On 2018-10-03 11:53, Michael Richardson wrote:
> 
> Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
>     > If I had my wishes, the MASA would be optional, with a local voucher
>     > store in the registrar as the alternative. But that wasn't the WG
>     > consensus.
> 
> So you speak of non-expiring nonceless vouchers with wildcard for the domain
> owner, that would come with the device?  I.e. a bearer voucher/token on a QR 
> code.
> 
> We decided that such a thing was fraught with issues.
> 
> So we painted around it, and declared that version out of scope for now,
> because we didn't think we were smart enough to figure out the security
> implications of it. (We did this in RFC8366, btw)
> 
> In particular, we did not think it had a place in the medium to high-value
> devices that we expect ANIMA ACP BRSKI to deal with.
> [i.e. routers, VM hosts, NAS boxes... not light bulbs]

There are issues with not doing it too. I think the thing right now is that
the draft doesn't explain itself properly, hence this discussion.

I'm still gnawing on my original bone: if I was running a highly secure,
personnel-safety-critical network, like the particle accelerator control
network I used to run for a living, I *would not* allow it to rely on
masa.vendor.com, and it would be physically impossible to do so because
there would be no physical link anyway. I would get my vouchers some
other way. This is not light bulbs either.

I believe this can be fixed by clearer scoping of the document, and
by renaming the "lower security" section as "alternative trust models"
or something.

   Brian

> I think that there are better ways to deal with a bearer voucher,
> and that a layer of intermediation would help with the issues possible
> with a bearer token.  This may suit a "ship and mostly forget" situation,
> but I also think it's squarely an IoT application, rather than appropriate
> for BFRs.
> 
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
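The distinction the thread turns on (a nonced, short-lived voucher fetched online versus a nonceless, non-expiring "bearer" voucher that ships with the device) comes down to which RFC 8366 fields are present and what local policy does about their absence. The following is an added example, not code from the thread, from RFC 8366 or from any BRSKI implementation; the voucher contents, the `allow_bearer` switch and the policy it enforces are constructed assumptions:

```python
import json
from datetime import datetime, timezone

# Constructed sample vouchers (not from the thread or any vendor), in the
# RFC 8366 JSON form. The first is the "bearer" style: no nonce and no
# expires-on, so whoever holds it can present it at any time.
BEARER_VOUCHER = json.dumps({"ietf-voucher:voucher": {
    "created-on": "2018-10-01T00:00:00Z",
    "assertion": "logged",
    "serial-number": "JADA123456789",
    "pinned-domain-cert": "<base64 domain CA cert, placeholder>",
}})
# The second is the online style: bound to a pledge nonce and short-lived.
NONCED_VOUCHER = json.dumps({"ietf-voucher:voucher": {
    "created-on": "2018-10-03T11:00:00Z",
    "expires-on": "2018-10-03T12:00:00Z",
    "assertion": "verified",
    "serial-number": "JADA123456789",
    "nonce": "YWJjZDEyMzQ=",
    "pinned-domain-cert": "<base64 domain CA cert, placeholder>",
}})

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_voucher(voucher_json, pledge_serial, pledge_nonce, now=None, allow_bearer=False):
    """Policy check applied after the CMS signature has been verified (assumed done
    elsewhere). Returns (accepted, reason). 'now' is an ISO-8601 'Z' string or None."""
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    v = json.loads(voucher_json)["ietf-voucher:voucher"]
    if v.get("serial-number") != pledge_serial:
        return False, "serial-number does not match this pledge"
    if not v.get("pinned-domain-cert"):
        return False, "no pinned-domain-cert to anchor the domain"
    expires = v.get("expires-on")
    if expires is not None and _ts(expires) < now_dt:
        return False, "voucher expired"
    nonce = v.get("nonce")
    if nonce is not None:
        # Nonced voucher: freshness comes from the nonce the pledge itself generated.
        if nonce != pledge_nonce:
            return False, "nonce mismatch"
        return True, "nonced voucher accepted"
    if expires is None and not allow_bearer:
        # Nonceless and never-expiring: effectively a bearer token. Refused unless the
        # operator has explicitly opted into that trust model (assumed local policy).
        return False, "nonceless, non-expiring voucher refused by policy"
    return True, "nonceless voucher accepted by local policy"
```

Nothing here replaces signature verification over the voucher or the pledge's IDevID check; it only makes the "which trust model are we in" decision explicit instead of implicit.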

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima