7) Validity of certificates:  
<https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-iot-device-certificates>

>> I disagree with short validity.

If the certificate is restricted to local domain names only, I suggest allowing 
validity up to 10 years.

HOWEVER, if local certificates should be accepted by browsers as root, THEN 
there must be a mechanism, similar to DNS Rebinding protection, that prohibits 
an external site (one that is not an RFC 1918 IP or a local resource) or a resource 
received externally (for example an email) from hyperlinking or redirecting to 
a .local resource, a private, loopback or local IP, or an mDNS resource.

Along the same lines, I see that reuse of key material, mentioned in 4.11, is no 
problem, as long as key material is NEVER reused across multiple devices 
(eDellSupport and such).

If key material is reused among the same user only (same local network), I see 
no risks.

4.9 and 3.3 solve any issues that may exist with attacks, since each root 
certificate will only recognize whatever exists on the very same local network.

Since the device SHOULD regenerate its certificate (4.5) when a “factory reset” is 
done, a device which changes owner (through being sold on a marketplace as a used 
product) will not pose a security risk.

It could be good to impose a rule that an IoT device should, on each power 
up:

Set a flag “NeverConnected = true”.

Do the power-up connection.

If a connection to a network for which it owns a certificate is found, then 
“NeverConnected” should be set to false.

IF a pairing of a new user is done to the device, AND the pairing is not done 
through an existing user (pairing done with a button or similar) – AND 
“NeverConnected” is set to true, then it should do an automatic factory reset, 
or require a factory reset.

However, if a new user is paired into the device through an old user, there is 
clear evidence the device is still possessed by the old user, and it does not 
make sense to reset the device otherwise.

This ultimately protects a device which changes hands to a new user from any 
malicious attacks, even by the previous user, even if the new user does NOT 
factory reset the device.

Best regards, Sebastian Nielsen

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
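The power-up flag and pairing rule proposed in the message above, modelled as an added example (editor's code, not the author's or the draft's) so that the "resold device" and "same owner" cases can be traced; device, network and user names are constructed placeholders.

```python
# Added example: a model of the proposed "NeverConnected" rule.
# Network and user names below are constructed placeholders.
from dataclasses import dataclass, field

@dataclass
class IoTDevice:
    certified_networks: set = field(default_factory=set)  # networks we hold a local cert for
    paired_users: set = field(default_factory=set)
    never_connected: bool = True
    cert_generation: int = 0  # incremented when a factory reset regenerates the cert (4.5)

    def power_up(self, visible_networks):
        """Raise the flag, attempt connection, and clear the flag only if a
        network for which the device owns a certificate is actually seen."""
        self.never_connected = True
        if self.certified_networks & set(visible_networks):
            self.never_connected = False

    def factory_reset(self):
        self.certified_networks.clear()
        self.paired_users.clear()
        self.cert_generation += 1
        self.never_connected = True

    def pair(self, new_user, via_user=None):
        """Return 'reset' if the rule forced a factory reset before pairing,
        else 'paired'. via_user is an already paired user sponsoring the new
        one; None means out-of-band pairing (button press or similar)."""
        if via_user is not None and via_user in self.paired_users:
            self.paired_users.add(new_user)  # existing user vouches: no reset
            return "paired"
        if self.never_connected:
            # Button pairing on a device that found no known network is treated
            # as a change of hands: wipe the previous owner's state first.
            self.factory_reset()
            self.paired_users.add(new_user)
            return "reset"
        self.paired_users.add(new_user)
        return "paired"

def resold_device_scenario():
    dev = IoTDevice({"home-a"}, {"alice"})
    dev.power_up(["home-b"])          # new owner's network, no matching cert
    outcome = dev.pair("bob")         # button pairing by the new owner
    return outcome, "alice" in dev.paired_users, dev.cert_generation

def same_owner_scenario():
    dev = IoTDevice({"home-a"}, {"alice"})
    dev.power_up(["home-a"])          # known network seen, flag cleared
    return dev.pair("guest"), dev.pair("carol", via_user="alice"), dev.cert_generation
```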
