| Internet-Draft | MASA Considerations | May 2023 | 
| Richardson & Pan | Expires 10 November 2023 | [Page] | 
This document describes a number of operational modes that a BRSKI Manufacturer Authorized Signing Authority (MASA) may take on.¶
Each mode is defined, and then each mode is given a relevance within an over applicability of what kind of organization the MASA is deployed into. This document does not change any protocol mechanisms.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 10 November 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
[RFC8995] introduces a mechanism for new devices (called pledges) to be onboarded into a network without intervention from an expert operator.¶
This mechanism leverages the pre-existing relationship between a device and the manufacturer that built the device. There are two aspects to this relationship: the provision of an identity for the device by the manufacturer (the IDevID), and a mechanism which convinces the device to trust the new owner (the [RFC8366] voucher).¶
The manufacturer, or their designate, is involved in both aspects of this process. This requires the manufacturer (or designate) to maintain on online presence.¶
This document offers a number of operational considerations recommendations for operating this online presence.¶
The first aspect is the device identity in the form of an [ieee802-1AR] certificate that is installed at manufacturing time in the device. Some of the background for the operational considerations of building this public key infrastructure is described in [I-D.irtf-t2trg-taxonomy-manufacturer-anchors].¶
The second aspect is the use of the Manufacturer Authorized Signing Authority (MASA), as described in [RFC8995] section 2.5.4. The device needs to have the MASA anchor built in; the exact nature of the anchor is open to a number of possibilities which are explained in this document. This document primarily deals with a number of options for architecting the security of the MASA relationship.¶
There are some additional considerations for a MASA that deals with constrained vouchers as described in [I-D.ietf-anima-constrained-voucher]. In particular in the COSE signed version, there may be no PKI structure included in the voucher mechanism, so cryptographic hygiene needs a different set of tradeoffs.¶
A number of jurisdictions have legal requirements for businesses to have contingency plans in order to continue operating after an incident or disaster. Specifications include [iso22301_2019], but the problem of continuity goes back over 40 years.¶
The [holman2012] document defined an eight tier process to understand how data would be backed up. Tier 0 is "no off-site data", and would be inappropriate for the MASA's signing key. The question as to how much delay (downtime) is tolerable during a disaster for activating new devices. The consideration should depend upon the type of the device, and what kind of disasters are being planned for. Given current technologies for replicating databases online, a tier-4 ("Point-in-time copies") or better solution may be quite economically deployed.¶
A key aspect of the MASA is that it was designed as a component that can be outsourced to a third party, and this third party can leverage economies of scale to provide more resilient systems at much lower costs.¶
The PKI components that are used to provision the IDevID certificiates into new devices need to be operational only when the factory that produces the devices is active. The business continuity planning needs to include provision for backing up the private keys used within the PKI. It may be enough to backup just the root CA key: the rest of the levels of the PKI can be regenerated in another location if necessary.¶
This document makes no IANA requests.¶
Hello.¶