[secdir] Re: Secdir early review of draft-ietf-scim-device-model-05
Eliot Lear <lear@cisco.com> Fri, 09 August 2024 15:04 UTC
Return-Path: <lear@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECA51C14F61C; Fri, 9 Aug 2024 08:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.744
X-Spam-Level:
X-Spam-Status: No, score=-9.744 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mj2uBlTwuIuB; Fri, 9 Aug 2024 08:03:58 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1155AC14F6FD; Fri, 9 Aug 2024 08:03:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=14032; q=dns/txt; s=iport; t=1723215838; x=1724425438; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=ZzEDPWUY8uCm0U6LGaBz5wT6ot4fUlRZZvjSa8dgPWA=; b=aFk6x5PvR0suH/tgHFQtteSVHNDCB7wOtldqgiyre/aC9p+QhPQTRnmX CvBOxgTulF64BUGZ/hLEN0NCilEE3tB2zLmzrsB2tgm3myJdRadhjXTr9 N0wFo3uuWIrkY6wLOW//1cOCWJk8PWA3Q4OHm1cGvjB5p/ddkPEnUBegi s=;
X-CSE-ConnectionGUID: 9ECmBttnQd6l/TaMJZ58Rw==
X-CSE-MsgGUID: W8+IPTjUQFqCgd2ii2S9hw==
X-IPAS-Result: A0ABAAANL7ZmlxbLJq1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBgXsFAQEBAQsBg0BZQ0iEVYgdX4hzA5FFhXeGVoF+DwEBAQ0BATkLBAEBhQYCiVQnNAkOAQIEAQEBAQMCAwEBAQEBAQEBAQUBAQUBAQECAQcFFAEBAQEBAQEBNwVJhXUNhl0BAQEBAgEjTwcFCwsMDCoCAlYGE4MAAYJBIwMRrkN6gTKBAYR62x0GgUgBiEoBKoEyAoQGAYR2QoINgRUnG4JoPoJhAoFIg3M6gi8Ehw6DCEGBEDoCgiRSgXxpBAUGD4ISCiVogikED4EwYoFIgjkmdy2GRmGBKYgCSAplECIDJjMhAhEBVRMNCgsJBYlJCoF5gSopgUsmgQyDC4E1E4NmgWcMEk+IVAWBCS2BEYEhPQGCBoE6S4NegX9CP4JZdFZIAg0CUR1AAwsYDUgRLBQhFBsGPm4HpBUEDieBXAGBfgQHJgUBMjIEQxAiLi81JioPGTwSkkhVjyqEH4lrk06BPoQehG+HJY80hgsEL4QFjQCGfZFaZIgDkGyCVosllRwCLh9LAYQ6AgoHF4FnOkiBEzMaCBsVZQGCPD8TGQ+BG40SDQmDWMxiRDI7AgcBCgEBAwmNKwEB
IronPort-Data: A9a23:GxYRYqvKcz3/Bz9E96dI6KjXF+fnVGReMUV32f8akzHdYApBsoF/q tZmKTuFO62Ka2fxeNx+O462/UNVvcLRndJnTwY//Hs9RCIVgMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0rrb/646yEhiMlkf5KkYMbcICd9WAR4fykojBNnioYRj5Vh6TSDK1vlV eja/YuHaTdJ5xYuajhIs/Lb+Us11BjPkGpwUmIWNKgjUGD2zxH5PLpHTYmtIn3xRJVjH+LSb 47r0LGj82rFyAwmA9Wjn6yTWhVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0NS+7vw60c+VZk 72hg3AfpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn3bEm51T4E8K0YIwq8tcBEtS6 fohJG4JKSyKosCEneKBVbw57igjBJGD0II3s3x6iDreF/tjGtbIQr7B4plT2zJYasJmRKmFI ZFJL2A3N1KaOXWjOX9PYH46tOOlj2PXeDxDo1XTrq0yi4TW5FUqj+KxYYWNEjCMbfoF3Wegm mD7xkrgKR4Wbt2ekwHU8m3504cjmgugBdpNT+fnnhJwu3WIzW0WIBwbSVX9puO24mayQdtRN wkV9zYg6LM59UnuQtTjXha15XuDshMYHdNUF8U75R2DjK3O7G6xHWUPQj9bQN0rqMFwQiYlv neMntDkQztytqaKTmiB9p+Zqy+oJDMJa2QFYEc5oRAt6tT55YAriQjTC9BqDOi+j8b+Hnf7x DXiQDUCa6s73OMg0o+n4Vb+j2yo4aTAaywHu1XtQTfwhu9mX7KNa4ut4FndyP9PKoeFU1WM1 ETofeDAsIji6rnTyESwrPUxIV2/2xqSGBv46WOD/qXNFRzwphZPnqgJvFmSwXuF1O5eJ1cFh 2eK6GtsCGd7ZifCUEOOS9vZ5z4W5abhD8/5cfvfc8BDZJN8HCfeo3s1PBPKhT2yzRRy+U3aB Xt9WZvyZZr9Ifk4pAdau89HiNfHOwhnnzqKHsGhp/hZ+eHBOSTPIVv6DLd+RrtktPzf+lq9H yd3PMqRwBIXS/zlfiTS6sYSK1tMRUXX9riow/G7gtWre1I8cEl4Uqe56ep4K+RYc1F9y76gE oeVARQDljISRBTvdG23V5yUQOqwAcoj9SpmZXdE0JTB8yFLXLtDJZw3L/MfFYTLPsQ6pRKoZ 5Hpo/m9P8k=
IronPort-HdrOrdr: A9a23:WnsMBamN2fdIJkulZ7S89d6qLmXpDfIp3DAbv31ZSRFFG/FwWf re/8jztCWZtN9/YhAdcLy7UpVoBEm9yXcK2+Qs1MaZMzUO0VHAROpfBMnZsljd8kbFmNK1u5 0QEZSWcOeAaWSTSa3BkW+F+xFK+qjhzJyV
X-Talos-CUID: 9a23:q5BluWraN+1cEKfzAM6/68rmUZEIWXj30GvWGkPmDSFVQZi3ewLAwrwxxg==
X-Talos-MUID: 9a23:pdWB6Qyf0IyCE0Ge+9yNQb0RFMGaqJv+S2E1rZc7guedHiN8YTac1g/mQpByfw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="6.09,276,1716249600"; d="scan'208,217";a="13724970"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Aug 2024 15:03:56 +0000
