Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 10 June 2021 22:22 UTC

References: <0f9601d75adf$5856cf50$09046df0$@reliableenergyanalytics.com> <DBBPR08MB59155DB5DBE123F55B25894BFA359@DBBPR08MB5915.eurprd08.prod.outlook.com>
In-Reply-To: <DBBPR08MB59155DB5DBE123F55B25894BFA359@DBBPR08MB5915.eurprd08.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 10 Jun 2021 18:22:12 -0400
Message-ID: <CAMm+Lwg36Y-tpB+XTwYYpC3psCNEj3O33BzrnzzC8gtMjgkD3Q@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "dick@reliableenergyanalytics.com" <dick@reliableenergyanalytics.com>, Brendan Moran <Brendan.Moran@arm.com>, suit <suit@ietf.org>, Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="0000000000003931ef05c470d36d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/UqBFAbUq2Pzfn9KKKCdA4u_1XgE>
Subject: Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code

I strongly disagree. Given my history of involvement in the WebPKI, I am
certainly not biased against CAs. My concern is different.

I see multiple concerns:

1) Every software distribution MUST be signed without exception.

2) All software executables and data installed on a machine MUST be signed
by the provider.

3) All signatures MUST be under keys that have a trustworthy credential.

The reason I reject (3) is because I insist on (1) and (2). I want every
piece of software to be signed on every machine without any exception
whatsoever. That includes every development build, every open source
project, every script written by the user. And that should apply to every
desktop, laptop, tablet, mobile, etc.

The thing is that I can't have the strong signing model I want if I also
insist that every credential be an EV signature. It is one or the other. I
choose everything signed.


For critical infrastructure devices, I suggest the following:

0) Must identify such machines and label them prominently.

1) Software must be signed under a trustworthy credential.

2) Platform must verify signature before executable is launched.
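The two regimes the message contrasts, "everything signed, any key" versus "signed under a trustworthy credential", can be made concrete as a verifier with two policy modes. The following is an added example, not code from the message, from the SUIT working group or from any product; it assumes Ed25519 as the signature scheme, a simple trust store keyed by public-key hash as the stand-in for "trustworthy credential", and constructed artifact names, payloads and key seeds. The point it shows is that the same artifact signed by a developer key launches under the first policy and is refused under the second, while a tampered or unsigned artifact is refused under both.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Policy selects which of the two signing regimes from the message applies.
type Policy int

const (
	// EverythingSigned: every artifact must carry a valid signature, but the
	// signing key need not hold an externally issued credential (developer
	// builds, open source projects and user scripts all qualify).
	EverythingSigned Policy = iota
	// TrustedCredential: the signature must verify AND the signing key must be
	// bound to a credential the platform trusts (critical infrastructure case).
	TrustedCredential
)

// SignedArtifact is a minimal, constructed stand-in for a signed package.
type SignedArtifact struct {
	Name      string
	Payload   []byte
	PublicKey ed25519.PublicKey // nil when the artifact is unsigned
	Signature []byte
}

// TrustStore maps a key identifier (hex SHA-256 of the public key) to the
// credential the platform has accepted for it. Presence in the store is this
// example's notion of "trustworthy credential"; how the credential was issued
// (CA, EV, enterprise policy) is an assumption left outside the code.
type TrustStore map[string]string

// KeyID derives a stable identifier for a public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// KeyFromSeed derives a deterministic key pair from a seed string. The seeds
// used here are constructed constants for a reproducible example only.
func KeyFromSeed(seed string) ed25519.PrivateKey {
	s := sha256.Sum256([]byte(seed))
	return ed25519.NewKeyFromSeed(s[:])
}

// signingInput binds the artifact name to the payload so a signature cannot
// be transplanted onto a differently named package.
func signingInput(name string, payload []byte) []byte {
	var b bytes.Buffer
	b.WriteString(name)
	b.WriteByte(0)
	b.Write(payload)
	return b.Bytes()
}

// Sign produces a signed artifact under the given private key.
func Sign(name string, payload []byte, priv ed25519.PrivateKey) SignedArtifact {
	return SignedArtifact{
		Name:      name,
		Payload:   payload,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signingInput(name, payload)),
	}
}

// Verify decides whether the platform may launch the artifact under a policy
// and returns a reason suitable for an audit log either way. The length check
// comes first because ed25519.Verify panics on a malformed public key.
func Verify(a SignedArtifact, policy Policy, store TrustStore) (bool, string) {
	if len(a.PublicKey) != ed25519.PublicKeySize || len(a.Signature) == 0 {
		return false, "rejected: artifact is unsigned"
	}
	if !ed25519.Verify(a.PublicKey, signingInput(a.Name, a.Payload), a.Signature) {
		return false, "rejected: signature does not verify (tampered or wrong key)"
	}
	if policy == EverythingSigned {
		return true, "allowed: valid signature, credential not required"
	}
	cred, ok := store[KeyID(a.PublicKey)]
	if !ok {
		return false, "rejected: valid signature but key has no trusted credential"
	}
	return true, "allowed: valid signature under credential " + cred
}

func main() {
	vendor := KeyFromSeed("constructed-vendor-seed")
	dev := KeyFromSeed("constructed-developer-seed")
	store := TrustStore{KeyID(vendor.Public().(ed25519.PublicKey)): "example vendor credential"}

	release := Sign("controller-fw", []byte("constructed firmware image v1"), vendor)
	devBuild := Sign("controller-fw", []byte("constructed firmware image v1"), dev)
	tampered := release
	tampered.Payload = []byte("constructed firmware image v1 (modified)")
	unsigned := SignedArtifact{Name: "local-script", Payload: []byte("constructed script")}

	for _, p := range []Policy{EverythingSigned, TrustedCredential} {
		for _, a := range []SignedArtifact{release, devBuild, tampered, unsigned} {
			ok, why := Verify(a, p, store)
			fmt.Printf("policy=%d %-14s launch=%-5v %s\n", p, a.Name, ok, why)
		}
	}
}
```

The verifier checks the signature before consulting the trust store, so a bad signature is rejected identically under both policies and the trust store only ever distinguishes between valid signatures; that ordering keeps the "everything signed" baseline intact even on machines that additionally require a credential.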