Re: [lamps] IDevID considerations document to secdispatch
Tomas Gustavsson <tomas.gustavsson@primekey.com> Mon, 15 June 2020 05:49 UTC
Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89713A09D5 for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 22:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=primekey.com header.b=f1kVWx6K; dkim=pass (1024-bit key) header.d=primekey.com header.b=f1kVWx6K
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-SFxlkAch8J for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 22:49:03 -0700 (PDT)
Received: from mail.primekey.com (mail.primekey.com [84.55.121.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FCA33A09D4 for <spasm@ietf.org>; Sun, 14 Jun 2020 22:49:02 -0700 (PDT)
Received: from mail.primekey.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPS id D44F86AA0084 for <spasm@ietf.org>; Mon, 15 Jun 2020 07:48:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1592200123; bh=G9QSfgDZoTKPzB4JurjIzq8mg56loNFR25Xszma796A=; h=Subject:To:References:From:Date:In-Reply-To:From; b=f1kVWx6KHJntvhaKEwn3mlyEZPmDeYX0yyRU4YTSXitcSGjCgY2nhJTL4N949hKTP SVKekKzOTQlZr4lG2gCZMrxewxmArq2+gUS5r1zXI2JKMYT6hJP9BjypnM3gGWCL9N CNisbtWGyVcEdr8y1Zhzyy/Cnvkag3aBJDyT4LBg=
Received: from [10.11.0.4] (gatekeeper.primekey.se [84.55.121.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPSA id B3CA26AA006F for <spasm@ietf.org>; Mon, 15 Jun 2020 07:48:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1592200123; bh=G9QSfgDZoTKPzB4JurjIzq8mg56loNFR25Xszma796A=; h=Subject:To:References:From:Date:In-Reply-To:From; b=f1kVWx6KHJntvhaKEwn3mlyEZPmDeYX0yyRU4YTSXitcSGjCgY2nhJTL4N949hKTP SVKekKzOTQlZr4lG2gCZMrxewxmArq2+gUS5r1zXI2JKMYT6hJP9BjypnM3gGWCL9N CNisbtWGyVcEdr8y1Zhzyy/Cnvkag3aBJDyT4LBg=
To: spasm@ietf.org
References: <159176190855.9169.7350787463977998504@ietfa.amsl.com> <10463.1591763623@localhost> <13107.1591804306@localhost> <f7cdd360-7ab7-28f6-86b9-9f8c4ae04aaf@primekey.com> <5843.1591897975@localhost>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Autocrypt: addr=tomas.gustavsson@primekey.com; prefer-encrypt=mutual; keydata= xsBNBEyuwwYBCAD31Jsxn1lf7rnFc7y3Ol+TE7pU7ohO78kMdoVrZdAMnU9W0P33GedbU+kF 8/RFq7HlXV8a91RkgtdcMAK8tSdtBKDGZCOJZm5qOZ/EHikY8k/7s1wgSQSF4hYSG/IABCCA W139joDFl4L3buWyk2lsYX1HDBpuXGDL5HFyu165T0ZVlt23T04xmAwpIHUViKUWw1QYnlRz s66Desn2WeP+X8/QlqF1zOTUXbgrThB1X/Oh2+wzP08HVoTQCzlrEMeb9x2k+oa8PtVdnflh nZKBtyyBkZxRoHG3tNKcaf7JLoadSXcSKSKvfApcsxpP2JpkQgIhLi3JWik/Z+RR2WD1ABEB AAHNMFRvbWFzIEd1c3RhdnNzb24gPHRvbWFzLmd1c3RhdnNzb25AcHJpbWVrZXkuY29tPsLA dwQTAQgAIQUCWX8yTAIbIwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBibcSbAEP+QGAU CAC82dn8XCQ8Ei7gxQAdRSc2imaP/388i/ObDMYhNhg5j4gXs3tkfxuCvhwkzskUFgOtmaEy uz/gIiVjQIsjQrHh5tl9M0q2tqbDHJpWfE6/SkXPUmTqQ0VGyq1MmZ3/zg2jSoll74qBSfdH V7sWugRXeCBxfaPeYo8DdPCGi27yrdL8zb3xkJ3BxPcDGNdkLm+Yza+qAOrssCD7MSLN+6Sd ML5Xcmw6pgRPlQ0aCsM7scrwgBNb7KrwxaqBxqwcuqF0NMgNjeiEHi2Oj3HOZdYU4Blk2GFq 9zHuCzTWumgNOlfksZ9K3ZMJBn6KLPot5bVXIKdnHwWRzoKMDxkSZjM5zsBNBEyuwwYBCADZ 98eCFQ64zKo1OKkUgEJHO1JdsiqRO1znu6KyaTcd2vXfOCGkFFVBL+vjzzyyYV7Sg1/AaG4r l9TKJCwvx8mUmTJkKQspTfOj6AY33bmfMB/8LBYj2BjtxXyMucPjNTJqbL2r1HeGPV2nwyof MAyo2qcYuiLs20Ob7U8vooOV3GDDKEkXtJYZzTEU6qabGsepGIvMu770OZwvm4akQiCGe5sQ 4+/UH1pMZQNi+/fGbONFx+TUVMM8EkXD6dQ5WoL+xPabPjqiUmR7EBvg0uocr70Ag93tWk1d 4RgFcicjwMFcPg4TZ8Y/3Y7Nmbyo14+4SMNfNPFLgQMawL+cLLkdABEBAAHCwF8EGAECAAkC GwwFAlYXhXUACgkQYm3EmwBD/kA2igf/QNpPe7sLt3KdRD3x4cStxGjLCWyj7x1YLVnV4Nnu TvaNhC+KHx3uG39y1x3PJQwslpeSQ6JipOUmxeQjjGJGQZLV41L1PCJVhCL98Dinr6dJkYB7 cAVhfmW8PI51jiANExLZu8U5gnthj5CGv4428ODQgSoRI0demG3HmVCNrKdap+orhT8zRkq8 DuHTO01U7PKsfvQ2k8AqSAC/JjMOs1mpFe032IApXxlZkE+33Q3dE5BiJmICYg8hsRXvpKTm ZMCdNZJUQLq+XNpg6RtAPQIPMmCepXrE9M/KuH+jFS2G5+Hx5VBSM644E1G2i+HOPCVdHjof iaNi3V/ItEG3jw==
Message-ID: <092308c1-dc44-4989-e3a5-1a248a3c361e@primekey.com>
Date: Mon, 15 Jun 2020 07:48:59 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <5843.1591897975@localhost>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xd08Ovkc14IhWVeYsCXrfeKWU0g>
