Re: [Secdispatch] [lamps] IDevID considerations document to secdispatch
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 22 July 2020 08:45 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F653A00E4; Wed, 22 Jul 2020 01:45:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Al5c_f17MIN8; Wed, 22 Jul 2020 01:45:29 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80079.outbound.protection.outlook.com [40.107.8.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B25B3A00D4; Wed, 22 Jul 2020 01:45:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BCmMZTEP8j+4QxjWjD/csecS8VqOGjaTPB/oCW1gPaAAyXwewifJu9uUTibdu33K5lmfSpbjJPfl3hjEZ+p8SOPuzpOeOih9Sjyhz+dDAA1ACOnFpbp5kuK40/+jLbIfJ56CHQ/o4y+yL1OpNWDVkYejHrwi6hX4Vf40qciUvA62J0ZwclVFlIbuT/ZvFe5CyX0vGMlRUDYZATjPLt9EarbvFpAJqOvkSwRkOdZpaJZl/b5b9MZZh+mPGLEdvZ1ZeoiSUv8QAQt+NkdW6xkdtq3tNiu4IQzDEQLcy92PaCkg0mSPpzz6h3wUJK1tupbY9y+oTbOExRRzvVKx0Inlmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z2sBVPz4f8QRohXLpBCxqTMOKNED7lmoRF34eQXi3YA=; b=a45c3EArpgYi1KgEjVZ/k6Ix68jwi3mg630h6UJ2LZGcQG47i3HvqbVwUVKCMOOsXUL61hB7ZF9noAlj+OlSHmyhKwn/A5/1PIwmRlVXr9jkESG8YnWgVRz+DqCT3Z1Rl+VN9dOZ2H4lO2lII+rBr79RHyxrPUw7/CXxHHBrXBpeySfrUGUhl62XdWaHSfP4jAha00tlfzS8yCAC7harNJu6EW9UT56dMc79KEcyOhzZbhsn9QzYhwqSfIfxlVE0f0QEvvXmhWT8e3jsk9oO6l2N9tYWhfnJ7Hnk3C1PhRrqH3BpzuJzPxn8tPusr356oQfUIyo+eGd3UjUASQhgYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z2sBVPz4f8QRohXLpBCxqTMOKNED7lmoRF34eQXi3YA=; b=LAMYXqDEZf0yKNKgYwgtyl6KPkvtj4APihiDhW2Y8AlNJXlGN9oKTMiHZ9NxcF85CfJ3N+iA+ISc3uHn9nSvtUkF/+Xe4MPPL8obNjaMCLwssnOrUflU3tLj4pQDl6XwbjvdAuQ7wlWOMy3nEKQWCaC3Dz8m6jybXIy9Km3goUE=
Received: from AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:184::10) by AM0PR10MB3474.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:154::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.20; Wed, 22 Jul 2020 08:45:26 +0000
Received: from AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM ([fe80::288b:3b52:cf90:8fc0]) by AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM ([fe80::288b:3b52:cf90:8fc0%9]) with mapi id 15.20.3195.028; Wed, 22 Jul 2020 08:45:26 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: Tomas Gustavsson <tomas.gustavsson@primekey.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] IDevID considerations document to secdispatch
Thread-Index: AQHWP8N6k88ddaiq9U6Bs/QsBzthBajTsr2AgAV/EICAFWp0gIAAvESAgCOWHwCAAJRy4A==
Date: Wed, 22 Jul 2020 08:45:26 +0000
Message-ID: <AM0PR10MB315388224916907E62839AE1FE790@AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM>
References: <159176190855.9169.7350787463977998504@ietfa.amsl.com> <10463.1591763623@localhost> <13107.1591804306@localhost> <f7cdd360-7ab7-28f6-86b9-9f8c4ae04aaf@primekey.com> <5843.1591897975@localhost> <092308c1-dc44-4989-e3a5-1a248a3c361e@primekey.com> <20595.1593377487@localhost> <841240ae-f610-dcf8-1e29-c73371ae976b@primekey.com> <22303.1595374300@localhost>
In-Reply-To: <22303.1595374300@localhost>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=6f010863-e5e4-4555-aa03-0000e8b22546; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-07-22T08:22:59Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
x-document-confidentiality: NotClassified
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=siemens.com;
x-originating-ip: [165.225.200.158]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 9db08c61-6f89-4b28-9ddb-08d82e1b94a3
x-ms-traffictypediagnostic: AM0PR10MB3474:
x-microsoft-antispam-prvs: <AM0PR10MB347426F30639CE58A28A2980FE790@AM0PR10MB3474.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GYKzc1kzwhC4iArveau3KDtaiXiBTliitsyI8LHETrHN+eHX+Ufhuosq++DxKOvr++AzT2A1ia8Wgg2zzVN7eyJvEHt1AYz9GOFPkwGoF24sRpxqCAOzaVuKUjf328sk+cErgIwGRkKKGO4PgKQa+twTeWIHryLvAZx8Cj5XC//uTkb3nEr2ORTTFacEGivxI1CMvjMeZhcIUvzwHA0ZYBdemND9Mb0tv16HjDIjDm+6TAjMl/O8LTc8l7xczrJeBd4fjqA0/FxKtyE3zzJzWRGjAanrh5cuRVN1s8WGhTY5pYqlYpUyINkXYDh7oeeC5XI+u8grjskS0sTVFtNUrw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(376002)(366004)(346002)(136003)(39860400002)(26005)(5660300002)(55236004)(186003)(54906003)(33656002)(7696005)(8676002)(83380400001)(316002)(66446008)(66556008)(55016002)(52536014)(71200400001)(76116006)(53546011)(6506007)(4326008)(8936002)(2906002)(66476007)(66946007)(478600001)(86362001)(9686003)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: wAm0HRW3iilu7AfKcpAQ5MUSbXX9tiEtI9hVL1TAZR6e7lOEihCycN2U/itqHRDflsIUioyJTY+42N8bQIt81sd+My78ma1DdAX5baVZ9wMtyAndpb7utanPMiBLnKXmLtQplQXKMNklI4nXpDoUUCBD6lGe0kfYQ7ni4IOUpVnp5ZjrSQYNof67ESucrYAvJjxT9ozJzlN73jyqBlP7+fmqZ1fnb3kj8pM/twqLJgCwFTik2jw1K765JSC7Scu/1ca4FyJlJ0crIitee+qbkh//D0sSgPNSoYUsM/5AdmbsIUvr5yJ7OGU7gMBChv6Jd/rX6svW4Wl58zDrEuG8uMBspmhDOKt434UWIGv2sc06nRwnILwXGp682mW5PkXs+CZSQ4T4aCZ/QAYkwiB7IYrhBcQcsg3s7wGD2UbTAXNKLx42qP2INVxGwRDONtiM6XOVMG6j5JEDrWnirfmBCO4PawfnZFNxje5U2e5Z+RXtI8sjVYPXW7JUeDWxN464
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 9db08c61-6f89-4b28-9ddb-08d82e1b94a3
