Hi Joel, > On 15 Jul 2019, at 23:42, Joel M. Halpern <[email protected]> wrote: > > I would probably go a step further than Adam. Protecting the device so a > thief can not use it in the thiefs' own network seems to me to be something > that we should not be trying to achieve. An active non-goal. It is not our > problem.
> And trying to achieve it has the implications that lead to this whole > discussion about the original manufacturer controlling who can resell / > re-buy the device. I would rather we redressed this directly. There is an entire work flow that involves zero-touch provisioning that at least two, and likely four large platforms are driving toward, that all require some sort of manufacturer assertion for device ownership to be transferred. This is not just a good idea or an anti-theft mechanism, but an aspect that is required for zero-touch, particularly with wireless, where network selection has to occur. While in that sense, you might say, “Anti-theft wasn’t the goal”, it is certainly a nice add-on, and it seems like a valuable function. Personally I like that we had this discussion. I think the BRSKI work will be much improved because of it, and people have a better understanding of how the mechanisms can be used/abused as a result. I only wish we had had it earlier. So now let’s talk about anti-theft and counterfeiting. BRSKI has an interesting link to both. If a manufacturer is able to show the customer what devices have been registered, any device that seems to be operational but is NOT registered has to be considered suspect by the customer. That’s a nice counterfeit protection, and it isn’t there by accident. Similarly having a way to say, “the thing won’t join an unauthorized network” is a very strong theft deterrent, very much akin to the electronic keys that we see now in cars. You generally can no longer go to the local locksmith to get a duplicate key for a great many cars, but your theft insurance has dropped through the floor (particularly if you own a Honda). Might GM, Ford, BMW etc might fail? Sure. No more new keys for those cars: the old ones had better suffice. In this case we discussed several approaches to deal with the case where the supplier drops dead. IMHO that’s a good outcome. Eliot > While manufacturers may like that, it does not seem to be something we > should get involved in. At all. > > Yours, > Joel > > On 7/15/2019 5:10 PM, Adam Roach wrote: >> On 7/15/19 3:38 PM, Brian E Carpenter wrote: >>> On 15-Jul-19 16:45, Joel M. Halpern wrote: >>>> I presume I am missing something basic. >>>> I have tried to follow this discussion, as it seems to be about a >>>> critical aspect of whether the BRSKI work is acceptable. >>>> >>>> I have assumed that what we needed is the ability for a buyer, who has >>>> physical possession of the device, and possibly some simple (non >>>> cryptographic) credentials provided by the seller to force the device to >>>> reset what it thinks it is part of, and to emit in some accessible form >>>> the information the buyer needs to be able to make this device part of >>>> his network, using his authentication servers, etc. >>> Yes, but *not* a solution that works if the device is stolen. >> I'm actually a little ambivalent with respect to this use case. For the kind >> of devices that the document purports to be targeting, I would imagine that >> theft is in the range of parts-per-thousand (or lower) as compared to things >> like post-bankruptcy liquidation. If you can fix the first without ruining >> the second, great. >> /a
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