Received: from smtpclient.apple ([10.61.156.21]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 479F3tdm027510 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Fri, 9 Aug 2024 15:03:55 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <246AE48A-A201-4E4F-8A28-FD0BF7EA823E@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0E50C78C-01E0-4061-8A88-BE8B0836B070"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
Date: Fri, 09 Aug 2024 17:03:45 +0200
In-Reply-To: <171993857668.677413.10023661713161206683@dt-datatracker-5f88556585-g8gwj>
To: Mike Ounsworth <mike.ounsworth@entrust.com>
References: <171993857668.677413.10023661713161206683@dt-datatracker-5f88556585-g8gwj>
X-Mailer: Apple Mail (2.3776.700.51)
X-Outbound-SMTP-Client: 10.61.156.21, [10.61.156.21]
X-Outbound-Node: aer-core-3.cisco.com
Message-ID-Hash: SYA2ITMYAIKBFXOIXI6FREBKQKN26LGW
X-Message-ID-Hash: SYA2ITMYAIKBFXOIXI6FREBKQKN26LGW
X-MailFrom: lear@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-scim-device-model.all@ietf.org, scim@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: Secdir early review of draft-ietf-scim-device-model-05
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ozCtzFXs0B6m9Znbq-pJNcq-1Xo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Hi Mike, This is part two in answer to your earlier review. I want to again thank you for your effort. All edits can now be found in: https://github.com/iot-onboarding/scim-devices/pull/37 Can everyone take a good stare and see if we’re in the right ball park? Please now see details below. > On 2 Jul 2024, at 18:42, Mike Ounsworth via Datatracker <noreply@ietf.org> wrote: > > 2. My comment on "Section 9 Security Considerations" really also sumarizes my > view on the document as a whole: I have completely rewritten the security considerations section to discuss the type of operations. It doesn’t go so far as to discuss each object, and so for the moment we have what amounts to coarse access control along the following philosophy: 1. If the SCIM server grants access, it is granting the device access to the infrastructure. 2. If the client provides credential information, it is granting access to the device, to one extent or another (depending on device type) 3. Clients should only be able to manipulate objects they create. 4. Even if a client deletes an object, the server may retain access to the device. DELETE is merely an advisory signal in this case. > > Section 6.3 > > I think this section in particular has serious issues. And so it did. It’s getting an upgrade. The intent is as follows: Either the SCIM client is handed a client token or the client provides a root cert and a name, we think a DNS name by which it will authenticate. We’ll post an update about that. And yeah, we’ll do away with CNs everywhere. And we’ll put some nasty words around tokens as well. > It's not clear to my > what security goal this section is trying to accomplish, so I'm judging it > based on what I think it's trying to accomplish, but that may not be right. > Starting this section with a statement of the design / security goal could help. > > The certificate naming information seems under-specified, which could lead to > device impersonation attacks. > > What are the types here. I assume String? This should be stated clearly so that > people don't try to place here a DER-encoded DistinguishedName, or > RelativeDistinguishedName (which is the actual defition of CN in RFC 5280). > > Lower down in the section, it says: > > "Note that attributes clientToken and certificateInfo