Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Michael Richardson <> Sun, 30 September 2018 21:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0935E130E18; Sun, 30 Sep 2018 14:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vPWpiJP9Zbqm; Sun, 30 Sep 2018 14:29:31 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8F9E1130E14; Sun, 30 Sep 2018 14:29:31 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5BBBE20090; Sun, 30 Sep 2018 17:29:27 -0400 (EDT)
Received: by (Postfix, from userid 179) id E7D49AE0; Sun, 30 Sep 2018 17:29:27 -0400 (EDT)
Received: from (localhost []) by (Postfix) with ESMTP id E4287ACB; Sun, 30 Sep 2018 17:29:27 -0400 (EDT)
From: Michael Richardson <>
To: "Joel M. Halpern" <>, Randy Bush <>
cc: Brian E Carpenter <>, Christian Huitema <>,, IETF Rinse Repeat <>,, Security Directorate <>
In-Reply-To: <>
References: <> <> <> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Sun, 30 Sep 2018 17:29:27 -0400
Message-ID: <3136.1538342967@localhost>
Archived-At: <>
Subject: Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 30 Sep 2018 21:29:34 -0000

Randy Bush <> wrote:
    > a stunning review as usual.  but i have two questions which you kind of
    > finessed.  they are simple binary, i.e. yes/no, questions that the end
    > user, to whom the IETF is ultimately responsible, really cares about.

    > if the manufacturer's servers go down, either permanently or even for
    > a day, does the device i have purchased still work?  i.e. is it fail
    > soft? [0]

First, BRSKI as used by ANIMA is specifically not targetted at Things.
(We are developing profiles of BRSKI that are about Things, but I think that
this internet-draft should not be be evaluated on that basis).

It's targetted at routers and other devices found at ISPs or Enterprises.

Whether or not the device continues to work after you take onwership is not
about this protocol.

Second, the only time the manufacturer's servers need to be alive is when
device ownership is claimed.   Once the device is claimed, it joins *YOUR*
network, and trusts your infrastructure, not the manufacturer.  Whether or
not the device will *operate* without the manufacturer's servers is really
outside of BRSKI.  However, if anything, we feel that as BRSKI creates a
strong connection between the device (the "pledge"), and the owner, that it
is much easier for the device to operate under the control of the owner
rather than exclusively the manufacturer's servers.

Joel M. Halpern <> wrote:
    > That answer seems to imply that if the MASA is down before I try to transfer
    > my device, and if the MASA is still down when the recipient tries to get my
    > device working, it won't work.

    > Which seems to mean that once a MASA goes down permanently, any new can not
    > get a device reliant on that MASA to work.

    > Seems a pretty severe limitation.

You are answering a different question than Randy asked, I think.
You are answer the question about whether the device can be resold.

This is a pretty important question and we have discussed it at length.
I remain concerned, but as far as I can see, we have this problem already.

It fundamentally depends upon a number of things which unfortunately, the
manufacturer has ultimate decision making about.  I hope that the market
will express itself, and the answers will result in environmentally
sustainable solutions rather than landfills.

Those things are:
   1) trivially, is the manufacturer alive, and willing to issue a new
      voucher to a new owner.  This is the easiest situation.

   2) if the manufacturer's software allows the domain owner to replace the
      MASA trust anchor with another one, then a different MASA could authorize
      the resale.

   3) if the manufacturer allows the entire software stack to be replaced,
      then in effect, a new manufacturer can be selected. (Think OpenWRT

In essence, all of these questions are about the degree to which the
manufacturer lets the owner control the software.  This is a tussle between
manufacturers that want to control it all, and owners who feel they should
control what the system does.

We think that BRSKI does not force either situation, but does deal with
some situations where a third party has inserted software between the point of
manufacturer and the owner.

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-