Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 11 June 2021 22:42 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65B1F3A0FF1 for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 15:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.5
X-Spam-Level: **
X-Spam-Status: No, score=2.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7btLzx6ASCqt for <suit@ietfa.amsl.com>; Fri, 11 Jun 2021 15:42:07 -0700 (PDT)
Received: from relay.sandelman.ca (minerva.sandelman.ca [IPv6:2a01:7e00::3d:b000]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FC343A0FF0 for <suit@ietf.org>; Fri, 11 Jun 2021 15:42:07 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [IPv6:2607:f0b0:f:40::146]) by relay.sandelman.ca (Postfix) with ESMTPS id 4E92C1F47B; Fri, 11 Jun 2021 22:42:03 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id A8A7D1A02B5; Fri, 11 Jun 2021 18:42:01 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>, suit <suit@ietf.org>
In-reply-to: <CAMm+Lwg36Y-tpB+XTwYYpC3psCNEj3O33BzrnzzC8gtMjgkD3Q@mail.gmail.com>
References: <0f9601d75adf$5856cf50$09046df0$@reliableenergyanalytics.com> <DBBPR08MB59155DB5DBE123F55B25894BFA359@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAMm+Lwg36Y-tpB+XTwYYpC3psCNEj3O33BzrnzzC8gtMjgkD3Q@mail.gmail.com>
Comments: In-reply-to Phillip Hallam-Baker <phill@hallambaker.com> message dated "Thu, 10 Jun 2021 18:22:12 -0400."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 11 Jun 2021 18:42:01 -0400
Message-ID: <8260.1623451321@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/ltb645ZRfzIwLswokChvaRxayUA>
Subject: Re: [Suit] Surprising push back on the need for a customer to verify the trust relationship between a software supplier and software signer during digital signature validation on signed code
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 22:42:13 -0000
Phillip Hallam-Baker <phill@hallambaker.com> wrote: > I see multiple concerns: > 1) Every software distribution MUST be signed without exception > 2) All software executables and data installed on a machine MUST be > signed by the provider. > 3) All signatures MUST be under keys that have a trustworthy > credential. > The reason I reject (3) is because I insist on (1) and (2). I want I'm with you here, and I agree with your compromise situation. > For critical infrastructure devices, I suggest the following: > 0) Must identify such machines and label them prominently > 1) Software must be signed under trustworthy credential > 2) Platform must verify signature before executable is launched. So you make a distinction between software executables installed on a machine (above), and "launched" here. I wanted to be sure that this distinction was intended. We have in the past discussed the question of who controls the trust anchor authorized to perform software updates in a given system. That's to be distinguished from who signs the software! One of the limitations in the Android ecosystem is that one has only two choices: trust Google, allow unsigned executables (APKs). An intermediate choice could be, "trust anchor FOO". Trusting more than one gets us into the WebPKI problem of who is authorized for what, and cert transparency, etc. Apple does slightly better in that (I understand) Apple insists that all packages be signed, but allows for some people (developers) to designate certain phones are allowed to trust the local enterprise. This doesn't scale to the general public though. In the industrial IoT space, I think that operators will want to be the ultimate authority as to what code runs where. So the authorized trust anchor in the device will not be the manufacturer, but the operator. The operator will verify the signature(s) from the manufacturer of the software, and then will countersign or resign the MANIFEST with their key. How this will play out in other spaces, I don't know exactly. I expect *Tesla* to sign the code in the brake MCU, not Bosch, even though Bosch made it. That doesn't mean that Bosch didn't sign the code when it was transfered to them. Unfortunately, I don't think the car owner will get to decide. How that will play out when the manufacturer declares EOL, I don't know. (I have a 30yr old VW. But, it's a toy, not transport. I use bike + transit in town) There will be some equipment which, when the manufacturer says EOL, then the device needs to die. There will be other things where this is less important. What can the IETF do? Well, I think that we (SUIT WG) needs to consider how to manage and update authorizations for trust anchors in a standardized way. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Suit] Surprising push back on the need for a cus… Dick Brooks
- Re: [Suit] Surprising push back on the need for a… Hannes Tschofenig
- Re: [Suit] Surprising push back on the need for a… Dick Brooks
- Re: [Suit] Surprising push back on the need for a… Hannes Tschofenig
- Re: [Suit] Surprising push back on the need for a… Dick Brooks
- Re: [Suit] Surprising push back on the need for a… Russ Housley
- Re: [Suit] Surprising push back on the need for a… Phillip Hallam-Baker
- Re: [Suit] Surprising push back on the need for a… Hannes Tschofenig
- Re: [Suit] Surprising push back on the need for a… Dick Brooks
- Re: [Suit] Surprising push back on the need for a… Dick Brooks
- Re: [Suit] Surprising push back on the need for a… Phillip Hallam-Baker
- Re: [Suit] Surprising push back on the need for a… Laurence Lundblade
- Re: [Suit] Surprising push back on the need for a… Michael Richardson
- Re: [Suit] Surprising push back on the need for a… Michael Richardson
- Re: [Suit] Surprising push back on the need for a… Toerless Eckert
- Re: [Suit] Surprising push back on the need for a… Phillip Hallam-Baker
- Re: [Suit] Surprising push back on the need for a… Phillip Hallam-Baker
- Re: [Suit] Surprising push back on the need for a… Dick Brooks