> On 13 Jul 2019, at 17:10, Michael Richardson <[email protected]> wrote:
>
> Signed PGP part
>
> Eliot Lear <[email protected]> wrote:
>> I think the simplest way to address the bulk of both Adam's and
>> Warren's concern is to require the device to emit via whatever
>> management interface exists, upon request, a voucher that it has signed
>> with its own iDevID. It would have to be nonceless with perhaps a long
>> expiry, and that would cover a number of other use cases as well. That
>> way if the manufacturer goes out of business, or if the owner wants to
>> transfer the device without manufacturer consent, there is a way
>> forward.
>
> 1) would it have a pinned-domain-cert for the new owner, or would it be
> some kind of wildcard/bearer voucher?

Again, I think this is a matter for the seller, and also a matter for the seller as to when the voucher is generated, so that it doesn't need to lie around. I was also thinking that this would be the sort of thing that could be printed out, either in a QR or OCR form, if necessary.

> 2) what would the management interface be, specifically, how would it be
> secured?

The reason I mentioned CIP and Profinet in a previous message is that once the device is bootstrapped, if it has a management interface, that is what should be used. Adding new services on a device is undesirable. This covers the case when the manufacturer becomes unavailable. However, it should be viewed as a backstop. See below.

> This would seem to cover the case where there is an orderly sale of equipment
> from an owner who is still in business to a new owner who is ready to receive
> the device. In my experience buying used routing equipment, this is never
> the case. Unless the owner printed out such a label in advance.

The point is that the mechanism could reasonably be used. Many credentials are written on your wireless devices right now. This gives you the option for that not to be the case (people needn't worry about Siemens, Rockwell, JCI, Honeywell, or Schneider Electric going out of business anytime soon, for instance - they may feel differently about Joe's Tool and Die).

Another way to look at this would be for the manufacturer to ping the owner periodically to reconfirm ownership. If the owner fails to respond, allow another owner to transfer the device. Or... simply ping the owner when a transfer request is made. But these require that the MASA be present.

To Adam's broader point, there are at least several ways to approach this. We can leave it to the vendor to decide which is correct, and we can continue to look to standardize ideas such as the one Michael had in the message I'm replying to now.

Eliot
signature.asc
Description: Message signed with OpenPGP
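The artifact the message above proposes, a nonceless voucher with a long expiry that the device signs with its own IDevID and that either pins the new owner's domain cert or acts as a bearer voucher, can be made concrete with a small sketch. The following is an added example written for this archive, not code from the thread, from any of its participants, or from any BRSKI implementation. It uses the RFC 8366 voucher field names (`ietf-voucher:voucher`, `created-on`, `expires-on`, `assertion`, `serial-number`, `pinned-domain-cert`, `nonce`); the function names `make_nonceless_voucher`, `check_voucher` and `serialize`, the placeholder serial and certificate strings, and the registrar policy the checker enforces (nonce absent, expiry required and in the future, bearer vouchers rejected unless explicitly allowed) are the example's own assumptions, not requirements stated in the RFC or the thread. The IDevID (CMS) signature over the body is a separate step not shown.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed placeholder values (not real device data): a sample serial
# number and a stand-in for the base64 DER of the new owner's domain CA cert.
SAMPLE_SERIAL = "PLACEHOLDER-SERIAL-0001"
SAMPLE_PINNED_CERT_B64 = "PLACEHOLDER-BASE64-DER-OF-DOMAIN-CA-CERT"

# yang:date-and-time in UTC, the form used in the RFC 8366 examples.
YANG_DT = "%Y-%m-%dT%H:%M:%SZ"


def make_nonceless_voucher(serial_number, created_on, lifetime_days,
                           pinned_domain_cert_b64=None):
    """Build the unsigned voucher body (RFC 8366 'ietf-voucher:voucher').

    No 'nonce' is included, so the artifact can be presented again until
    'expires-on'; the lifetime is the only thing bounding that window, which
    is why a nonceless voucher must carry an expiry. With a pinned domain
    cert the voucher is bound to one owner domain; without one it is a
    bearer voucher that any registrar holding it could present.
    """
    body = {
        "created-on": created_on.strftime(YANG_DT),
        "expires-on": (created_on + timedelta(days=lifetime_days)).strftime(YANG_DT),
        "assertion": "logged",
        "serial-number": serial_number,
    }
    if pinned_domain_cert_b64 is not None:
        body["pinned-domain-cert"] = pinned_domain_cert_b64
    return {"ietf-voucher:voucher": body}


def check_voucher(voucher, expected_serial, now, allow_bearer=False):
    """Registrar-side checks on the voucher body; returns a list of problems.

    The policy here (example's own choice): the voucher must name this
    device, must be nonceless, must carry an unexpired 'expires-on', and
    must pin a domain cert unless the operator accepts bearer vouchers.
    Verifying the device's IDevID signature over the body is a separate step.
    """
    problems = []
    body = voucher.get("ietf-voucher:voucher")
    if not isinstance(body, dict):
        return ["missing ietf-voucher:voucher container"]
    if body.get("serial-number") != expected_serial:
        problems.append("serial-number does not match the device")
    if "nonce" in body:
        problems.append("nonce present: not the nonceless artifact this flow expects")
    expires = body.get("expires-on")
    if expires is None:
        problems.append("nonceless voucher has no expires-on (replayable forever)")
    else:
        try:
            exp_dt = datetime.strptime(expires, YANG_DT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("expires-on is not a UTC yang:date-and-time value")
        else:
            if exp_dt <= now:
                problems.append("voucher expired on " + expires)
    if not body.get("pinned-domain-cert") and not allow_bearer:
        problems.append("bearer voucher (no pinned-domain-cert) rejected by policy")
    return problems


def serialize(voucher):
    """Compact JSON text: the bytes that would be signed, stored, or printed
    as a QR code alongside the device."""
    return json.dumps(voucher, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    created = datetime(2019, 7, 13, 17, 10, 0, tzinfo=timezone.utc)
    v = make_nonceless_voucher(SAMPLE_SERIAL, created, 3650, SAMPLE_PINNED_CERT_B64)
    print(serialize(v))
    print(check_voucher(v, SAMPLE_SERIAL, datetime.now(timezone.utc)))
```

The checker distinguishes the two designs raised in the message: a pinned voucher passes as-is, while a bearer (wildcard) voucher is only accepted when the registrar operator has opted in, since nothing else limits who can redeem it before expiry.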
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
