On 2018-12-03 06:41, Michael Richardson wrote:
>
> Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
> > OK, thanks. I'm interested in another scenario too: one where the
> > operator will not accept using a connection to the open Internet and
> > therefore will not accept any real-time access to any MASA. As I've
> > said for several years, this is a highly likely scenario in some types
> > of network which insist on air-gap security or for some other reason do
> > not trust a MASA (see Randy Bush's comments a few weeks ago, e.g.
> > https://mailarchive.ietf.org/arch/msg/anima/rK_rlT3JH0AFGlS47XSRqQB2DJI ).
> >
> > For such networks the only solution I can see is that all MASAs are
> > replaced by a single OASA (Operator Authorized Signing Authority) that
> > is configured and controlled by the operator. It handles the
> > Registrar-MASA protocol and returns vouchers exactly like a MASA,
> > except that it emphatically isn't on the global Internet. The OASA
> > would procure a long-life voucher (normally from the relevant MASA, via
> > a nonceless registrar voucher-request) when a device is purchased and
> > added to inventory, and then deliver that voucher or a short-term
> > voucher when a registrar needs it. Instead of using the MASA URL for
> > each manufacturer, registrar-to-OASA connections all use a locally
> > defined URL for the OASA. Otherwise the protocol is standard BRSKI.
>
> So you are looking for a kind of transitivity in vouchers.
> The long-lived voucher points to an intermediary, and that intermediary can
> further delegate. I originally described such a situation back in 2014.
>
> This is from my bookmarks, I hope it's the right bookmark, as I'm writing
> this offline (above Torchwood):
>
> https://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00
>
> Such a system also supports resale, with the caveat that the secondary
> vendors can potentially reassert their ownership!
Yes. If I'm not mistaken this would still work if the manufacturer no longer
exists and its private key has been destroyed. As I think Randy Bush said,
it's not OK if a device becomes unusable when that happens. Basically we need
transfer of ownership to mean transfer of the ability to create a voucher.

> A different system, which I'm writing up now in response to the reviews, is
> that the original vendor supports replacing the IDevID. This permits the
> first owner to change their root trust anchor to them. They then become the
> MASA for the next owner. This requires no new protocol mechanisms.
>
> This permits a number of scenarios including:
> 1) resale without OEM permission
> 2) "off-line" MASA/OASA as you describe above.
> 3) ship-to-aggregator-and-forget
> 4) death of OEM.
>
> However, it requires the device to go through an enrollment cycle prior to
> death of OEM, and it requires the OEM to permit the IDevID anchor to be
> replaced (and the replacement to persist through factory resets).
> It is not clear to me that many vendors will be willing to do this, however,

But then maybe people will refuse to buy their products.

> it is really the ultimate "root"ing of the device, and the OEM very
> clearly no longer has any warranty or liability if this is done.
>
> There are some half-transfer mechanisms where one could consider if the LDevID
> is permitted to be used, leaving the IDevID also available. This seems
> mechanically easy, but seems to open many issues.

I think all this needs to be explored in detail. Whether that is ANIMA
business is another question.

Thanks
   Brian

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
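The OASA inventory flow Brian sketches above (procure a nonceless long-life voucher from the MASA when a device is bought, serve it to the registrar later with no MASA contact, and let the pledge validate it), modelled as an added Python example that is not from the thread or from any BRSKI implementation. The HMAC "signature", the MASA key, the domain-cert string and the serial numbers are constructed stand-ins for CMS signing and real certificates; the voucher field names follow RFC 8366.

```python
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone

# Constructed stand-ins: the MASA's signing key and the operator's domain cert.
MASA_KEY = b"constructed-masa-signing-key"
OPERATOR_DOMAIN_CERT = "constructed-operator-domain-cert"

def ts(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def sign(voucher, key):
    # Real vouchers are CMS-signed JSON (RFC 8366); HMAC-SHA256 stands in for that here.
    body = json.dumps(voucher, sort_keys=True).encode()
    return {"voucher": voucher, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def masa_issue(serial, domain_cert, now, lifetime_days, nonce=None):
    # Nonceless voucher-request: the MASA pins the operator's domain cert and sets a long expiry.
    v = {"serial-number": serial, "assertion": "logged", "created-on": now.isoformat(),
         "expires-on": (now + timedelta(days=lifetime_days)).isoformat(),
         "pinned-domain-cert": domain_cert}
    if nonce is not None:
        v["nonce"] = nonce
    return sign(v, MASA_KEY)

class OASA:
    """Operator-run store: fetches a long-life voucher at purchase, serves it later offline."""
    def __init__(self):
        self.inventory = {}
    def add_to_inventory(self, serial, now):
        # The one step that needs the MASA: done once, when the device is bought.
        self.inventory[serial] = masa_issue(serial, OPERATOR_DOMAIN_CERT, now, 3650)
    def request_voucher(self, serial, registrar_domain_cert):
        # Registrar-to-OASA request with no MASA contact; only the pinned domain is served.
        sv = self.inventory.get(serial)
        if sv is None or sv["voucher"]["pinned-domain-cert"] != registrar_domain_cert:
            return None
        return sv

def pledge_validate(signed, serial, registrar_domain_cert, now, nonce=None):
    # Pledge-side checks: MASA signature, serial, pinned domain, expiry, nonce if one was sent.
    v = signed["voucher"]
    if not hmac.compare_digest(sign(v, MASA_KEY)["sig"], signed["sig"]):
        return "bad-signature"
    if v["serial-number"] != serial or v["pinned-domain-cert"] != registrar_domain_cert:
        return "wrong-device-or-domain"
    if "expires-on" in v and datetime.fromisoformat(v["expires-on"]) <= now:
        return "expired"  # a nonceless voucher is only as safe as its expiry window
    if "nonce" in v and v["nonce"] != nonce:
        return "nonce-mismatch"
    return "ok"
```

Note that the OASA here only relays what the MASA signed; issuing its own short-term vouchers would require the pledge to trust an operator key, which is the transitivity question the thread leaves open.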