On 2018-12-03 06:41, Michael Richardson wrote:
> 
> Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
>     > OK, thanks. I'm interested in another scenario too: one where the
>     > operator will not accept using a connection to the open Internet and
>     > therefore will not accept any real-time access to any MASA. As I've
>     > said for several years, this is a highly likely scenario in some types
>     > of network which insist on air-gap security or for some other reason do
>     > not trust a MASA (see Randy Bush's comments a few weeks ago,
>     > e.g. https://mailarchive.ietf.org/arch/msg/anima/rK_rlT3JH0AFGlS47XSRqQB2DJI ).
> 
>     > For such networks the only solution I can see is that all MASAs are
>     > replaced by a single OASA (Operator Authorized Signing Authority) that
>     > is configured and controlled by the operator. It handles the
>     > Registrar-MASA protocol and returns vouchers exactly like a MASA,
>     > except that it emphatically isn't on the global Internet. The OASA
>     > would procure a long-life voucher (normally from the relevant MASA, via
>     > a nonceless registrar voucher-request) when a device is purchased and
>     > added to inventory, and then deliver that voucher or a short-term
>     > voucher when a registrar needs it. Instead of using the MASA URL for
>     > each manufacturer, registrar-to-OASA connections all use a locally
>     > defined URL for the OASA. Otherwise the protocol is standard BRSKI.
> 
> So you are looking for a kind of transitivity in vouchers.
> The long-lived voucher points to an intermediary, and that intermediary can
> further delegate.  I originally described such a situation back in 2014.
> 
> This is from my bookmarks, I hope it's the right bookmark, as I'm writing
> this offline (above Torchwood):
> https://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00
> 
> Such a system also supports resale, with the caveat that the secondary
> vendors can potentially reassert their ownership!

Yes. If I'm not mistaken this would still work if the manufacturer
no longer exists and its private key has been destroyed. As I think
Randy Bush said, it's not OK if a device becomes unusable when that
happens. Basically we need transfer of ownership to mean transfer
of the ability to create a voucher.

> A different system, which I'm writing up now in response to the reviews, is
> that the original vendor supports replacing the IDevID.  This permits the
> first owner to change their root trust anchor to them.  They then become the
> MASA for the next owner.   This requires no new protocol mechanisms.
> 
> This permits a number of scenarios including:
>    1) resale without OEM permission
>    2) "off-line" MASA/OASA as you describe above.
>    3) ship-to-aggregator-and-forget
>    4) death of OEM.
> 
> However, it requires the device to go through an enrollment cycle prior to
> death of OEM, and it requires the OEM to permit the IDevID anchor to be
> replaced (and the replacement to persist through factory resets).
> It is not clear to me that many vendors will be willing to do this, however,

But then maybe people will refuse to buy their products.

> it is really the ultimate "root"ing of the device, and the OEM very
> clearly no longer has any warranty or liability if this is done.
> 
> There are some half-transfer mechanisms where one could consider if the LDevID
> is permitted to be used, leaving the IDevID also available.  This seems
> mechanically easy, but seems to open many issues.

I think all this needs to be explored in detail. Whether that is ANIMA
business is another question.

Thanks
    Brian
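The "OASA delivers the stored long-life voucher" option from the thread, written out as an added example (not code from this thread or from any BRSKI implementation). It assumes a constructed inventory keyed by serial-number holding MASA-issued, nonceless vouchers with RFC 8366 field names; the MASA's CMS signature is an opaque placeholder because the OASA never re-signs, it only stores and forwards, so the pledge keeps verifying against the manufacturer trust anchor even after the MASA is gone.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample inventory: one long-lived, nonceless voucher procured from
# the MASA (via a nonceless registrar voucher-request) when the device was bought.
# The OASA holds the voucher and its MASA signature verbatim and cannot mint new ones.
INVENTORY = {
    "JADA123456789": {
        "voucher": {"ietf-voucher:voucher": {
            "created-on": "2018-12-01T10:00:00Z",
            "expires-on": "2028-12-01T10:00:00Z",
            "assertion": "logged",
            "serial-number": "JADA123456789",
            "pinned-domain-cert": "BASE64-OPERATOR-DOMAIN-CA-CERT",  # constructed value
        }},
        "masa_signature": b"<opaque CMS SignedData produced by the MASA>",  # placeholder
    }
}

def parse_voucher_time(s: str) -> datetime:
    """RFC 8366 uses yang:date-and-time in UTC, e.g. 2018-12-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def oasa_handle_request(request: dict, operator_domain_cert: str,
                        now: Optional[datetime] = None) -> Tuple[int, dict]:
    """Serve a registrar voucher-request from local inventory, never from the Internet.
    Returns (status, body): 200 with the stored voucher + MASA signature, else 403/404."""
    now = now or datetime.now(timezone.utc)
    req = request["ietf-voucher-request:voucher"]
    entry = INVENTORY.get(req.get("serial-number", ""))
    if entry is None:
        return 404, {"error": "device not in operator inventory"}
    v = entry["voucher"]["ietf-voucher:voucher"]
    # Release only vouchers pinned to this operator's domain CA: a voucher pinned to
    # another domain would still be accepted by the pledge, enrolling it elsewhere.
    if v.get("pinned-domain-cert") != operator_domain_cert:
        return 403, {"error": "stored voucher is not pinned to this domain"}
    if "expires-on" in v and parse_voucher_time(v["expires-on"]) <= now:
        return 403, {"error": "stored voucher has expired; re-procure from the MASA"}
    # A nonceless voucher cannot echo the pledge's nonce; the registrar that chose the
    # OASA path already relies on the pledge accepting a nonceless voucher.
    return 200, {"voucher": entry["voucher"], "signature": entry["masa_signature"]}
```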

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
