[secdir] Re: [EXTERNAL] Re: Secdir early review of draft-ietf-scim-device-model-05

Mike Ounsworth <Mike.Ounsworth@entrust.com> Mon, 12 August 2024 16:07 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A1ABC169400; Mon, 12 Aug 2024 09:07:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.705
X-Spam-Level:
X-Spam-Status: No, score=-2.705 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDSalhDuTpkc; Mon, 12 Aug 2024 09:07:24 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6ADC1519A7; Mon, 12 Aug 2024 09:07:20 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 47C9vEfq018207; Mon, 12 Aug 2024 11:07:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=mail1; bh=XR6BWJkk4Np78xskzciss8duynC3 5N6U/z6ZVWLrMUY=; b=iUQZKNALB6fgnpisxwdesMnQF28wgrTR7xWJ7hD76Vds swMCQW+P/J7sjuCCxewqEK+2eXHqDjJHUzSp3ZdUgk3ZlIO79KNc3u9PKVTO15mO WdazvcaFHdazJRAy8OeGmNtw0DLJyGsvAa2nGspY0bqo/2GSslGgxijTxjz3nCZd ZsIaICeHaU6xtBLQr2qsfF7WjJ113ZbAxKQIja99ryIBpRzq4/Il1+57WVSLhM0F mtYAdtPm0+Y0giB9diJHe7CUiq0U634R3SAR7iwQAvqll2ZlsJ7VhS6w1RW0/ME1 08AMBtDxJf0tNQxTxIFoEBekoTzPuYO1cW4WcAkMjw==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2168.outbound.protection.outlook.com [104.47.57.168]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 40x4vy6vke-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Aug 2024 11:07:15 -0500 (CDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=YTYEvU5Ah1va8VBeGcbnxFyamLbS5MKANdpIofgJ3XCsNl9rnSTCeMPG/cRPEE8E0iZw15Ew/iRVPiEymdAhrHm6V1JN9CHHCIdsEtJiFiW0soYgRgZgHlB8HWr546YI7pAAnT4tb+bzyldWKfqLNgn5eBk+psTMGy1LK0s8gZzYxJ6ZRktig/3D+TOrlm/WPpeZPWCpdRdc6i7bEQ6sGqt6LH56J2f9bM/GFFMDyjcyH5uA02OOxAmVnxEPTWcGsAMwhBD6Ly6kGokQ41HYMxDX/7XxGrP/lRfMv+RUG5IGcOs3u6iOqzOVqH5+DZ3HIP0vq7Z+CybXiGZgqfs9/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cA1UCwueW4mnKRA9oeLs3M/bkUHpqLqFCbk92jvL8mo=; b=wpf2WlqxackaGhDVMDORgzIgBfgaeqGKeF4PlnXffvPPLJf4o/yBiuO8HJHC6/49tlulrcgaL1JirA4RqhXU57kyaiB2ltl4n3AUt6Js1rwqd+glbB+kjJPs2PQP2RVxW8iNLDtnOSb63F8KKtQog5KxXJ7lQSCL6XQe3uyA3dqpaM5FIrLrHucUxMScrpL/bX/S8lqzYpybZDh0tetahaPkVYCOqhfnlqcMyPrw5+CN4k2Sze5nK3AdCQXY12V5tEFqTQ3teESitXp+Lb2H8PNz5Wj23TT4hEgk66d2bBH1kQWk0iaN+n3vNvNTM+oBk36lJvCJDdQCNMfxHS27Ng==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by MN2PR11MB4565.namprd11.prod.outlook.com (2603:10b6:208:26a::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.22; Mon, 12 Aug 2024 16:07:10 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::b93d:b2d:3ad8:9702]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::b93d:b2d:3ad8:9702%4]) with mapi id 15.20.7828.031; Mon, 12 Aug 2024 16:07:10 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Eliot Lear <lear@cisco.com>