Subject: Re: [lamps] IDevID considerations document to secdispatch
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 05:49:06 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2020-06-11 19:52, Michael Richardson wrote: > > Tomas Gustavsson <tomas.gustavsson@primekey.com> wrote: >> The notion of serialNumber in the document, for me, reads as it's >> not clear what is the certificate serial number (9-19 bytes in >> your document) and the device serial number. There don't have to >> be the same. What I have seen commonly used is that the subjectDN >> field is used to carry the device serial number, while the >> certificate serial number is random, and only used to uniquely >> identify the certificate in the PKI (issuer/serial). > > Your assumption is entirely correct. I wish that certificates > hadn't used "serial Number" in it's terminology, as it's really > "certificate Identifier", and we have learnt the hard way that it > should not be sequential. > >> In such a case I would assume that the manufacturing execution >> system (MES) and it's database controls the device serial number, >> while the PKI controls the certificate serial number, and there >> does not have to be any synchronization between these two. > > Agreed. Do I say something different here? I would love to clarify > things. This section confused me at first read: - ----- In all cases the serialNumber embedded in the certificate must be unique across all products produced by the manufacturer. This suggests some amount of structure to the serialNumber, such that different intermediate CAs do not need to coordinate when issuing certificates - ----- At first read I thought about certificate serial number, but now realize it's the device serial number that is meant. I think that section can be clarified somewhat. Some additional nitpicking... I think this section is missing an 's'? - ----- The intermediate CA will have a private key, likely kept online, which is used to sign each generated IDevID. Once the IDevID are created, the private key is no longer needed and can either be destroyed, or taken offline. - ----- In the line preceding this section it talks about "some number of IDevIDs". Then that the CAs private key can be destroyed after generating that number if IDevIDs. Hence, just ad an s: "Once the IDevID are created, the private key is no longer needed and can either be destroyed, or taken offline." - -> "Once the IDevIDs are created, the private key is no longer needed and can either be destroyed, or taken offline." Regards, Tomas -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEWhJUWO1gQBfiUtymYm3EmwBD/kAFAl7nC8gACgkQYm3EmwBD /kCVAQgAw1vi8QdbAapwi60XQsStaRK1Ap8sNtkfMpyq7J4E45VREVLoazhKnqlX w5JxuM5ViHPgekNBnIk1qj3hN5XjPEFxZGtoy8Dx1iJh6w0pu8jbK5p/LKBWX71U H0f1FXQ6e2NGmfSviWR4G76ikapI4bfq05SlIrWP29+b/GPaqUZPyX5g0Uf/UANu 4cWAhnOH6DlSEcHolMJzc7Zi61bjIkY1XXd25AZFiu1/uer0zhxZV/kwuj69ELTd OTKOrprmOHVtcOC3PapIK0or4c6EusJSBdY3mpo4OibjKKiJsEhQUFqAnj+osg3Q P7rH5eYNul83MAb0jlAZk88oc3Z2HA== =NCZB -----END PGP SIGNATURE-----
- [lamps] IDevID considerations document to secdisp… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Tomas Gustavsson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Tomas Gustavsson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Brockhaus, Hendrik
- Re: [lamps] IDevID considerations document to sec… Tomas Gustavsson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Tomas Gustavsson
- Re: [lamps] IDevID considerations document to sec… Brockhaus, Hendrik
- Re: [lamps] IDevID considerations document to sec… Brockhaus, Hendrik
- Re: [lamps] IDevID considerations document to sec… Brockhaus, Hendrik
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Tomas Gustavsson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Phillip Hallam-Baker
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Michael Richardson
- Re: [lamps] IDevID considerations document to sec… Phillip Hallam-Baker