Re: [Suit] How are firmware and firmware versions expressed in manifest?

Dick Brooks <dick@reliableenergyanalytics.com> Fri, 05 June 2020 17:41 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 645493A0C63 for <suit@ietfa.amsl.com>; Fri, 5 Jun 2020 10:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KfGhzGNkHQY5 for <suit@ietfa.amsl.com>; Fri, 5 Jun 2020 10:41:29 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6173E3A0C0B for <suit@ietf.org>; Fri, 5 Jun 2020 10:41:29 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id B8C8B5C01EF; Fri, 5 Jun 2020 13:41:28 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Fri, 05 Jun 2020 13:41:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=xHgM2sQjZYPfMhol2hUhjt1xNFnMWbTYVmcZatkqy Os=; b=MV5U2rP8Mf9J4E3X3RRg6QJQ5CazZtJ10rAnv+Udw+Xr2rLMOe/4FdDaT PpEnRg8Nw4BjLD19Axozwsd5InydpQv8r8u9RMqVdoQkSwHF/MBHjm3Vz7s4y9XQ monb32TnLt9n1hsGUNtJ6PI8xUtM/GPMyRQBjcUU5Dsm6Bt5XyC/pLxLRFBiUGSA 0WYss0c260zyzZuldgTJe/WfL0q6wpGTlkB8ZYw5a75pUtuu0bqyqZHbqNv9TYy3 DDY0Y2IVOvcIkPX+UbYEQeYD1VmhKJzl5zHYCD2Ps7Tc+5vvJ8EMvft5vGaAyfrQ 0K29HuKHJgRUi6oAYa12j0w76MqjQ==
X-ME-Sender: <xms:yIPaXjQLDsVSFgZB3Fl5kcZetJhzkAJ2cX87IUk1pwQYQ2iyG9ZVWw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudegfedguddtvdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfhfjgfuffhokfggtgfgofhtsehtjeertddvtddvnecuhfhrohhmpedf ffhitghkuceurhhoohhkshdfuceoughitghksehrvghlihgrsghlvggvnhgvrhhghigrnh grlhihthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpedvjeduieeghedutdekvdet hfdukeekheelieeggffgvdfgjeelkeefgfelgeefleenucffohhmrghinheprhgvlhhirg gslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomhenucfkphepvdduiedrudelfedr udegvddrvddvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homhepughitghksehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm
X-ME-Proxy: <xmx:yIPaXkyZ8TgVhS-U62KnaZz8NoEaeybh5AN1_5ut-OS-X-o8B7Z11w> <xmx:yIPaXo3lCIA-wONzOvdk8qAOyZcmvjirFYpbX6elBSlOEN33r4BEKQ> <xmx:yIPaXjDX5aqcXYVONwTuy4tHG-cxz33L6lud8Spb8kxXY28d1gRQJw> <xmx:yIPaXoaYjs3PmfkJKRu0WbQ6UcCF6Uaxdw_OlyWeU3vw8gSiayfEnw>
Received: from farpoint (unknown [216.193.142.22]) by mail.messagingengine.com (Postfix) with ESMTPA id CA2D93280063; Fri, 5 Jun 2020 13:41:27 -0400 (EDT)
From: "Dick Brooks" <dick@reliableenergyanalytics.com>
To: "'Michael Richardson'" <mcr+ietf@sandelman.ca>
Cc: "'Hannes Tschofenig'" <Hannes.Tschofenig@arm.com>, <suit@ietf.org>, "'Saad EL JAOUHARI'" <saadeljaou@gmail.com>, "'Eliot Lear'" <lear@cisco.com>, "'Henk Birkholz'" <henk.birkholz@sit.fraunhofer.de>
References: <AM0PR08MB371631B7C1E6B50DCA29049AFA880@AM0PR08MB3716.eurprd08.prod.outlook.com> <8b6d01d639d0$62614150$2723c3f0$@reliableenergyanalytics.com> <AM0PR08MB37166AD36B5AA36EA7D7CA9BFA890@AM0PR08MB3716.eurprd08.prod.outlook.com> <20437.1591317129@localhost> <1076601d63b3a$d53f5d90$7fbe18b0$@reliableenergyanalytics.com> <11051.1591378588@localhost>
In-Reply-To: <11051.1591378588@localhost>
Date: Fri, 5 Jun 2020 13:41:18 -0400
Organization: Reliable Energy Analytics
Message-ID: <11c4101d63b60$8a2136a0$9e63a3e0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEpJGg3Q76y3b59AZfDOO6eGr7fRAJUo0s2Am+d4lkB06Pk1ADWaYOUAe4xceOp2ZN+0A==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Rsl0_5T6prCzIm2Y4PJFBZJK_Wc>
Subject: Re: [Suit] How are firmware and firmware versions expressed in manifest?
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2020 17:41:38 -0000

Thank you, Michael. I need to think through this a bit more.

Thanks to all for your insights.

Thanks,

Dick Brooks

Never trust software, always verify and report! T
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Friday, June 05, 2020 1:36 PM
To: Dick Brooks <dick@reliableenergyanalytics.com>
Cc: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>om>; suit@ietf.org; 'Saad EL
JAOUHARI' <saadeljaou@gmail.com>om>; 'Eliot Lear' <lear@cisco.com>om>; 'Henk
Birkholz' <henk.birkholz@sit.fraunhofer.de>
Subject: Re: [Suit] How are firmware and firmware versions expressed in
manifest?


Dick Brooks <dick@reliableenergyanalytics.com> wrote:
    > Thanks, Michael Richardson. I'm uncertain that MUD has exactly what
I'm
    > looking for to meet NERC CIP-010-3 R1, Part 1.6 expectations, after a
    > cursory look at the standard. I don't see where the MUD process would
    > support deep introspection and corroborating evidence within a risk
    > assessment control prior to deployment, which is what I need for NERC
    > CIP-010-3.

It does not offer any of those things.

It offers an attribute/value mechanism signed by the manufacturer, possibly
specific to a given firmware revision, in which you can put a pointer to
some kind of SBOM that would provide you the right information.

We can also do this from the SUIT Manifest, but I suspect that the extra
layer of indirection will benefit the ecosystems.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works  -=
IPv6 IoT consulting =-