Re: [Suit] Suit manifest with variable recipients

Brendan Moran <Brendan.Moran@arm.com> Fri, 23 July 2021 06:49 UTC

From: Brendan Moran <Brendan.Moran@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: suit <suit@ietf.org>
Date: Fri, 23 Jul 2021 06:48:43 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/kQ7d0KYM52Eh7iMPlw9rm8WQSQg>


> On 22 Jul 2021, at 21:36, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>> 1: The threat described above: An on-path attacker upstream of the
>> status tracker suppresses a device. This is different from existing
>> SUIT DoS threats because of the targeting of single devices from
>> outside a network. To be clear, this is not simply a DoS; it is an
>> Elevation of Privilege (unprivileged actor decides which devices are
>> updated) AND a Repudiation threat (Not possible to know who chose which
>> devices received updates). The status tracker CAN inform the device of
>> the new update, but the device appears not to have been authorised by
>> the owner of the firmware (via the Content Encryption Key)
>
> Let's say that it's not malicious.
> Let's say that upstream provider noticed that you didn't renew support on
> that device, so they removed the access.

Yes, that’s explicitly called out; it's a recognised use case that I detailed previously. The point is that it would be indistinguishable from an attacker modifying—at rest or in transit—the list of recipients. This is the Repudiation threat. This is not acceptable. There needs to be at-rest protection for the recipient list.

> Shouldn't the Status-Tracker still notice that the device hasn't got the
> right firmware?

Yes, but it can’t tell the difference between a modification by an upstream provider and by an attacker. This is an open Repudiation threat.

I don’t see why it’s controversial to sign the recipient list—especially if that signature is NOT delivered to constrained nodes.

Brendan
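Added example, not part of the original message or of any SUIT draft: a Go sketch of the signed recipient list argued for above, showing how a status tracker could tell an upstream provider's authorised removal from an unsigned modification. The `SignedList` record, the party names, the device IDs and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedList is a hypothetical at-rest record: who authorised which recipients.
type SignedList struct {
	Recipients []string
	Signer     string
	Sig        []byte
}

// digest binds the signer name and each length-prefixed recipient ID, in order.
func digest(signer string, ids []string) []byte {
	h := sha256.New()
	for _, v := range append([]string{signer}, ids...) {
		fmt.Fprintf(h, "%d:%s|", len(v), v)
	}
	return h.Sum(nil)
}
func Sign(signer string, key ed25519.PrivateKey, ids []string) SignedList {
	return SignedList{ids, signer, ed25519.Sign(key, digest(signer, ids))}
}

// Attribute names the trusted party that authorised this exact list, or fails.
func Attribute(l SignedList, trusted map[string]ed25519.PublicKey) (string, error) {
	pub, ok := trusted[l.Signer]
	if !ok || !ed25519.Verify(pub, digest(l.Signer, l.Recipients), l.Sig) {
		return "", fmt.Errorf("recipient list not authorised by a trusted key")
	}
	return l.Signer, nil
}

// demoParties derives constructed, deterministic demo keys; real keys come from a CSPRNG.
func demoParties() (a, p ed25519.PrivateKey, trusted map[string]ed25519.PublicKey) {
	sa, sp := sha256.Sum256([]byte("author")), sha256.Sum256([]byte("provider"))
	a, p = ed25519.NewKeyFromSeed(sa[:]), ed25519.NewKeyFromSeed(sp[:])
	return a, p, map[string]ed25519.PublicKey{"author": a.Public().(ed25519.PublicKey), "provider": p.Public().(ed25519.PublicKey)}
}

func main() {
	author, provider, trusted := demoParties()
	full := Sign("author", author, []string{"dev-01", "dev-02", "dev-03"})
	cut := SignedList{[]string{"dev-01", "dev-03"}, full.Signer, full.Sig} // dev-02 dropped
	fmt.Println(Attribute(cut, trusted)) // fails: no trusted key signed this list
	fmt.Println(Attribute(Sign("provider", provider, cut.Recipients), trusted))
}
```

The signature travels with the recipient list to the status tracker only; nothing in this sketch has to reach a constrained node.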