Christian Huitema <[email protected]> wrote:
>> I think people need to go and read draft-ietf-netconf-zerotouch
>> and draft-ietf-anima-bootstrapping-keyinfra.
> Another useful draft is draft-winfaa-intarea-broadcast-consider. It was
> precisely motivated by the use of unique identifiers in device specific
> broadcast protocols. UUIDs kind of fall in that category.
>> Then explain how we
>> could ever bootstrap a trustworthy network without some sort of
>> unique bitstring per device (in practice, an 802.1AR-2009 X.509
>> initial device identifier installed by the manufacturer).
>>
>> That doesn't mean it needs to be visible in clear after bootstrap.
> It also does not mean that the identifiers should be sent in clear
> text...
I'd love to find a way to send the identifier only to an authorized operator,
which is resistant to an active MITM, given that the new device (the pledge)
doesn't know who the authorized operator is yet.
Encrypting it via a not-yet-fully authenticated TLS1.3 connection is easy.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
