Re: Security Working Group - Wednesday July 22 - results

[Michael Richardson <mcr@sandelman.ca>]

[-- Attachment #1: Type: text/plain, Size: 2589 bytes --]


Ed Tanous <ed@tanous.net> wrote:
    > One thing to note;  At one point, I had talked through how to
    > prototype ACME protocol replacement of certificates automatically, so,
    > given an ACME server on the network, the BMC could essentially
    > automatically provision itself and keep its certs up to date.  If
    > someone wanted to run with that, it might reduce some of the pain here
    > (and be extremely cool).

I have running code, but to use ACME, requires some initial trust
relationship.  The manufacturer can do that if they want.

One can also use draft-ietf-anima-bootstrapping-keyinfra + EST (RFC7030).
These two are not mutually exclusive.

I hope to clear my plate enough before the end of the year to demonstrate
this on OpenBMC.

    > The above is all asking the wrong question: "Can we determine if the
    > certificate is valid?"  This is irrelevant, the question is: "Should
    > we ever be replacing a user provided certificate with one generated on
    > the BMC."  The answer previously has been no.  In almost all cases the
    > user provided certificate, even an expired one, will still be better
    > than one the BMC self signs.  Between having an invalid certificate
    > chain, and an invalid date, I'll take the invalid date every time.

I agree.

    > It should be noted, most browsers (in my testing) seem to ignore the
    > HTTP date header entirely, so the BMC doesn't even need the correct
    > time to set up a proper encryption channel.

That's very surprising and counter to my experience.
The more likely case is that the OpenBMC has the wrong date.

    >> Should “out of date” not be part of the
    >> “unusable” definition? ⇒ Ideas: 1. If bmcweb finds a usable cert but is
    >> out of date, that cert can still be used.  2. Leave the defective
    >> certificate (do not delete it) and log an error.

    > A lot of BMCs don't have a dedicated RTC, and rely on other systems
    > (like the PCH or NTP) to get the correct time.  bmcweb needs to come
    > up long before the PCH or NTP (both of which are also optional) so as
    > a general rule, using these for valid time is a non-starter.  I could
    > see logging an error _if_ you know time is valid, but I'm not sure how
    > a bmc could know that.

Agreed.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]