Re: [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Randy Bush <randy@xxxxxxx> wrote:
    > a stunning review as usual.  but i have two questions which you kind of
    > finessed.  they are simple binary, i.e. yes/no, questions that the end
    > user, to whom the IETF is ultimately responsible, really cares about.

    > if the manufacturer's servers go down, either permanently or even for
    > a day, does the device i have purchased still work?  i.e. is it fail
    > soft? [0]

First, BRSKI as used by ANIMA is specifically not targeted at Things.
(We are developing profiles of BRSKI that are about Things, but I think that
this internet-draft should not be evaluated on that basis).

It's targeted at routers and other devices found at ISPs or Enterprises.

Whether or not the device continues to work after you take ownership is not
about this protocol.

Second, the only time the manufacturer's servers need to be alive is when
device ownership is claimed.   Once the device is claimed, it joins *YOUR*
network, and trusts your infrastructure, not the manufacturer.  Whether or
not the device will *operate* without the manufacturer's servers is really
outside of BRSKI.  However, if anything, we feel that as BRSKI creates a
strong connection between the device (the "pledge"), and the owner, that it
is much easier for the device to operate under the control of the owner
rather than exclusively the manufacturer's servers.


Joel M. Halpern <jmh@xxxxxxxxxxxxxxx> wrote:
    > That answer seems to imply that if the MASA is down before I try to transfer
    > my device, and if the MASA is still down when the recipient tries to get my
    > device working, it won't work.

    > Which seems to mean that once a MASA goes down permanently, any new can not
    > get a device reliant on that MASA to work.

    > Seems a pretty severe limitation.

You are answering a different question than Randy asked, I think.
You are answering the question about whether the device can be resold.

This is a pretty important question and we have discussed it at length.
I remain concerned, but as far as I can see, we have this problem already.

It fundamentally depends upon a number of things which unfortunately, the
manufacturer has ultimate decision making about.  I hope that the market
will express itself, and the answers will result in environmentally
sustainable solutions rather than landfills.

Those things are:
   1) trivially, is the manufacturer alive, and willing to issue a new
      voucher to a new owner.  This is the easiest situation.

   2) if the manufacturer's software allows the domain owner to replace the
      MASA trust anchor with another one, then a different MASA could authorize
      the resale.

   3) if the manufacturer allows the entire software stack to be replaced,
      then in effect, a new manufacturer can be selected. (Think OpenWRT
      here)

In essence, all of these questions are about the degree to which the
manufacturer lets the owner control the software.  This is a tussle between
manufacturers that want to control it all, and owners who feel they should
control what the system does.

We think that BRSKI does not force either situation, but does deal with
some situations where a third party has inserted software between the point of
manufacture and the owner.


--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
 -= IPv6 IoT consulting =-
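The trust model argued above (the MASA is needed only while ownership is claimed; afterwards the pledge trusts the owner's domain, and resale after the MASA disappears depends on whether the firmware lets the owner replace the MASA trust anchor) can be made concrete with a small model. The following is an added illustration written for this archive page, not code from the draft's authors or from any BRSKI implementation: vouchers are reduced to an Ed25519-signed JSON blob instead of a CMS-signed RFC 8366 artifact, the names `MASA`, `Pledge`, `Voucher`, `Claim` and `ReplaceMASAAnchor` are this example's own, and all keys, serial numbers and nonces are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Voucher is a toy stand-in for a BRSKI voucher: the manufacturer asserts, under
// its signature, which owner domain key the pledge with this serial should trust.
type Voucher struct {
	SerialNumber    string `json:"serial-number"`
	PinnedDomainKey []byte `json:"pinned-domain-pubkey"`
	Nonce           string `json:"nonce"`
}

// SignedVoucher carries the encoded voucher and the MASA's signature over it.
type SignedVoucher struct {
	Payload   []byte
	Signature []byte
}

// MASA holds the manufacturer's voucher-signing key. Unavailable models
// "the manufacturer's servers are down".
type MASA struct {
	priv        ed25519.PrivateKey
	Unavailable bool
}

// IssueVoucher binds a pledge serial to an owner's domain key. This is the only
// step in the model that requires the MASA to be reachable.
func (m *MASA) IssueVoucher(serial string, domainPub ed25519.PublicKey, nonce string) (*SignedVoucher, error) {
	if m.Unavailable {
		return nil, errors.New("MASA unreachable: cannot issue voucher")
	}
	payload, err := json.Marshal(Voucher{SerialNumber: serial, PinnedDomainKey: domainPub, Nonce: nonce})
	if err != nil {
		return nil, err
	}
	return &SignedVoucher{Payload: payload, Signature: ed25519.Sign(m.priv, payload)}, nil
}

// Pledge is the device. It ships with the manufacturer's MASA key as its only
// trust anchor; after a successful claim it pins the owner's domain key instead.
type Pledge struct {
	Serial                 string
	masaAnchor             ed25519.PublicKey
	domainKey              ed25519.PublicKey // nil until claimed
	AllowAnchorReplacement bool              // option 2 in the message: firmware lets the owner swap the MASA anchor
}

// Claim verifies a voucher against the pinned MASA anchor and, if it is for this
// device and this bootstrap attempt, pins the owner's domain key.
func (p *Pledge) Claim(sv *SignedVoucher, expectedNonce string) error {
	if !ed25519.Verify(p.masaAnchor, sv.Payload, sv.Signature) {
		return errors.New("voucher not signed by pinned MASA")
	}
	var v Voucher
	if err := json.Unmarshal(sv.Payload, &v); err != nil {
		return err
	}
	if v.SerialNumber != p.Serial {
		return errors.New("voucher is for a different pledge")
	}
	if v.Nonce != expectedNonce {
		return errors.New("voucher nonce mismatch (stale or replayed voucher)")
	}
	p.domainKey = ed25519.PublicKey(v.PinnedDomainKey)
	return nil
}

// VerifyOwnerCommand models day-to-day operation after the claim: only the pinned
// domain key is consulted, so the MASA plays no part and may be offline.
func (p *Pledge) VerifyOwnerCommand(msg, sig []byte) bool {
	return p.domainKey != nil && ed25519.Verify(p.domainKey, msg, sig)
}

// ReplaceMASAAnchor lets the current owner install a different MASA trust anchor
// (option 2). The device returns to the unclaimed state, now trusting the new MASA.
func (p *Pledge) ReplaceMASAAnchor(newAnchor ed25519.PublicKey, ownerSig []byte) error {
	if !p.AllowAnchorReplacement {
		return errors.New("firmware does not permit trust anchor replacement")
	}
	if !p.VerifyOwnerCommand(newAnchor, ownerSig) {
		return errors.New("anchor replacement not authorised by current owner")
	}
	p.masaAnchor = newAnchor
	p.domainKey = nil
	return nil
}

// ScenarioResult records the outcome of each stage discussed in the message.
type ScenarioResult struct {
	ClaimedOK                 bool
	OperatesWithMASADown      bool
	ResaleWithMASADownErr     string
	ResaleViaReplacedAnchorOK bool
}

// RunScenario walks through claim, manufacturer outage, failed resale via the
// dead MASA, and successful resale via an owner-authorised replacement anchor.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	masaPub, masaPriv, err := ed25519.GenerateKey(rand.Reader) // constructed manufacturer key
	if err != nil {
		return res, err
	}
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader) // constructed first-owner domain key
	if err != nil {
		return res, err
	}
	masa := &MASA{priv: masaPriv}
	pledge := &Pledge{Serial: "EXAMPLE-SERIAL-0001", masaAnchor: masaPub, AllowAnchorReplacement: true}

	// 1. Claim: the one step that needs the manufacturer online.
	sv, err := masa.IssueVoucher(pledge.Serial, ownerPub, "constructed-nonce-1")
	if err != nil {
		return res, err
	}
	if err := pledge.Claim(sv, "constructed-nonce-1"); err != nil {
		return res, err
	}
	res.ClaimedOK = true

	// 2. Manufacturer goes dark; the owner's signed commands still verify.
	masa.Unavailable = true
	cmd := []byte("apply-config v42")
	res.OperatesWithMASADown = pledge.VerifyOwnerCommand(cmd, ed25519.Sign(ownerPriv, cmd))

	// 3. Resale: the buyer needs a fresh voucher, but the MASA is gone (option 1 fails).
	buyerPub, _, err := ed25519.GenerateKey(rand.Reader) // constructed buyer domain key
	if err != nil {
		return res, err
	}
	if _, err := masa.IssueVoucher(pledge.Serial, buyerPub, "constructed-nonce-2"); err != nil {
		res.ResaleWithMASADownErr = err.Error()
	}

	// 4. Option 2: the seller authorises a replacement MASA (here one the buyer runs),
	// which can then issue the buyer's voucher without the original manufacturer.
	newMASAPub, newMASAPriv, err := ed25519.GenerateKey(rand.Reader) // constructed replacement-MASA key
	if err != nil {
		return res, err
	}
	if err := pledge.ReplaceMASAAnchor(newMASAPub, ed25519.Sign(ownerPriv, newMASAPub)); err != nil {
		return res, err
	}
	newMASA := &MASA{priv: newMASAPriv}
	sv2, err := newMASA.IssueVoucher(pledge.Serial, buyerPub, "constructed-nonce-3")
	if err != nil {
		return res, err
	}
	res.ResaleViaReplacedAnchorOK = pledge.Claim(sv2, "constructed-nonce-3") == nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		fmt.Println("scenario failed:", err)
		return
	}
	fmt.Printf("%+v\n", res)
}
```

The point the model makes visible is that the MASA outage in stage 2 is harmless to the current owner, while stage 3 fails purely because the voucher for a new owner has to come from a signer the pledge already trusts; stage 4 only succeeds because `AllowAnchorReplacement` is true, which is exactly the manufacturer decision the message says the market will have to settle.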




