IETF Logo Mail Archive

Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome

Eliot Lear <lear@cisco.com> Mon, 16 November 2020 12:50 UTC

Return-Path: <lear@cisco.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF0613A0E6F; Mon, 16 Nov 2020 04:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJRtV2PdtQ9v; Mon, 16 Nov 2020 04:50:36 -0800 (PST)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E77803A0E65; Mon, 16 Nov 2020 04:50:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=21139; q=dns/txt; s=iport; t=1605531036; x=1606740636; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=uOrI9I/EmZdiNwZvTpe4YnhE8jgWDiwC1GSYhwhqb6M=; b=i9QTHKg17phzPY1PTCa17qPjst04gETVagR+yT42J7Brw1/JhKryetC6 A8qAZ19WhO6lUCvsnbO2Nxy4qRypzk3C0j4ol4QH53N+OMF9UmIBmbsyT EuPfJzgH25T4LvThi9fcz+l26i08smFceBHNXURlBs0zSqxAFvzbxdOfn I=;
X-Files: signature.asc : 488
X-IPAS-Result: A0ByAAB6dLJf/xbLJq1ZCRoBAQEBAQEBAQEBAwEBAQESAQEBAQICAQEBAYIPgSOBB0krVQEgEi6EPIkFh3gmgQWGZZRDBAcBAQEKAwEBGAEKDAQBAYRKAoIfJjgTAgMBAQEDAgMBAQEBBQEBAQIBBgRxhWEMhXIBAQEDAQEBIUsLBQsLEQQBAQEnAwICJx8JCAYTGwSDBwGCZiAPrRV2gTKFV4RXCgaBOIFTjAiCAIERJwwQghoHLj6CXQEBgTNigmEzgiwEmymBGptrgneDGoE3lkQDH6F5sEGDZAIEBgUCFYFrI4FXMxoIGxU7KgGCPj4SGQ2NKYECF4hihUVAAzA3AgYBCQEBAwmOSAEB
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.77,482,1596499200"; d="asc'?scan'208,217";a="31092087"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Nov 2020 12:50:31 +0000
Received: from dhcp-10-61-99-159.cisco.com (dhcp-10-61-99-159.cisco.com [10.61.99.159]) by aer-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 0AGCoUiP026386 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 16 Nov 2020 12:50:31 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <A8214369-216E-440B-8757-172416CDF02B@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_BD74D807-38E1-48C3-8131-00FDF02C643E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Mon, 16 Nov 2020 13:50:30 +0100
In-Reply-To: <b178d5066d6b4371a59ffe59bb6d6447@huawei.com>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
To: "Panwei (William)" <william.panwei@huawei.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Outbound-SMTP-Client: 10.61.99.159, dhcp-10-61-99-159.cisco.com
X-Outbound-Node: aer-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/7cypw9QfdBYP0qqy3eoPKlbaK4s>
Subject: Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 12:50:39 -0000

Hi Wei Pan,

I agree with you that there is a need for something that doesn’t require devices to have a full PKI built in.  But there needs to be something unique about the device that it can express and prove.  Also, we should separate out two problems:

Proving the peer to the device
Providing the device to the peer

Each has slightly different characteristics, especially when it comes to certificates.  Nobody should expect a huge cert store to be on a light weight client.  As was said in the chat, that is one thing that BRSKI solves.  But DPP/POK also solves it without certificates, but still requires at least a public/private key pair. Less than that I do not know how to work the problem.

Eliot

> On 16 Nov 2020, at 13:02, Panwei (William) <william.panwei@huawei.com> wrote:
> 
> Thanks to Eliot for summarizing these.
> 
> I think the core concept of using DANE in IoT scenario is to get rid of certificates and PKIX. The solution of how to securely onboard the IoT devices and allocate the DNS domain name, both with and without initial certificates, is the key part to figure out.
> If the IoT devices have no initial certificates, such as 802.1AR IDevID certificate, as their initial identity, then the BRSKI mechanism won’t be appropriate for these devices because BRSKI has a requirement of IDevID.
> If the IoT devices have an IDevID certificate, I think it can still use BRSKI to onboard, but it won’t use EST to request a certificate any more, instead, it will apply for a DNS domain name by using some protocols.
> 
> That’s my preliminary thoughts, maybe not right.
> 
> Regards & Thanks!
> Wei Pan
> 
> From: Secdispatch [mailto:secdispatch-bounces@ietf.org <mailto:secdispatch-bounces@ietf.org>] On Behalf Of Eliot Lear
> Sent: Monday, November 16, 2020 6:55 PM
> To: secdispatch@ietf.org <mailto:secdispatch@ietf.org>
> Subject: [Secdispatch] DANE IOT proposed outcome
> 
> Thanks to Shumon for presenting the DANE use case for IOT.
> 
> We discussed taking this to the iot-onboarding@ietf.org <mailto:iot-onboarding@ietf.org> list as there were a number of rather big open issues that people wanted to discuss.
> 
> We also discussed a non-WG forming BOF to look at, as Ted put it, the broader context for onboarding.  To give people a feel for the sort of related work that is available, here are a list of related activities:
> 
> draft-ietf-anima-bootstrapping-keyinfra (BRSKI) is a request/response mechanism that uses RFC 8366 vouchers to introduce devices and network infrastructure.
> Intel’s SDO provides an application level introduction using vouchers as well.  This work has been taken up by the FIDO alliance.
> The Wifi Alliance has Device Provisioning Protocol (DPP) which does not attach to a global name space prior to provisioning having occurred, but does represent a minimum case (just public keys).
> draft-friel-eap-tls-eap-dpp borrows from DPP, intended mostly for wired use, where DPP is focused on 802.11 networks.
> There are a number of BRSKI related drafts by Owen as well, relating to cloud-based registrars.
> There is also work by Michael Richardson and Peter Van Der Stock on constrained vouchers.  That work is taking place in ACE.
> 
> Understanding the landscape might help us understand where DANE fits in.
> 
> Regards,
> 
> Eliot
> --
> Iot-onboarding mailing list
> Iot-onboarding@ietf.org <mailto:Iot-onboarding@ietf.org>
> https://www.ietf.org/mailman/listinfo/iot-onboarding <https://www.ietf.org/mailman/listinfo/iot-onboarding>

v2.23.0 | Report a Bug | By Email