
security review issue 5: tampering during drop ship process #78

Closed
mcr opened this issue Sep 30, 2018 · 4 comments

@mcr
Member

mcr commented Sep 30, 2018

  1. Device tampering during the drop ship process, maybe by some kind of
    Tailored Access Operation group. I think that BRSKI does nothing against
    that attack, but maybe we should just say so.

@mcr mcr changed the title from "security review issue 5" to "security review issue 5: tampering during drop ship process" Sep 30, 2018
@pritikin
Collaborator

pritikin commented Oct 2, 2018

Well, section 6.2 "pledge security reductions" recommends a hardware supported NEA method if non-BRSKI methods are allowed. This is effectively the case that leads to "tampering during drop ship".

It is RECOMMENDED that "trust on first use" or skipping voucher
validation only be available if hardware assisted Network Endpoint
Assessment [RFC5209] is supported. This recommendation ensures that
domain network monitoring can detect inappropriate use of offline or
emergency deployment procedures.

@mcr
Member Author

mcr commented Oct 10, 2018

Scope addition.
6.2 does not forbid the device from being bootstrapped by other means,

@mcr
Member Author

mcr commented Oct 10, 2018

Add a few words:
It is RECOMMENDED that "trust on first use" or any method of skipping voucher
validation (including use of craft serial console) only be available if hardware assisted
Network Endpoint Assessment [RFC5209] is supported. This recommendation ensures that
domain network monitoring can detect inappropriate use of offline or
emergency deployment procedures when voucher-based bootstrapping is used.

  • Reference section 6.2 and 6.3 from Security Considerations, "Tampering during drop-ship"

  • section 1.1: These Touch Methods....
    The existence of zero-touch methods does not preclude co-existence of touch methods, see section 6.2.

@pritikin
Collaborator

pritikin commented Nov 5, 2018

modified as per 93041f4

Didn't put in the section 1.1 sentence. Maybe should have.

Did add a paragraph at the start of security considerations to backpoint to the reduced modes and attempt to each into what is effectively a bulleted list (the next paragraphs) and then the subsections.