Thread-Topic: [EXTERNAL] Re: Secdir early review of draft-ietf-scim-device-model-05
Thread-Index: AQHa6m1jy6WNfkpum0WNFRmcdyj4+7IjzhvQ
Date: Mon, 12 Aug 2024 16:07:10 +0000
Message-ID: <CH0PR11MB57398823CE9EF2AE6ADD18E69F852@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <171993857668.677413.10023661713161206683@dt-datatracker-5f88556585-g8gwj> <246AE48A-A201-4E4F-8A28-FD0BF7EA823E@cisco.com>
In-Reply-To: <246AE48A-A201-4E4F-8A28-FD0BF7EA823E@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|MN2PR11MB4565:EE_
x-ms-office365-filtering-correlation-id: a011d74a-3547-4cc1-8a3e-08dcbae8d26c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|366016|38070700018;
x-microsoft-antispam-message-info: LF2/NvfvsGVFjygblRBMU3UOkNJ15tI7JZ+Hs+BALC6yq1MNT9Ku4MA8aZHOrKqWw+aSlTBJbB4P1aLkhd6KvAC7HTqPNMEe+rwipRAL/2e0PlPSYp3wp60ea76dGfOdtiMnvIreeBKoTcBfsnpaQEDOLXv1xU3wj+MySQ+Lv+W+fAGkVpp+tVnq1O79bVPkKOaB0upncP8+tHxAFUDwGIBd6RCVD4mDJ9LcwdJ7PFVXlHtZUXg2NLQRk0J6MW0A2apk5yvwLrV1QFgfrtBAhOa+zsCLEBcPRG9DJ04A87XUfQJazVxAik1Sthd3wNb3dBg+CAXQpkasg3O3VxNyWryRkW/E0Htf1fqOCQ+KUN6Lej0R1ssMA3MF9plySbzhDcnjKDlmEVA/6g1A7Htv2eA+AoF4HLaLOihu2oWn3S1+JnZIQDA5/J6a3iS2Cag+ybxeJbIyutNj9bvTT4lQ2jD/z84LuvuUYFyyEUar5KE70fkUdiMhFU0XRjRLreEDkw8fQmGPnYv/Cw0tB4x8Bq5LtVdkJpbRTxJRbgPtmvgvDRsbmTvhUPBSopWifJejAH71+3oqb9b9SyBbL0T0Wfy/EPme2tSt7fBn8SBCYWuIIH1MdRw1zmfzfOSXWy+3bWZGxdJJegMb6hGBcgJfbyVGKLiZTU73a3irwHBxjNA6J2wrk7MLprJQ31R+NwNDDKdNdtMz0BqnW7FDYdEiFF0h6oOLyzTwXpxeGZhCDZlzOdQd/FtsPyz4m24Xkzj7FGqPIf7bcMGNGTaz3bInp7OKoVVKjty3eE0ySiA9bJFbnLxPqoDcsxKc3KDJpfABLwWOPe+4IjJSp/LsyW+FvWXHshl5MABIZ/GrRNwX/+Of0+KKjnbCQ9AG1WFbUIoLcqnMFzCQteLpOVo2WLkilcBtUm9lmkyOnR73j6BxZprh6o5qfKeN+t/xhZaDsADKjYvc6jB0zakTB32ohdfRXKqfiQk0SyJsMdA3y+0vI4qFoTFX5I0qBpsJruFdWEB3SQlsPHN/Y6BhAWKoeBGmrc6akF7M5wk+RJpre+wxFn5U+EFw/iVx2CPclGW7WMBg66xnxmnj3DYxuxWtO1c85fW60dk9BrjQaO0GzNdJEm+NUHNdkSQL9ZQHHuFcpVnrC0GNOpJhjtSzatbSvj182L4VLRDRjYLtVNeaB2H0QhOc06VDNVnVVIzMP8eZOEWtBFw9TgDu/nm3jLrPI9QnzGaCCOgEY5JWqZGoNxbA+NLxO+SO0jqvh5tEk8Wf1ngONJZEWoro2GuEdYk5eavH1TuWBfASvG6I43y0Ft+snXGTtcZ2nORTPYLcFS08DcmPYsyCPqhB00BDsOwj8o1xFWwuutJuCHkTJ6wJByhjNhs=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH0PR11MB5739.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: J/efRUV/WBQsElVNT3Z1p+HlCgTEbrQCOMIVGfAocBgyypcsGM0vrVdN10VgBMgUtmxnhVDi05SgazQvuvxqs25W30vkXLDJ06l375YNdb6ekGORvGylO7tye9pjhfruoVILC4frnd18X4dDj/420rY5BOvT3ZS8g2pX8TqBi/fbS51D3U9k4RvqG6XA0f1ptXgBW6bHQwHvv3YV44uN/MECLdyj1Q6Akn2sXeSFsr5b2DZbKDlESNGN/NaDxF5ryCojaSQDk0+xdSwFThlN0LwHn8t1UcXQUN6m6QhyH52KUCnJtBsxEYH8LSeZe0nfwJQ3t9KfC6PK6qafrxw8u05LwT40ZahNs2ujwWpBKc6yHep+oj3I6MoOevyTp0LTBXAfGwMMqq+Uatj+YgiUapaMbrCMVDGdHQU9Eka+K8apPrIUtGDmlFIJncfgLA6oc35u2RDenRk1jkyXiOvm+oNPvx69OfpcPXl4owGJCxekQ5QKE/unjvxOvpWxkhbYjQGxc2hz0AAF490gmNob+xDM3h/torel2aSBG12j4/B6LosizBY+6dioN4QVRILPAfMS6xw+EIvUi4JBzcYbYHlpEDZzUBjub5z5XRhL5UkWkQFlmRtLTWLzyGhMU3ZRnGkihZrNhNU8o3Y7hs7Yw/9GkhUblPQATwb7TDBFzCGD8TjudtvDvyyi3elRn+/qLI88G+/fjgJzQYRG0zdMFbBw76BFYAotlhiI7XTOWy0GXyslar3t80VHebr0FiRPTdPCTcxOh+Fq9l54enoRnpGdvjJFV8PP/5rIwOF48C4quvc96FJdHoqOs+q3hy8s495zf/s2CAQXxiGwNwCdog3VZNIzTa4GrauKd+c7pKFjknsba8asoSr3szXxe1qlMDe/j26vc5Vhj4CVgScsnkYEYr4R/JEM2L5DDIfcoF0WFIWO8HYYPWn5GKfMOmHA5/z3xD3C0rOXIFUWRj0KxZZ/PEgmrmCoBHegSimTRxwB4fxno3JJjwbCag2UUSy3ViFzfkb/KWb23iQCLmtwxiOb9SyykEjO7Q3Pw+1ciLjQAin6OWzGVT8RuZ3PaD+1ZB+ieZsnHGf9Z43+TuuVKdJiPl2Nab+t6I74PX+jmytVNepquwV46mIix6+t+8VK8Z3my053WGrE6Q3YPwPz/DsxYGFv/pDv+Km220GlcXtVCi8fYNoYcdVEVQ1bEieMKEhrB4ztXvQhMnZX0/ufZ9W3Yl5KzLdw9UGFxLD34js9lWG7KK3cJ/c8jDr9AKGQXyzP1jcPnE2LCxnJeqNiG9bA8j/enf0+uyAS4xK5LaSKZplp+Ome8wVvGgXi5k9SEu+88j7yxxCTW3nMUdRh0nj/DjXHgzXFnMQZP+pBVnrwl+2EsdFjTl57JBVd0ZfNO3mDcPue1nXd75iIjlOtBhrI/08FkwwJX2bgL3+V4Fm7NFarZVmIXm3NA2GY/12+WpUzFI73+t2cHRPK1yZKO4g7yrseUNjWz8i4tGAArWviNClr0zbj3eUk/W0eZsg+r9WbCVCmc6QMTAgs/kciwq1ZYoYP80zFODStdGYBGA3O2Fc3RQQNmNdIiZ2Tf67o
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_086D_01DAECA7.C657B020"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a011d74a-3547-4cc1-8a3e-08dcbae8d26c
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Aug 2024 16:07:10.5063 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GIC2ZXlzyJ86WWesGabqZhiamuYSp3fWDpZkXB1uUG3MjCUJd/BC4K/AbXkS/+dEhI0vPRI3xg0wl+Vp/bBxRTXnM6GppYnA5V5dZ/Wd/cw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4565
X-Proofpoint-GUID: bJgpLbdJoQVT46jhCWN7LlVhNenLzejO
X-Proofpoint-ORIG-GUID: bJgpLbdJoQVT46jhCWN7LlVhNenLzejO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-08-12_08,2024-08-12_02,2024-05-17_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 lowpriorityscore=0 mlxscore=0 priorityscore=1501 suspectscore=0 mlxlogscore=999 phishscore=0 spamscore=0 bulkscore=0 malwarescore=0 clxscore=1011 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2407110000 definitions=main-2408120119
Message-ID-Hash: SFITCXORBLSSG6KZHGYGM5PWWBHIM5SB
X-Message-ID-Hash: SFITCXORBLSSG6KZHGYGM5PWWBHIM5SB
X-MailFrom: Mike.Ounsworth@entrust.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-scim-device-model.all@ietf.org" <draft-ietf-scim-device-model.all@ietf.org>, "scim@ietf.org" <scim@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [EXTERNAL] Re: Secdir early review of draft-ietf-scim-device-model-05
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/U2JTggJXDlMj8MzjwhehmmEZOjA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

