Brian E Carpenter <[email protected]> wrote:
    > OK, thanks. I'm interested in another scenario too: one where the
    > operator will not accept using a connection to the open Internet and
    > therefore will not accept any real-time access to any MASA. As I've
    > said for several years, this is a highly likely scenario in some types
    > of network which insist on air-gap security or for some other reason do
    > not trust a MASA (see Randy Bush's comments a few weeks ago,
    > e.g. https://mailarchive.ietf.org/arch/msg/anima/rK_rlT3JH0AFGlS47XSRqQB2DJI ).

    > For such networks the only solution I can see is that all MASAs are
    > replaced by a single OASA (Operator Authorized Signing Authority) that
    > is configured and controlled by the operator. It handles the
    > Registrar-MASA protocol and returns vouchers exactly like a MASA,
    > except that it emphatically isn't on the global Internet. The OASA
    > would procure a long-life voucher (normally from the relevant MASA, via
    > a nonceless registrar voucher-request) when a device is purchased and
    > added to inventory, and then deliver that voucher or a short-term
    > voucher when a registrar needs it. Instead of using the MASA URL for
    > each manufacturer, registrar-to-OASA connections all use a locally
    > defined URL for the OASA. Otherwise the protocol is standard BRSKI.

So you are looking for a kind of transitivity in vouchers.
The long-lived voucher points to an intermediary, and that intermediary can
further delegate.  I originally described such a situation back in 2014.

This is from my bookmarks, I hope it's the right bookmark, as I'm writing
this offline (above Torchwood):
  
https://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00

Such a system also supports resale, with the caveat that the secondary
vendors can potentially reassert their ownership!

A different system, which I'm writing up now in response to the reviews, is
that the original vendor supports replacing the IDevID.  This permits the
first owner to change their root trust anchor to them.  They then become the
MASA for the next owner.   This requires no new protocol mechanisms.

This permits a number of scenarios including:
   1) resale without OEM permission
   2) "off-line" MASA/OASA as you describe above.
   3) ship-to-aggregator-and-forget
   4) death of OEM.

However, it requires the device to go through an enrollment cycle prior to
death of OEM, and it requires the OEM to permit the IDevID anchor to be
replaced (and the replacement to persist through factory resets).
It is not clear to me that many vendors will be willing to do this; however,
it is really the ultimate "root"ing of the device, and the OEM very
clearly no longer has any warranty or liability if this is done.

There are some half-transfer mechanisms where one could consider if the LDevID
is permitted to be used, leaving the IDevID also available.  This seems
mechanically easy, but seems to open many issues.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
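The voucher "transitivity" discussed above (a long-lived MASA voucher that pins an operator-controlled intermediary, which then issues short-lived vouchers to registrars, with the pledge walking the chain from its built-in anchor) can be sketched in a few lines. The model below is an added example, not code from this thread or from any IETF or ANIMA implementation. It assumes the RFC 8366 voucher field names, replaces the CMS signature of a real voucher with an HMAC over canonical JSON (a stand-in chosen only so the example runs on the standard library), and uses constructed keys, serial numbers and nonces. The delegation step itself is the scenario the thread describes, not a mechanism RFC 8995 defines.

```python
"""Model of delegated BRSKI vouchers: MASA -> intermediary (OASA) -> registrar.

Added example, not part of the original message and not IETF/ANIMA code.
Assumptions: RFC 8366 field names; HMAC over canonical JSON stands in for
CMS signing; party names ("masa", "oasa", "registrar", "reseller") stand in
for the certificates a real voucher would carry. All values are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed secrets standing in for each party's signing key (assumption).
KEYS = {
    "masa": b"constructed-masa-key",
    "oasa": b"constructed-oasa-key",
    "registrar": b"constructed-registrar-key",
    "reseller": b"constructed-reseller-key",
}


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(signer, body):
    """Wrap a voucher body with an HMAC tag (stand-in for a CMS signature)."""
    tag = hmac.new(KEYS[signer], _canonical(body), hashlib.sha256).hexdigest()
    return {"ietf-voucher:voucher": body, "sig": tag}


def _verify(signed, expected_signer):
    """True only if the body was signed with the key of expected_signer."""
    if expected_signer not in KEYS:
        return False
    tag = hmac.new(KEYS[expected_signer], _canonical(signed["ietf-voucher:voucher"]),
                   hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, signed["sig"])


def masa_issue_long_lived(serial, intermediary, now):
    """MASA issues a nonceless, long-lived voucher at purchase time, pinning
    the operator's intermediary rather than a registrar domain."""
    body = {
        "created-on": now.isoformat(),
        "expires-on": (now + timedelta(days=365)).isoformat(),
        "assertion": "verified",
        "serial-number": serial,
        "pinned-domain-cert": intermediary,
    }
    return _sign("masa", body)


def issue_short_term(signer, long_lived, request, now):
    """The pinned intermediary answers a registrar voucher-request with a
    short-lived voucher that echoes the nonce and pins the registrar's domain.
    The long-lived MASA voucher travels along as the chain."""
    body = {
        "created-on": now.isoformat(),
        "expires-on": (now + timedelta(hours=1)).isoformat(),
        "assertion": "proximity",
        "serial-number": request["serial-number"],
        "nonce": request["nonce"],
        "pinned-domain-cert": request["registrar-domain-cert"],
    }
    return {"voucher": _sign(signer, body), "chain": long_lived}


def pledge_validate(delegated, trust_anchor, serial, nonce, now):
    """Pledge checks the chain from its built-in anchor outward.
    Returns (True, domain_to_trust) or (False, reason)."""
    chain = delegated["chain"]
    if not _verify(chain, trust_anchor):
        return (False, "chain voucher not signed by trust anchor")
    chain_body = chain["ietf-voucher:voucher"]
    if chain_body["serial-number"] != serial:
        return (False, "chain voucher is for another device")
    if now > datetime.fromisoformat(chain_body["expires-on"]):
        return (False, "chain voucher expired")
    inner = delegated["voucher"]
    # The signer the pledge expects is whoever the MASA voucher pinned.
    if not _verify(inner, chain_body["pinned-domain-cert"]):
        return (False, "voucher not signed by the pinned intermediary")
    body = inner["ietf-voucher:voucher"]
    if body["serial-number"] != serial:
        return (False, "voucher is for another device")
    if body.get("nonce") != nonce:
        return (False, "nonce mismatch")
    if now > datetime.fromisoformat(body["expires-on"]):
        return (False, "voucher expired")
    return (True, body["pinned-domain-cert"])


def run_scenarios():
    """Constructed end-to-end walk-through; returns each outcome by name."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    serial = "constructed-serial-0001"
    long_lived = masa_issue_long_lived(serial, "oasa", now)
    request = {"serial-number": serial, "nonce": "constructed-nonce-1",
               "registrar-domain-cert": "registrar"}
    issued_at = now + timedelta(days=30)
    delegated = issue_short_term("oasa", long_lived, request, issued_at)
    later = issued_at + timedelta(minutes=5)
    results = {
        "good": pledge_validate(delegated, "masa", serial, "constructed-nonce-1", later),
        "wrong_nonce": pledge_validate(delegated, "masa", serial, "other-nonce", later),
        "expired": pledge_validate(delegated, "masa", serial, "constructed-nonce-1",
                                   later + timedelta(hours=2)),
    }
    # Changing the pinned domain in transit breaks the intermediary's signature.
    tampered = json.loads(json.dumps(delegated))
    tampered["voucher"]["ietf-voucher:voucher"]["pinned-domain-cert"] = "attacker"
    results["tampered"] = pledge_validate(tampered, "masa", serial, "constructed-nonce-1", later)
    # The caveat from the thread: the pledge's anchor is still the MASA, so the
    # MASA can later pin a different party and the pledge will accept that too.
    reassert = masa_issue_long_lived(serial, "reseller", later)
    resold = issue_short_term("reseller", reassert, {
        "serial-number": serial, "nonce": "constructed-nonce-2",
        "registrar-domain-cert": "reseller-domain"}, later)
    results["reasserted"] = pledge_validate(resold, "masa", serial, "constructed-nonce-2",
                                            later + timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the "secondary vendors can reassert ownership" caveat in code form: nothing in the chain stops the party holding the pledge's anchor from pinning someone else later, which is why the thread moves on to replacing the IDevID anchor itself.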

