Hello Michael, Thank you for your explanation.
I think I can rewrite some sentences in the security considerations. Please tell me whether the following text is correct or not.

   It is highly recommended to conduct mutual authentication between the network and the device intending to join it. The authentication can be accomplished with the help of certificates or pre-shared keys [I-D.ietf-6tisch-minimal-security] provisioned by the operator at the deployment site. Alternatively, the certificates could be provisioned by the manufacturer or the vendor before shipment, and in this case the authentication can be accomplished with the help of a MASA service on the Internet [dtsecurity-zerotouch-join].

Best regards.
Remy

-----Original Message-----
From: Michael Richardson [mailto:[email protected]]
Sent: May 21, 2020 23:00
To: Liubing (Remy) <[email protected]>; [email protected]; Carles Gomez Montenegro <[email protected]>
Subject: Re: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt

Liubing (Remy) <[email protected]> wrote:
    > Is the following understanding correct? The difference between the
    > "one-touch" and the "zero-touch" methods is whether the key or
    > certificate is provisioned by the manufacturer or by the operator at
    > the deployment site. As long as the key/IDevID/certificate is
    > provisioned before the device goes out of the factory, i.e., the
    > operator doesn't have to provision/touch it on site to get it to securely
    > join the network, it can be considered "zero-touch".

Yes, that's correct. The touches by the manufacturer and/or a VAR don't count.
Or to put it another way, it's the number of touches by the operator that count.

A further characteristic MAY be that it doesn't matter which unit is shipped to which customer from the warehouse.
(There seem to be use cases in transportation and manufacturing where it matters due to contractual warranty issues. I think because refurbished devices may mingle with brand-new devices in the warehouse. This is less interesting for enterprise routers and more relevant for train braking systems.)

    > Even though the pledge ID is given privately by the manufacturer, and
    > not as per 802.1AR, the dtsecurity-zerotouch-join method can be
    > implemented by using the MASA provided by the manufacturer? Is the
    > dtsecurity-zerotouch-join method aimed at a scenario in which a
    > certificate can't be provisioned a priori?

dtsecurity-zerotouch-join assumes a certificate provisioned prior to deployment.
So I can't agree with the last sentence.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
6lo mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lo
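An added illustration of the point the proposed security-considerations text makes, namely that authentication must be mutual: the joining device proves knowledge of the operator-provisioned pre-shared key to the network, and the network proves it to the device, before either side accepts the other. This is example code written for this page, not code from the draft, from 6tisch-minimal-security (which runs over CoAP/OSCORE), or from anyone on the thread. The four-message challenge-response layout, the role labels "network" and "device", the 16-byte key and nonce sizes, and the class and function names are all assumptions made for the example.

```python
"""Mutual challenge-response authentication over a pre-shared key (PSK).

Illustration only: the message layout and role labels are assumptions,
not the 6tisch-minimal-security or zero-touch join protocol.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 16    # bytes; assumed size of the operator-provisioned PSK
NONCE_LEN = 16  # bytes; assumed size of each side's fresh nonce


def _mac(psk: bytes, role: bytes, nonce_d: bytes, nonce_n: bytes) -> bytes:
    # Binding both nonces and the role label defeats replay and reflection:
    # a MAC computed for the "network" role can never pass as a "device" MAC.
    return hmac.new(psk, role + nonce_d + nonce_n, hashlib.sha256).digest()


class Device:
    """The pledge: it only proves itself after the network has proven itself."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.nonce = b""
        self.accepted_network = False

    def hello(self) -> bytes:
        # Step 1, device -> network: a fresh device nonce.
        self.nonce = os.urandom(NONCE_LEN)
        return self.nonce

    def finish(self, nonce_n: bytes, proof_n: bytes) -> Optional[bytes]:
        # Step 3: verify the network's proof first; abort silently on failure
        # so a rogue network never obtains a device proof to work with.
        expected = _mac(self.psk, b"network", self.nonce, nonce_n)
        if not hmac.compare_digest(expected, proof_n):
            return None
        self.accepted_network = True
        return _mac(self.psk, b"device", self.nonce, nonce_n)


class Network:
    """The join proxy/registrar side holding the same PSK."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.nonce = b""
        self.nonce_d = b""
        self.accepted_device = False

    def challenge(self, nonce_d: bytes) -> Tuple[bytes, bytes]:
        # Step 2, network -> device: a fresh network nonce plus a proof
        # over both nonces, so the device can authenticate the network.
        self.nonce_d = nonce_d
        self.nonce = os.urandom(NONCE_LEN)
        return self.nonce, _mac(self.psk, b"network", nonce_d, self.nonce)

    def verify(self, proof_d: Optional[bytes]) -> bool:
        # Step 4: the network checks the device's proof over the same nonces.
        if proof_d is None:
            return False
        expected = _mac(self.psk, b"device", self.nonce_d, self.nonce)
        self.accepted_device = hmac.compare_digest(expected, proof_d)
        return self.accepted_device


def run_join(device_psk: bytes, network_psk: bytes) -> Tuple[bool, bool]:
    """Run the exchange; return (device accepted network, network accepted device)."""
    dev, net = Device(device_psk), Network(network_psk)
    nonce_d = dev.hello()
    nonce_n, proof_n = net.challenge(nonce_d)
    proof_d = dev.finish(nonce_n, proof_n)
    net.verify(proof_d)
    return dev.accepted_network, net.accepted_device


if __name__ == "__main__":
    psk = os.urandom(KEY_LEN)  # constructed: stands in for the provisioned PSK
    print(run_join(psk, psk))                  # (True, True)
    print(run_join(psk, os.urandom(KEY_LEN)))  # (False, False): rogue network
```

Run with matching keys the exchange succeeds on both sides; with a mismatched key (a rogue network, or a device provisioned for some other deployment) the device aborts at step 3 and the network never sees a device proof, which is the property one-sided authentication would not give.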