are used for the > authentication of the application." > > That is a pretty important note, and means that this entire section is a > security mechanism. > > rootCN > > Why only the CN and not the entire DN? Or better yet, the public key and forget > about the friendly-name entirely? Done. > > 7 > > Again, I think this section would benefit from a statement of the design goal. There is a generic design goal which is provide various types of device access. We’ll make that clearer. > > Is the SCIM database intended to be the source of truth for configuration of > the device? IE is the BLE device expected to reach out to the SCIM database to > pull its own config? (I suspect not since some of this config data is required > in order to successfully establish a network connection). So what is the > purpose of holding this data in the SCIM database? Is it for relying parties to > make security decisions about the device (ex.: ALLOW / DENY network access?). > Is it merely for network admins to inventory what's on their network and do > debugging? I think that knowing the intended purpose of this data will affect > how I read between the lines for security implications. For example, if SCIM is > a read-only copy of device config, then there are not really any security > concerns, but on the other hand, if write access to SCIM allows me to set BLE > pairing keys, then that places a huge trust relationship on the SCIM > infrastructure. > > 7.1.1 > > Editorial nit: > > "irk > > ... It is required when addressType is TRUE." > > A CTRL+F shows that `addresstype` is not defined in this document. What is it? > Can you add a link or reference to its definition? Fixed. > > Another editorial nit: > > "mobility > > A boolean attribute to enable mobility on BLE device. If set to True, the BLE > device will automatically connect to the closest AP." > > Technically here we're talking about attributes set in the SCIM database, > right? I'm guessing that most BLE devices don't know or care what same SCIM DB > thinks its local config is. I'm nitpicking about the implication that changing > this value from TRUE to FALSE in the SCIM DB will cause the device to change > its behaviour. I'm guessing that what you mean is "a boolean attribute that > indicates whether the BLE devices is configured to …" This is about the network rather than the device. The wording was poor and is corrected. > > 7.1.3 BLE Pairing Method Extensions > > Here we have detailed information about device pairing config, potentially > including pairing keys (pins). My comment above about whether this is READ-ONLY > or READ-WRITE applies. If write-access to SCIM allows SCIM admins to set > devices to `pairingNull` or `pairingJustWorks`, that would have large security > implications that need to be documented. See the next update in Security Considerations. > 7.2.1 > > bootstrapKey > > Editorial nit: > > "A string value representing Elliptic-Curve Diffie–Hellman (ECDH) public key." > > How is this encoded? I assume Base64 or PEM? There are a few different flavours > of Base64 around, so I would expect this to say "... MUST be encoded in Base64 > as per RFCxxxx", or "... SHOULD be encoded in Base64 as per RFCxxxx, but MAY be > encoded in other flavours of Base64", or something similar. It says base64. Eliot
- [secdir] Secdir early review of draft-ietf-scim-d… Mike Ounsworth via Datatracker
- [secdir] Re: Secdir early review of draft-ietf-sc… Eliot Lear
- [secdir] Re: [EXTERNAL] Re: Secdir early review o… Mike Ounsworth