>For most electronics equipment (pre-IoT) once you sold it your job as a
>manufacturer was basically done. You don't have to issue security
>patches for the keyboard or firmware upgrades to the monitor because
>the meaning of the wires in the VGA standard has changed out from under
>it.
>
>With anything connected to the Internet it seems the only thing that we
>can do is constantly be patching and fighting against the latest
>exploits of our protocols and implementations. Unless we are going to
>throw away all practical engineering and only use systems that are
>provably correct in a mathematics sense(*), that's probably how it is
>going to stay.
>
>There are several possible models that would be better: subscription,
>open systems (so a 3rd party can sell improvements & upgrades), and
>so on. Unfortunately nobody seems to care about these issues, since the
>vendors are making money by the fistful (a few pennies at a time) and
>policy makers take that as a sign that everything is fine.

Looking at this from a European perspective (regulations vary in
different parts of the world), you can expect the manufacturer to build a 
device that will work correctly for some period of time. I think the
European (default) minimum is 2 years.

So if the device develops a fault during that period, it has to be repaired
or replaced by the seller. Needless to say, security issues are manufacturing
defects that are not exempt from this.

If internet connected devices continue to do damage in the next years, it is
not unreasonable to expect that the manufacturers will at some point be forced
to pay for the damages caused by the abuse of those devices.

So part of selling a device that is intended to be connected to the internet is
to make sure that security issues can be patched.

At the same time, if a device stops working because of a DNS root KSK rollover,
then it's reasonable to demand that the seller makes it work again.

Of course, a manufacturer can choose whatever clumsy user interface is cheapest.

My preference for general-purpose, autonomous devices is that they check
whether firmware updates are available. That way the manufacturer can promptly
fix security issues, but it also allows for changes in key material, etc.
I think this is easy to do. There are some things you can't protect against
(signature keys leaking) but there are plenty of other accidents that happen
already.

I guess anybody can write a BCP for that device class; it doesn't even have
to be the IETF.

A more complex class is a device that should be able to bootstrap even if only
a limited part of the internet is reachable. For example after some kind of
disaster. That may require carefully documenting what protocols are used and in
what way, to reach a stable secure state.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
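The update mechanism the post argues for (a device that polls for signed firmware updates and can take on new key material through that same channel, as with a root KSK rollover) can be sketched in a few dozen lines. The following is an added example and not code from the original post, from the IETF, or from any vendor: the manifest format, the field names, the sample firmware bytes and the hypothetical device trust store are all invented here; only Ed25519 and SHA-256 from the Go standard library are real. It shows the three checks a practitioner wants in the device (trusted signer, valid signature, anti-rollback) plus enrolling a successor key and revoking the old one, and why the signed bytes must be unambiguous (a length prefix on each optional key, so 32 bytes cannot be moved from the "enrol" slot to the "revoke" slot while the signature still verifies). As the post notes, a leaked signing key is not fully covered: revocation here only works while some other trusted key survives to sign the revocation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest invented for this example; no
// vendor or IETF document defines it. NewKey optionally enrols the next signing
// key and Revoke optionally drops one, so key material rolls over the same
// signed channel as the firmware.
type Manifest struct {
	Version uint32            // must increase monotonically (anti-rollback)
	Image   []byte            // firmware image; constructed sample bytes below
	NewKey  ed25519.PublicKey // successor key to enrol, nil if none
	Revoke  ed25519.PublicKey // key to remove from the trust store, nil if none
	Signer  ed25519.PublicKey // trusted key that produced Sig
	Sig     []byte
}

// signedBytes is what Signer signs. Each optional key is length-prefixed so a
// manifest cannot be reinterpreted by moving the same 32 bytes from NewKey to
// Revoke while the signature still verifies.
func (m *Manifest) signedBytes() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, m.Version)
	sum := sha256.Sum256(m.Image)
	buf.Write(sum[:])
	for _, k := range [][]byte{m.NewKey, m.Revoke} {
		buf.WriteByte(byte(len(k)))
		buf.Write(k)
	}
	return buf.Bytes()
}

// SignManifest is the vendor side: it fills in Signer and Sig.
func SignManifest(priv ed25519.PrivateKey, m *Manifest) {
	m.Signer = priv.Public().(ed25519.PublicKey)
	m.Sig = ed25519.Sign(priv, m.signedBytes())
}

// Device is the firmware's view: a trust store and the installed version.
type Device struct {
	Trusted map[string]ed25519.PublicKey
	Version uint32
}

func NewDevice(anchor ed25519.PublicKey) *Device {
	return &Device{Trusted: map[string]ed25519.PublicKey{string(anchor): anchor}, Version: 1}
}

var (
	ErrUntrustedSigner = errors.New("manifest signer is not a trusted key")
	ErrBadSignature    = errors.New("manifest signature does not verify")
	ErrRollback        = errors.New("manifest version is not newer than installed")
)

// Apply verifies the manifest and changes device state only if every check
// passes; the signature is checked before any field is acted on.
func (d *Device) Apply(m *Manifest) error {
	if _, ok := d.Trusted[string(m.Signer)]; !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(m.Signer, m.signedBytes(), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	d.Version = m.Version
	if len(m.NewKey) == ed25519.PublicKeySize {
		d.Trusted[string(m.NewKey)] = m.NewKey
	}
	if len(m.Revoke) == ed25519.PublicKeySize {
		delete(d.Trusted, string(m.Revoke))
	}
	return nil
}

// Scenario walks one rollover: key A ships in the device, a manifest signed by
// A enrols B, a manifest signed by B revokes A. Returns nil when every
// accept/reject decision is the expected one.
func Scenario() error {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	dev := NewDevice(pubA)
	v2 := &Manifest{Version: 2, Image: []byte("fw-2 (constructed)"), NewKey: pubB}
	SignManifest(privA, v2)
	if err := dev.Apply(v2); err != nil {
		return fmt.Errorf("v2 enrolling B: %w", err)
	}
	v3 := &Manifest{Version: 3, Image: []byte("fw-3 (constructed)"), Revoke: pubA}
	SignManifest(privB, v3)
	tampered := *v3 // same signature, different image
	tampered.Image = []byte("fw-3 backdoored (constructed)")
	if err := dev.Apply(&tampered); !errors.Is(err, ErrBadSignature) {
		return fmt.Errorf("tampered image: got %v", err)
	}
	if err := dev.Apply(v3); err != nil {
		return fmt.Errorf("v3 revoking A: %w", err)
	}
	if err := dev.Apply(v3); !errors.Is(err, ErrRollback) {
		return fmt.Errorf("replayed v3: got %v", err)
	}
	v4 := &Manifest{Version: 4, Image: []byte("fw-4 (constructed)")}
	SignManifest(privA, v4) // A has been revoked by v3
	if err := dev.Apply(v4); !errors.Is(err, ErrUntrustedSigner) {
		return fmt.Errorf("revoked key A: got %v", err)
	}
	return nil
}

func main() {
	if err := Scenario(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("rollover scenario behaved as expected")
}
```

The order of checks in Apply is deliberate: the signer is looked up and the signature verified before the version or the key fields are interpreted, so an unsigned manifest can never move the version counter or touch the trust store. The disaster-bootstrap case the post raises at the end is not covered here; this example assumes the device can already fetch the manifest.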