IETF Logo Mail Archive

Re: [TLS] bootstrapping of constrained devices

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 21 March 2014 15:00 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E98591A09B0 for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 08:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_15=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LAZiJYQMP-3q for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 08:00:05 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 8C19B1A09A8 for <tls@ietf.org>; Fri, 21 Mar 2014 08:00:05 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id cc10so590939wib.2 for <tls@ietf.org>; Fri, 21 Mar 2014 07:59:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=8WIZZNKxmjg5BIPtnDKkKjhYw2YJtdBnkz1UEWeQ8A0=; b=cKRhhUqAP7F7eRtn4cCVz9TaaVCfG0AWMHOb3bBjNYKgfvAHuLvcitD2HQklO19JSd DvfOODJihDr2jYmL6ZLruL3irYX/PZYxxB/xE3oqN/ZkJ0dABTILM6D/wkBSWE3+1x2a n1O+4Jx/UNjNh9I1ukGbeXB1WCZ6v/pLLGjqvQDPVApjZUm5RH8/9XvE+SykRFVrbb7c MnPSmhrW5vyg6UT51ajtYhiWInfCHGUKyDXkyZl9BW4UZ+Dt6ZK2GXrC56/yw9nDozPi U0I7GzVk5idhzvUBis1Ng+JX6ePvLeXCHlBV52FmtLGtzLZ0X9a3AZRyMdUpRnfd+hY1 ildQ==
X-Received: by 10.180.37.178 with SMTP id z18mr3093182wij.46.1395413995694; Fri, 21 Mar 2014 07:59:55 -0700 (PDT)
Received: from [192.168.1.99] (188.110.176.95.rev.sfr.net. [95.176.110.188]) by mx.google.com with ESMTPSA id g5sm13878509wjs.8.2014.03.21.07.59.53 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Mar 2014 07:59:54 -0700 (PDT)
Message-ID: <532C53E1.1060302@gmail.com>
Date: Fri, 21 Mar 2014 15:59:45 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>, Michael Sweet <msweet@apple.com>, Rene Struik <rstruik.ext@gmail.com>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com> <532B0EAA.5040104@fifthhorseman.net> <8D8698DF-5C06-4F2A-8994-E0A36A987D6D@vpnc.org> <532B1739.80907@fifthhorseman.net> <CADrU+d+GkGU1Da3W6xGuOq4qvd40DdT6+sO6WEZeEag7Q1OiVQ@mail.gmail.com> <532B9B65.4030708@gmail.com> <8FD78E18-C3C7-4085-9E3F-8B60B20F2CB5@apple.com> <045401cf4514$1c0e5ec0$4001a8c0@gateway.2wire.net>
In-Reply-To: <045401cf4514$1c0e5ec0$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zkpADTShAmHYVzFxWxaZCvyi1E0
Cc: tls@ietf.org
Subject: Re: [TLS] bootstrapping of constrained devices
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 15:00:08 -0000

On 2014-03-21 15:44, t.petch wrote:
> ----- Original Message -----
> From: "Michael Sweet" <msweet@apple.com>
> To: "Rene Struik" <rstruik.ext@gmail.com>
> Cc: <tls@ietf.org>
> Sent: Friday, March 21, 2014 12:26 PM
> 
> Rene,
> 
> Installing device certificates during manufacturing is not a simple
> process - the factory would need to act as a CA or would need to have a
> supply of certificates that matches whatever identifiers are used by the
> devices.  Not to mention how you'd manage revocation if the root was
> compromised...
> 
> <tp>
> 
> Michael
> 
> In the context of syslog security, some years ago now, the question of
> device certificates arose and it was said there that they were quite
> common.  They would be self-signed, which gives much of the needed
> security, while avoiding issues of CA and root compromise.

In that case the identity would effectively be reduced to a fingerprint
(like an SSH key) which could be printed on the outside of the device
to facilitate password-free enrollment.

This scheme is though not universally applicable because there's a
lot of devices where you actually want to know the brand as well
including for example the FIDO/Google U2F token so for most devices
I suspect you will end-up with a CA anyway.

Anders

> 
> Tom Petch
> 
> On Mar 20, 2014, at 9:52 PM, Rene Struik <rstruik.ext@gmail.com> wrote:
> 
>> Hi Robert:
>>
>> Wouldn't it be much easier to embed device certificates with
> constrained devices at manufacturing? This may do away with need
> to store info that is not public on servers.
>>
>> If you could provide some links to discussions in "IoT community
> groups" interested in this, that would help.
>>
>> Best regards, Rene
>>
>> ==
>> There is a lot of interest in the IoT community in using some form of
> PAKE in conjunction with DTLS (or TLS with EAP) for authenticating
> commissioning/bootstrapping of IoT devices onto IoT networks
>>
>> On 3/20/2014 1:21 PM, Robert Cragie wrote:
>>> It should be remembered that TLS is used in places other than web
> browsers - the existence of the DICE WG is testament to this. There is a
> lot of interest in the IoT community in using some form of PAKE in
> conjunction with DTLS (or TLS with EAP) for authenticating
> commissioning/bootstrapping of IoT devices onto IoT networks. I realise
> this is different to the original proposition in this thread but wanted
> to draw this to the attention of the WG nevertheless.
>>>
>>> Robert
>>>
>>> On 20 Mar 2014 12:28, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net>
> wrote:
>>> On 03/20/2014 12:18 PM, Paul Hoffman wrote:
>>>> As an important note, you did not define "we" above. A few possible
> expansions would be:
>>>>
>>>> - The TLS WG, where this thread currently lives, does not get to
> define Web UI without a charter change.
>>>>
>>>> - The HTTPbis WG has not asked the TLS WG to take over this work,
> nor has it embraced anything like it.
>>>>
>>>> - The IETF doesn't do this kind of work as a whole body.
>>>>
>>>> - The IAB (of which none of us are part of the "we") might take the
> topic on and suggest ways which the IETF might do the work.
>>>
>>> yep, thanks for the clarification.  I actually meant "we" in the
> broad
>>> sense of "the community of people who care about making
> communications
>>> on the web more secure", which includes groups you didn't even
> mention
>>> above, like web site designers, systems administrators, etc.
>>>
>>> It's still on-topic here (despite the broad scope implied above)
> because
>>> the TLS WG does have a role to play, by considering the merits of
>>> proposals like http://tools.ietf.org/html/draft-thomson-tls-care, as
>>> well as considering alternatives that deal with this particular use
> case.
>>>
>>>>> option (A) is seriously hard, maybe impossible given the state of
> the
>>>>> web.  option (B) is terrible.
>>>>
>>>> Exactly right, for any value of "we".
>>>
>>> :(
>>>
>>>         --dkg
>>>
>>>> --
>> email: rstruik.ext@gmail.com | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email