IETF Logo Mail Archive

Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 11 June 2021 22:50 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4C543A1050 for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 15:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aOWhc0ZYalZS for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 15:50:00 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DE7B3A104E for <suit@ietf.org>; Fri, 11 Jun 2021 15:49:59 -0700 (PDT)
Received: from dooku.sandelman.ca (desktop4.sandelman.ca [209.87.249.16]) by relay.sandelman.ca (Postfix) with ESMTPS id 35EB61F47B; Fri, 11 Jun 2021 22:49:58 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id A13EB1A02B5; Fri, 11 Jun 2021 18:49:56 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>, suit <suit@ietf.org>
In-reply-to: <CAMm+LwjOttzKEA8=BkLJw1-n8RthEtYwToiUkix8=83c-TnkQw@mail.gmail.com>
References: <0f9601d75adf$5856cf50$09046df0$@reliableenergyanalytics.com> <DBBPR08MB59155DB5DBE123F55B25894BFA359@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAMm+Lwg36Y-tpB+XTwYYpC3psCNEj3O33BzrnzzC8gtMjgkD3Q@mail.gmail.com> <DBBPR08MB5915A4EAB8B59778AD9DCAD9FA349@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAMm+LwjOttzKEA8=BkLJw1-n8RthEtYwToiUkix8=83c-TnkQw@mail.gmail.com>
Comments: In-reply-to Phillip Hallam-Baker <phill@hallambaker.com> message dated "Fri, 11 Jun 2021 14:39:11 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 11 Jun 2021 18:49:56 -0400
Message-ID: <8419.1623451796@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Lz_2Y687VsxQnw_sLAZiESX8FZ8>
Subject: Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 22:50:05 -0000

Phillip Hallam-Baker <phill@hallambaker.com> wrote:
    > Authenticode only signed the software distribution package, most of
    > what has followed has done the same. That is a useful control of course
    > because an installer is an executable that runs on the machine. But it
    > is necessary but not sufficient: Every executable, every piece of
    > installed data should be signed without exception.

I think that there are existing mechanisms to embed signatures in ELF.
There was a lot of discussion, I think, about how the signature was visible
or not visible to regular tools.  Some mechanisms basically hid the signature
at the end of the file, pretending that the file was shorter when treated as
an executable.
Other people wanted it in some other resource record, but then there were
concerns that the signatures would get lost in backups, etc.

So there have been patches to Linux to verify the signatures before
executing.  I think that this has been done on other platforms, and there are
even MCUs that can verify and even decrypt code transparently as it is executable.

Are you thinking at this level?   Always?  Sometimes?

    > am merely saying that they have to define one, they have to show that
    > all the necessary operations are inside it and that everything inside
    > it is sufficiently secure.

I think that there is an additional part: resilience of the whole to failures
of the pieces.   Having one large perimeter is not as good as having many
small ones, except some consideration of economies of scale.

...

    > It is worth pointing out that the reason colonial pipeline was affected
    > so badly was probably that they were sending multiple types of fuel
    > down the same pipe in batches. That game is only going to work if you
    > can absolutely guarantee that you aren't going to put the load of tar
    > into a tank full of top grade aviation fuel. So their problem probably
    > wasn't on their actual operations side itself, the thing they were
    > looking at. They had not understood that the database of what fuel is
    > where was actually critical to operations.

So that was really their problem, they lost their inventory list?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email