Hi Eliot,

 

I have reviewed the pull request, as well as the email below. I left a few small comments in the PR.

 

Overall, I think this is a good change set. It shows that the authors are putting more up-front thought into the security considerations. This document should undergo another top-to-bottom SECDIR review as it get closer to WGLC, but I think for now it’s going in the right direction.

 

---

Mike Ounsworth

 

From: Eliot Lear <lear@cisco.com> 
Sent: Friday, August 9, 2024 10:04 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: secdir@ietf.org; draft-ietf-scim-device-model.all@ietf.org; scim@ietf.org
Subject: [EXTERNAL] Re: Secdir early review of draft-ietf-scim-device-model-05

 

Hi Mike, This is part two in answer to your earlier review. I want to again thank you for your effort. All edits can now be found in: https: //github. com/iot-onboarding/scim-devices/pull/37 Can everyone take a good stare and see if we’re in the



Hi Mike,

 

This is part two in answer to your earlier review.  I want to again thank you for your effort.  All edits can now be found in:

 

https://github.com/iot-onboarding/scim-devices/pull/37 <https://urldefense.com/v3/__https:/github.com/iot-onboarding/scim-devices/pull/37__;!!FJ-Y8qCqXTj2!Ymfi3q-eqT8XEJGVWbJz8PKwPwIgeiCkWrfH5hO7Lz3Gk473cos6HkZYfD8DaqeiMwIpJBeA31LgBLI$> 

 

Can everyone take a good stare and see if we’re in the right ball park?

 

Please now see details below.





On 2 Jul 2024, at 18:42, Mike Ounsworth via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org> > wrote:


2. My comment on "Section 9 Security Considerations" really also sumarizes my
view on the document as a whole:

 

I have completely rewritten the security considerations section to discuss the type of operations.  It doesn’t go so far as to discuss each object, and so for the moment we have what amounts to coarse access control along the following philosophy:

 

1.  If the SCIM server grants access, it is granting the device access to the infrastructure.

2.  If the client provides credential information, it is granting access to the device, to one extent or another (depending on device type)

3.  Clients should only be able to manipulate objects they create.

4.  Even if a client deletes an object, the server may retain access to the device.  DELETE is merely an advisory signal in this case.

