Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 18 November 2020 15:10 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Shumon Huque <shuque@gmail.com>, Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, IETF SecDispatch <secdispatch@ietf.org>
Thread-Topic: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
Date: Wed, 18 Nov 2020 15:10:07 +0000
Message-ID: <8f313965-c6e7-8c5f-4f04-9d3cd01ee41e@ericsson.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com> <dedb5fb7-f0bc-7e35-4f90-fddc2d093873@ericsson.com> <CAHPuVdVyfiLa0om8=-WZ+8yutTOYLLre1fKkSPjAdvhnffQhag@mail.gmail.com>
In-Reply-To: <CAHPuVdVyfiLa0om8=-WZ+8yutTOYLLre1fKkSPjAdvhnffQhag@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/DD8BrPF_4QBA0BPIQh0UQLat0OU>
Subject: Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome

Hi Shumon,

Why won't the same issue apply to the IoT bootstrapping and the SIM card use case you described? You would likely authenticate the server before revealing the client identity. And that cannot happen with DANE because of the lack of initial Internet connectivity. If this is the case, then I fail to understand some of the excitement for use in IoT bootstrapping. Also, I am not sure whether verifying DNSSEC signatures sent inside the proposed TLS extension would be simple and lightweight for IoT devices.

--Mohit

On 11/18/20 4:09 PM, Shumon Huque wrote:
On Wed, Nov 18, 2020 at 7:58 AM Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org> wrote:

Hi Ash and Shumon,

My understanding is that your solution is applicable to any scenario that uses client certificates. Obviously IoT might be one application area for this, but there are many other uses of client authentication with certificates.

Mohit - yes, there are certainly other application use cases and the protocol is general purpose. Some SMTP transport security folks are interested in this to give one example.


I don't have any strong opinions about whether this is useful or not. But it might be good to have a separate, focused DANE working group for these drafts if there is strong demand for such a solution. Your presentation also highlighted your intention of defining a new RRtype and/or expanding the scope of TLSA. These things (along with DANE light etc.) would require the input of DNS and TLS folks (in addition to the IoT requirements).

Yup, we will certainly need to get their input on this topic. I think I saw a couple folks in the chat suggest resurrecting the DANE wg, which I'm open to, but there was pushback too (I think more detailed discussion on list was deemed necessary first).


Also, I didn't understand how server authentication would work. I probably did not listen to your presentation carefully enough, but I suppose you cannot use DANE for server authentication in scenarios where the client device does not yet have Internet connectivity. So how would server authentication work in the EAP-TLS/SIM card/IoT bootstrapping scenarios you discussed?

Yeah, the EAP-TLS case is trickier for DANE server authentication. There are possible mechanisms though - the TLS DNSSEC chain extension (which failed to gain consensus in the TLS WG a while back, but which will probably be published through the IETF's independent stream) would provide a way for the TLS server to deliver its DNS authentication chain inside the TLS handshake, obviating the need for the client to perform DNS queries prior to Internet connectivity. There are probably other solutions that could be devised.

Shumon.
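For readers following the exchange above, here is an added example (not part of the thread, and not code from the DANE client-certificate drafts) of what the cheap part of a DANE-EE check actually is: matching a presented end-entity certificate against a TLSA record in the style of RFC 6698 / RFC 7671, with usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256). The certificate is a constructed, unsigned X.509-shaped placeholder built inline so the example runs offline; the key bytes are dummies. What the example deliberately does not do is the step Mohit's message is really asking about: it assumes the TLSA record already arrived over a DNSSEC-validated path (or was validated out of the TLS DNSSEC chain extension), and that validation, not the hash comparison below, is the expensive and connectivity-dependent piece. The owner-name convention for client identities is left out, since the thread notes that the RRtype/naming question was still open.

```python
# Added example, not from the thread: a minimal DANE-EE (usage 3) TLSA matcher
# in the mould of RFC 6698 / RFC 7671, applied to a presented end-entity cert.
# The certificate below is a constructed placeholder (unsigned, dummy key).
import hashlib
import hmac
from dataclasses import dataclass


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(buf: bytes):
    """Yield (tag, tlv_start, body_start, body_end) for each top-level TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(buf[pos + 2 : pos + 2 + k], "big"), 2 + k
        yield tag, pos, pos + hdr, pos + hdr + n
        pos += hdr + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    outer = next(der_children(cert_der))                 # Certificate SEQUENCE
    cert_body = cert_der[outer[2] : outer[3]]
    tbs = next(der_children(cert_body))                  # tbsCertificate SEQUENCE
    tbs_body = cert_body[tbs[2] : tbs[3]]
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                             # explicit [0] version present
        fields = fields[1:]
    tag, start, _, end = fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return tbs_body[start:end]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record itself is the trust anchor
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

    def rdata(self) -> bytes:
        """RFC 6698 wire format: three one-octet fields, then association data."""
        return bytes([self.usage, self.selector, self.mtype]) + self.data


def tlsa_assoc_data(selector: int, mtype: int, cert_der: bytes) -> bytes:
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_from_cert(usage: int, selector: int, mtype: int, cert_der: bytes) -> TLSA:
    """What the zone operator publishes for this certificate."""
    return TLSA(usage, selector, mtype, tlsa_assoc_data(selector, mtype, cert_der))


def dane_ee_matches(record: TLSA, cert_der: bytes) -> bool:
    """Verifier side for DANE-EE(3): compare association data in constant time.

    No PKIX chain building and no name check happen here (RFC 7671); the whole
    trust decision rides on the TLSA record having been DNSSEC-validated first.
    """
    if record.usage != 3:
        raise ValueError("this matcher only implements DANE-EE (usage 3)")
    return hmac.compare_digest(record.data, tlsa_assoc_data(record.selector, record.mtype, cert_der))


ED25519_OID = bytes.fromhex("2b6570")   # 1.3.101.112


def make_placeholder_cert(pubkey: bytes) -> bytes:
    """Constructed, unsigned X.509-shaped DER: enough structure for extract_spki.

    Not a real certificate (empty names, all-zero signature); it only carries an SPKI.
    """
    alg = der_tlv(0x30, der_tlv(0x06, ED25519_OID))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey))   # BIT STRING, 0 unused bits
    empty_name = der_tlv(0x30, b"")
    utc = der_tlv(0x17, b"201118000000Z")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))      # version v3
                  + der_tlv(0x02, b"\x01") + alg + empty_name
                  + der_tlv(0x30, utc + utc) + empty_name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    device_cert = make_placeholder_cert(bytes(range(32)))          # dummy key
    record = tlsa_from_cert(3, 1, 1, device_cert)
    print("publish:", record.presentation())
    print("matches own cert:", dane_ee_matches(record, device_cert))
    print("matches other cert:", dane_ee_matches(record, make_placeholder_cert(bytes(32))))
```

The hash-and-compare is a few microseconds even on a constrained device; the cost Mohit raises lives entirely in validating the RRSIG chain that vouches for the record, which this example takes as given.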