On 30.05.21 00:20, Michael Richardson wrote:
Eliot Lear <[email protected]> wrote:
     > So this raises an interesting question, which is probably more
     > appropriate for RATS.  What information should be shared with whom and
     > how?  The voucher is shipped in the clear without much prompting.

How so in the clear?
It's DNS-ID or pinned TLS from Registrar to MASA (which is across the Internet).
Getting a voucher requires a voucher-request, signed by the device.
That could be obtained by a malicious registrar, true, but that requires
on-link-ish access to the device.

Sorry, let me restate: it's not that the voucher or request is not encrypted, but rather that the voucher-request is received by a party that may not be authorized to onboard that client.  The client doesn't know that until it sees the response from the MASA.  Therefore, whatever information it reveals should be minimized at this point in the transaction.  Once the device has installed a trust anchor, then it has at least some reason to trust the other party with what its designers may view as more sensitive information.


     > There are different views about how sensitive software inventory is.
     > This is why the draft doesn't take a position on the subject, other
     > than to allow for the notion that some requests *may* need to be
     > authenticated.

I agree that this is the right approach for the document to take.
I'm expressing the view that it's fundamentally security through obscurity.

Fair enough, but I posit a world in which the attacker has at its disposal a bag of tricks that is indexed by RATS evidence, and a limited window of time to apply those tricks.  In that sense, a little bit of security through obscurity might prevent some break-ins.  Not that it's an excuse to not fix those vulnerabilities, of course, but simply a bit of defense in depth.

Eliot


