Skip to main content

Shepherd writeup
draft-richardson-mud-qrcode

draft-richardson-mud-qrcode has been presented to the ISE for
publication as an Informational RFC on the Independent Stream.

==Purpose==

This document details a protocol to load Manufacturer Usage Description
definitions via QR codes affixed to the product or its packaging for
devices which have no integrated MUD support.

The document is published to inform the Internet community of this 
mechanism, to allow interoperability. and to serve as a basis of
standards work if there is interest.

== History==

This document was initially brought to the ISE in December 2020 at
revision -00. The author was of the opinion that the work would not be
considered as in scope by the IETF.

After discussions with the OPSAWG chairs, and Eliot Lear (as a MUD
expert), Michael tried to interest the working group in the document.
He also, at the suggestion of the OPSAWG chairs, approached IoTOps.
There was no supportive response (although no opposition), so the
work moved back to the ISE.

==Non-IETF Work==

Asides form the normal Independent Stream boilerplate that will be added
when published as an RFC, Section 2 of this document observes that this
is not an IETF Standards Track publication.

==Security Considerations==

Security concerns around social engineering or physical tampering
attracted a lot of comment in reviews.

Section 7 (Privacy) and Section 8 (Security) make some attempts at
discussing these and other issues, observing that (ultimately) the
referenced URL needs to be signed and verified, and that the presence
of a QR code on a product or its packaging means nothing of itself.

==IANA==

The document makes no request for IANA action.

==Reviews==

As well as reviewing the document himself, the ISE commissioned reviews
from Eliot Lear, Jamie Jimenez (IoTDir), Joel Jaegli (OPSDir), and Marco
Tiloca. 

The reviews led to a number of updates and discussions.  The issues of
social engineering and tampering remained concerns of the reviewers, but
they were unable to suggest resolutions beyond what the text already
says.

Details of the reviews can be retrieved on request.
Back