On 20/02/2018 08:15, Michael Richardson wrote:
> 
> Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
>     >> problem 1.
>     Anoop> The major problem with the procedure is that the registrar doesn’t
>     Anoop> verify the manufacturer.
>     >> 
>     >> To translate, the JRC has no obvious way to verify that the "MI" key belongs
>     >> to the manufacturer that they care about.
>     >> 
>     >> You actually hit the major reason this is not a problem when you assume:
>     >> > assuming the registrar can’t know all the manufacturers exhaustively
>     >> 
>     >> We assume that in a managed network that the JRC *can* know all the
>     >> legitimate manufacturers.  The keys can come from sales channel integration
>     >> (via digital "packing slips" perhaps), can be manually loaded by humans, be
>     >> scanned from QR codes on the box, etc.  We believe that this is out of scope.
> 
>     > Yes, but please ensure that the draft states this assumption and states
>     > that how it is achieved is out of scope.
> 
>     > Also note the air-gap case described in section 6.3 bullet 3. That's listed
>     > as a security reduction, but if your threat model considers rogue MASAs
>     > to be a real risk, pre-loading vouchers and then totally disconnecting from
>     > the Internet might even be considered a security improvement.
> 
> 
> I agree that there should be another Security Considerations section.
> Should we also say something in the Introduction?

I think Security Considerations is fine for this point.

   Brian

> 
> https://github.com/anima-wg/anima-bootstrap/issues/43
> 
> 
> 
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
> 
