Re: [Suit] Suit manifest with variable recipients
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 21 July 2021 20:23 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E5723A27F1 for <suit@ietfa.amsl.com>; Wed, 21 Jul 2021 13:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bkv2jmLYisWX for <suit@ietfa.amsl.com>; Wed, 21 Jul 2021 13:23:04 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6B8D3A27EE for <suit@ietf.org>; Wed, 21 Jul 2021 13:22:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9063838A03 for <suit@ietf.org>; Wed, 21 Jul 2021 16:26:21 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id DVnOvihb7L6J for <suit@ietf.org>; Wed, 21 Jul 2021 16:26:17 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 08335389F3 for <suit@ietf.org>; Wed, 21 Jul 2021 16:26:17 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8FC3454A for <suit@ietf.org>; Wed, 21 Jul 2021 16:22:52 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: suit <suit@ietf.org>
In-Reply-To: <4B4235A6-3965-4FBD-AEA8-E16C900C4A0C@arm.com>
References: <F51C5D05-043E-4F07-9A4C-7044646192E3@arm.com> <27551.1626138598@localhost> <4B4235A6-3965-4FBD-AEA8-E16C900C4A0C@arm.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 21 Jul 2021 16:22:52 -0400
Message-ID: <6855.1626898972@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/Vmi5z-4QjTV6nbnp1DKzTK3Zm1k>
Subject: Re: [Suit] Suit manifest with variable recipients
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2021 20:23:10 -0000
Not sure why I'm explicitely in the CC, reply-all I guess. Brendan Moran <Brendan.Moran@arm.com> wrote: > There is another possibility that I don’t think we’ve discussed. It has > some pros and a really big con. For the sake of completeness, here it > is: We keep the COSE_Encrypt exactly as it is and allow standard > manifest overrides via dependencies. This is good because it means that > only authorised parties can edit the recipients list. This is bad > because it means that the unused recipients structures cannot be > severed. It's a tussle. > However in our situation, an on-path attacker upstream of the Device > Operator gains fine-grained control of which of the Device Operator’s > devices are upgraded. This is scalable and difficult to detect. A > Device Operator would need to communicate with the Firmware Author to > determine why certain devices were not upgraded before the attack was > discovered, giving attackers a window of opportunity. Depending on > implementation details, competency, level of automation, and any other > coincident attacks launched by the threat actor, this window could be > longer or shorter. > I don’t believe that this is inline with our goals, however this > specific threat is not listed in the threat model within > draft-ietf-suit-information-model—evidence that threat models are > living documents, I suppose! Perhaps this threat should be discussed in > draft-ietf-suit-firmware-encryption? I think that such an on-path attacker can also drop the entire update, right? Or such an on-path attacker could selectively suppress the manifest getting to specific devices anyway. The summary is that this is not something new that is enabled by fine-grained control of the encryption. > I think the solution, though less than ideal, is to place some metadata > in the manifest about the COSE_Encrypt within the manifest. In short, > if COSE_Encrypt is external to the manifest, it must be authenticated > by the manifest. If it is altered by an authorised party, that must be > explicit and authenticated as well. I think that this barks up the wrong tree. Let's go back to the architecture (now RFC9019: woohoo!) Isn't the Status Tracker supposed to keep track of what version each device is running, and let it know that there is something new? AFAIK, standardization of the status tracker was not a goal in this round of SUIT. I'm unclear if we this was an ordering/chartering decision, or if it was because we really didn't think we could accomplish this without boiling oceans. RFC9019 mentions that LwM2M already has this functionality, and so maybe we will never ever have a single standard, but maybe it's time to identify what other places we can place the Status Tracker functionality. We have also been discussing SBOM pointers via MUD and/or Remote Attestation. At this time, I think that the manifest has became a bit of a hammer, and we'e actually run out of nail-shaped things. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Suit] Suit manifest with variable recipients Brendan Moran
- Re: [Suit] Suit manifest with variable recipients Michael Richardson
- Re: [Suit] Suit manifest with variable recipients Brendan Moran
- Re: [Suit] Suit manifest with variable recipients Russ Housley
- Re: [Suit] Suit manifest with variable recipients Dick Brooks
- Re: [Suit] Suit manifest with variable recipients Brendan Moran
- Re: [Suit] Suit manifest with variable recipients Michael Richardson
- Re: [Suit] Suit manifest with variable recipients Michael Richardson
- Re: [Suit] Suit manifest with variable recipients Michael Richardson
- Re: [Suit] Suit manifest with variable recipients Brendan Moran
- Re: [Suit] Suit manifest with variable recipients Michael Richardson
- Re: [Suit] Suit manifest with variable recipients Brendan Moran