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jul 2020 08:45:26.5222 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1zexfqWeMvoLGwP/A96LRj67MzQA8buFZDaC5JlTxyMbImhh43+j6nghLlz0Jd9QILhsp6KTSEOpec1ApO/FQW5WHBcC3tJfEXzx4IcGSpk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB3474
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/E7dYKZOzGP80z0khOJZmv14nVm4>
Subject: Re: [Secdispatch] [lamps] IDevID considerations document to secdispatch
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 08:45:31 -0000
> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael Richardson > > Tomas Gustavsson <tomas.gustavsson@primekey.com> wrote: > > On 2020-06-28 22:51, Michael Richardson wrote: > >> > >> Thank you again for reviewing the document! > >> > >> I know that primekey is involved in creating Birth Certificates for > >> many product lines. (Your website's term, not mine, but a good > >> one) > > > It wasn't my (ours) terminology unfortunately :-). We found it > > elsewhere. I don't remember where "birth" came from. 3GPP 33.310 have > > the same concept, but calling Vendor certificate. I think birth > > certificate is a little better, as it's more generic than specifying a > > vendor relationship. > > I do like the birth concept, and I am thinking if changing the document name to > include it would make sense. > Perhaps someone with expertise in attachment parenting can provide some > interesting words about how trust anchors are installed. > I use the image of the "birth certificate" to better explain the attributes of an IDevID certificate. - Issued at manufacturing time (in Germany the birth certificate is a simple sheet stamped and signed by the local register office) - The enrollment process requires some organizational/physical security, as there is nothing to derive trust from at that point in time (in Germany the father or mother have to request the birth certificate personally. They need to define the name of the child in front of the register officer and need present a conformation letter from the hospital or midwife about the date of birth) - It lasts as long as the device is used (in Germany a birth certificate has no validity and it is difficult to get a new one, if you lost yours) - It is required for initial authentication to request an operational certificate (in Germany the birth certificate is required if you request a national ID card or a passport) - It should not be used for day-to-day operational tasks (you would not use the birth certificate to identify yourself other than to the register office. Only rarely it is requested, e.g., when becoming a governmental or public official) > >> I wonder if you can comment on which of the three methods you > >> support? Do you have any suggestions on names for the three > >> methods? To me, just getting three good names is 90% of the value > >> of this document. > > > We support: > > 2.1.1. On-device private key generation > > Standard CSR-submitted-to-CA process > > I have named this: > a) _device-generated_ / _mechanically-transfered_ > b) _device-generated_ / _network-transfered_ > > I know that you are blown away by my imagination here. > Perhaps someone can feed this through a mechanical translator, run it > English->German->Mandarin->Swahili->English, and see what comes back. > > I think that it's useful for the entity that needs to examine the risk for the > process to distinguish the two transfer methods. > > > > 2.1.2. Off-device private key generation > > Typically CA-generates-keystore process. Some protocols, i.e. > > CMP/RFC4210 have standard support for encrypting the private key sent > > back to the client > > I have named this: > a) _factory-generated_ / _mechanically-transfered_ > Like a serial console connection, or a JTAG flash writer. > > for b) _factory-generated_/ _network-transfered_ > > yes, but what key would you use? :-) > The device has nothing.... > So I think that it really has to always be used in the factory with a physically > secure network connection. I personally would prefer to say '_infrastructure-generated_' than '_factory-generated_', because the generation on the device will most likely also take place in the factory. > > > 2.1.3. Key setup based on 256-bit secret seed > > We haven't seen this. Albeit, it's not so much related to the PKI > > part, so it can still be supported/used if the certificate issuance is > > done using a CSR process to the CA. > > I have named this: device/factory-co-generated Same here: 'device/infrastructure-co-generated'. - Hendrik
- [Secdispatch] IDevID considerations document to s… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Brockhaus, Hendrik
- Re: [Secdispatch] [lamps] IDevID considerations d… Tomas Gustavsson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Tomas Gustavsson
- Re: [Secdispatch] [lamps] IDevID considerations d… Brockhaus, Hendrik
- Re: [Secdispatch] [lamps] IDevID considerations d… Brockhaus, Hendrik
- Re: [Secdispatch] [lamps] IDevID considerations d… Brockhaus, Hendrik
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Michael Richardson
- Re: [Secdispatch] [lamps] IDevID considerations d… Phillip Hallam-Baker