 






Section 6.3

I think this section in particular has serious issues. 

 

And so it did.  It’s getting an upgrade.  The intent is as follows:

 

Either the SCIM client is handed a client token or the client provides a root cert and a name, we think a DNS name by which it will authenticate.  We’ll post an update about that.  And yeah, we’ll do away with CNs everywhere.  And we’ll put some nasty words around tokens as well.

 





It's not clear to my
what security goal this section is trying to accomplish, so I'm judging it
based on what I think it's trying to accomplish, but that may not be right.
Starting this section with a statement of the design / security goal could help.

The certificate naming information seems under-specified, which could lead to
device impersonation attacks.

What are the types here. I assume String? This should be stated clearly so that
people don't try to place here a DER-encoded DistinguishedName, or
RelativeDistinguishedName (which is the actual defition of CN in RFC 5280).

Lower down in the section, it says:

"Note that attributes clientToken and certificateInfo are used for the
authentication of the application."

That is a pretty important note, and means that this entire section is a
security mechanism.

rootCN

Why only the CN and not the entire DN? Or better yet, the public key and forget
about the friendly-name entirely?

 

Done.

 

 

7

Again, I think this section would benefit from a statement of the design goal.

 

There is a generic design goal which is provide various types of device access.  We’ll make that clearer.

 






Is the SCIM database intended to be the source of truth for configuration of
the device? IE is the BLE device expected to reach out to the SCIM database to
pull its own config? (I suspect not since some of this config data is required
in order to successfully establish a network connection). So what is the
purpose of holding this data in the SCIM database? Is it for relying parties to
make security decisions about the device (ex.: ALLOW / DENY network access?).
Is it merely for network admins to inventory what's on their network and do
debugging? I think that knowing the intended purpose of this data will affect
how I read between the lines for security implications. For example, if SCIM is
a read-only copy of device config, then there are not really any security
concerns, but on the other hand, if write access to SCIM allows me to set BLE
pairing keys, then that places a huge trust relationship on the SCIM
infrastructure.

7.1.1

Editorial nit:

"irk

 ... It is required when addressType is TRUE."

A CTRL+F shows that `addresstype` is not defined in this document. What is it?
Can you add a link or reference to its definition?

 

Fixed.






Another editorial nit:

"mobility

 A boolean attribute to enable mobility on BLE device. If set to True, the BLE
 device will automatically connect to the closest AP."

Technically here we're talking about attributes set in the SCIM database,
right? I'm guessing that most BLE devices don't know or care what same SCIM DB
thinks its local config is. I'm nitpicking about the implication that changing
this value from TRUE to FALSE in the SCIM DB will cause the device to change
its behaviour. I'm guessing that what you mean is "a boolean attribute that
indicates whether the BLE devices is configured to …"

 

This is about the network rather than the device.  The wording was poor and is corrected.






7.1.3 BLE Pairing Method Extensions

Here we have detailed information about device pairing config, potentially
including pairing keys (pins). My comment above about whether this is READ-ONLY
or READ-WRITE applies. If write-access to SCIM allows SCIM admins to set
devices to `pairingNull` or `pairingJustWorks`, that would have large security
implications that need to be documented.

 

See the next update in Security Considerations.





7.2.1

bootstrapKey

Editorial nit:

"A string value representing Elliptic-Curve Diffie–Hellman (ECDH) public key."

How is this encoded? I assume Base64 or PEM? There are a few different flavours
of Base64 around, so I would expect this to say "... MUST be encoded in Base64
as per RFCxxxx", or "... SHOULD be encoded in Base64 as per RFCxxxx, but MAY be
encoded in other flavours of Base64", or something similar.

 

It says base64.

 

Eliot