security review issue 11: what if MASA refuses to provide a voucher #88
Comments
If the MASA refuses to issue a voucher then use of the BRSKI protocol flow to bootstrap the device does not work. There are a number of methods a vendor can use to "restrain commerce" (e.g. make their own product less valuable) particularly when the device is paired with a cloud service. The only protocol method would be to examine the IP address of the registrar and perform geolocation from there. If certain IP ranges were excluded by the vendor it would be relatively trivial to work around using either IP location masking or obtaining nonceless vouchers from acceptable locations.
... "although the MASA can be used to restrain the voucher, it can not be used to restrain the device"
reduces friction for authenticated direct customers, but does not change the situation for indirect (used, grey-market, etc.) customers.
"Privacy Considerations" section, discussed possible subsection "Used, Stolen or Grey Market equipment"... but MASA does not need to do such close tracking.
@pritikin I would like your review, and if you like it, merge it.
or provides a wrong voucher? Can the MASA be used to restrain commerce
with specific countries? Is that a feature or a bug?