security review issue 11: what if MASA refuses to provide a voucher #88

Closed
mcr opened this issue Sep 30, 2018 · 6 comments

@mcr
Member

mcr commented Sep 30, 2018

  1. Attacks by the MASA. What happens if the MASA refuses to provide a voucher,
    or provides a wrong voucher? Can the MASA be used to restrain commerce
    with specific countries? Is that a feature or a bug?
@mcr mcr changed the title security review issue 11 security review issue 11: what if MASA refuses to provide a voucher Sep 30, 2018
@pritikin
Collaborator

pritikin commented Oct 1, 2018

If the MASA refuses to issue a voucher then use of the BRSKI protocol flow to bootstrap the device does not work. There are a number of methods a vendor can use to "restrain commerce" (e.g. make their own product less valuable) particularly when the device is paired with a cloud service.

The only protocol method would be to examine the IP address of the registrar and perform geolocation from there. If certain IP ranges were excluded by the vendor it would be relatively trivial to work around using either IP location masking or obtaining nonceless vouchers from acceptable locations.

@mcr
Member Author

mcr commented Oct 26, 2018

... "although the MASA can be used to restrain the voucher, it can not be used to restrain the device"

@mcr
Member Author

mcr commented Oct 26, 2018

reduces friction for authenticated direct customers, but does not change the situation for indirect (used, grey-market, etc.) customers.

@mcr mcr self-assigned this Oct 26, 2018
@mcr
Member Author

mcr commented Oct 26, 2018

"Privacy Considerations" section, discussed possible subsection "Used, Stolen or Grey Market equipment"... but MASA does not need to do such close tracking.
Does the protocol provide new opportunities for the vendor to insert themselves into the life-cycle of the device, but only in this protocol?
What about in the Trust Model section? Where is the right place to explain the tradeoffs of using this protocol, vs not?
Decide to put this into 8.0 section, to explain how this protocol facilitates complete transfer of the device to the owners' network, dis-engaging the vendor from the day-to-day operation of the device.

@mcr
Member Author

mcr commented Nov 30, 2018

@mcr
Member Author

mcr commented Dec 2, 2018

@pritikin I would like your review, and if you like it, merge it.
