View Issue Details

ID: 0009874
Project: 10000-002: Security
Category: Spec
View Status: public
Last Update: 2025-04-23 10:42
Reporter: Randy Armstrong
Assigned To: Frank Volkmann
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Target Version: 1.05.05 RC1
Summary: 0009874: Need to Address ARP Poisoning and Spanning Tree Protocol (STP) attacks
Description

ARP Poisoning and STP attacks are well-known vulnerabilities that affect all IP networks. Modern commercial routers have protections built in, but they must be configured.

To protect against misconfiguration or routers that lack the protections, applications should encrypt all messages.

Need update to: 4.3 Security threats to OPC UA systems
and
5.1 Reconciliation of threats with OPC UA security mechanisms

Tags: sg.Security
Commit Version: 1.05.06 RC1
Fix Due Date: 2025-05-15

Relationships

related to 0009875 (closed, Randy Armstrong): 10000-007: Profiles - Update Profile to require that SignOnly mode be disabled by default.

Activities

Randy Armstrong

2024-10-09 15:17

administrator   ~0021872

Add profile that disables sign-only by default.

Frank Volkmann

2025-04-23 10:41

developer   ~0022665

Send Proposed text for Part 2 to Taskforce:
SignOnly rules:

OPC UA Security is affected by network infrastructure because certain IP level attacks are only possible on networks that have not been configured to resist these attacks. For example, if a network is known and under the control of one of the parties involved in the OPC UA communication, then SecureChannels without encryption may be used. Conversely, if the network, such as the public Internet, is not under the control of one of the parties involved in the OPC UA communication, then encryption should be used.

The types of attacks that need to be considered when developing a threat model include ARP poisoning, spanning tree (STP) and other IP layer man-in-the-middle attacks. Possible mitigations for these attacks may include network hardware specific configurations for ethernet switches such as static ARP tables. Using encryption with SecureChannels provides strong protection against the negative consequences of these types of attacks regardless of what network infrastructure exists. Session hijacking is one possible negative consequence when SecureChannels without encryption are used without appropriate network level protections.

If you're already fine with the text and we need no discussion, please let me know via e-mail, because in that case I could tell the Security WG to continue and they wouldn't need to wait for our next meeting.
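The proposed text above ties the acceptable SecureChannel mode to whether the network is under one party's control. The following endpoint-selection check is an added example written for this page; it is not code from the OPC Foundation, the issue, or any OPC UA stack. The MessageSecurityMode numbers and the SecurityPolicy URIs are the ones the OPC UA specification defines; the endpoint list, the `plc.example` host and the function names are constructed for the example. By default it treats the network as untrusted, so a sign-only endpoint is refused unless the caller explicitly asserts the network is under its control, which mirrors the related request to disable SignOnly by default.

```python
"""Choose the strongest acceptable OPC UA endpoint for a client.

Added example (not from the OPC UA specification or any stack).
Only the numeric MessageSecurityMode values and the SecurityPolicy URIs
are taken from the OPC UA specification; everything else is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MessageSecurityMode values as defined in OPC UA Part 4.
MODE_NONE = 1
MODE_SIGN = 2
MODE_SIGN_AND_ENCRYPT = 3

# SecurityPolicy URIs as defined by the OPC UA specification.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC256SHA256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
POLICY_AES256_RSAPSS = "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"


@dataclass(frozen=True)
class Endpoint:
    """Minimal stand-in for an EndpointDescription returned by GetEndpoints."""
    url: str
    security_mode: int
    security_policy_uri: str


def is_acceptable(ep: Endpoint, network_trusted: bool) -> Tuple[bool, str]:
    """Decide whether a client should open a SecureChannel to this endpoint.

    Returns (ok, reason). `network_trusted` is the operator's assertion that
    the network is known and under the control of one of the parties; it
    defaults to False in select_endpoint so sign-only is refused by default.
    """
    if ep.security_mode == MODE_NONE or ep.security_policy_uri == POLICY_NONE:
        # No signing and no encryption: eavesdropping and message alteration.
        return False, "no message security"
    if ep.security_mode == MODE_SIGN and not network_trusted:
        # Integrity only: an IP-layer man-in-the-middle (ARP/STP) on an
        # unprotected network can still read traffic and hijack the session.
        return False, "sign-only endpoint on a network not under our control"
    if ep.security_mode == MODE_SIGN_AND_ENCRYPT:
        # Encryption protects regardless of the network infrastructure.
        return True, "signed and encrypted"
    return True, "sign-only accepted because the network is under our control"


def select_endpoint(endpoints: List[Endpoint],
                    network_trusted: bool = False) -> Optional[Endpoint]:
    """Return the acceptable endpoint with the strongest mode, or None."""
    acceptable = [ep for ep in endpoints if is_acceptable(ep, network_trusted)[0]]
    if not acceptable:
        return None
    # Higher MessageSecurityMode value means stronger protection.
    return max(acceptable, key=lambda ep: ep.security_mode)


def audit(endpoints: List[Endpoint],
          network_trusted: bool = False) -> List[Tuple[str, bool, str]]:
    """Report every endpoint with the decision and its reason."""
    return [(ep.url, *is_acceptable(ep, network_trusted)) for ep in endpoints]


# Constructed endpoint list, as a server might advertise via GetEndpoints.
CONSTRUCTED_ENDPOINTS = [
    Endpoint("opc.tcp://plc.example:4840/open", MODE_NONE, POLICY_NONE),
    Endpoint("opc.tcp://plc.example:4840/signed", MODE_SIGN, POLICY_BASIC256SHA256),
    Endpoint("opc.tcp://plc.example:4840/encrypted", MODE_SIGN_AND_ENCRYPT,
             POLICY_AES256_RSAPSS),
]

if __name__ == "__main__":
    for url, ok, reason in audit(CONSTRUCTED_ENDPOINTS):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {url}: {reason}")
    chosen = select_endpoint(CONSTRUCTED_ENDPOINTS)
    print("selected:", chosen.url if chosen else "none acceptable")
```

Run as-is, the audit rejects the unsecured and the sign-only endpoint and selects the encrypted one; only when the caller passes `network_trusted=True`, and no encrypted endpoint exists, does the sign-only endpoint become the choice.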

Frank Volkmann

2025-04-23 10:42

developer   ~0022666

Answer from Jens Cordt:
Part 2 section 4.4 states “OPC UA specifies features that are intended so that conformant OPC UA Applications can meet the security requirements that are expected to be made by sites where they will be deployed.”

This means that the requirements for protection against ARP/STP attacks must be explicitly included as necessary features, in addition to the proposed note (at least somewhere in part 2).

Section 4.3.5 names message alteration as a threat. Section 5.1.5 names the signature as a countermeasure. This is not consistent with the proposal. The proposal excludes “IP-level man-in-the-middle” attacks. However, I am not aware of any other relevant attacks for the manipulation of messages on the communication path.

This is exacerbated by the fact that 5.1.1 mentions "SignOnly" for mitigating all threats except "eavesdropping" and "server profiling". The incidental restriction that the network must be protected against ARP poisoning, spanning tree (STP) and other IP layer man-in-the-middle attacks does not fit in with this.

However, the strongest argument against this simple solution is section 6.18 Zero trust environments. It states “OPC UA, with its built-in security capabilities, is a very good fit for a zero trust environment.” This does not justify the restrictions mentioned.

Issue History

Date Modified Username Field Change
2024-10-09 14:17 Randy Armstrong New Issue
2024-10-09 15:17 Randy Armstrong Note Added: 0021872
2024-10-09 15:22 Randy Armstrong Issue cloned: 0009875
2024-10-09 15:23 Randy Armstrong Relationship added related to 0009875
2025-04-01 15:20 Jim Luth Tag Attached: sg.Security
2025-04-01 15:20 Jim Luth Assigned To => Frank Volkmann
2025-04-01 15:20 Jim Luth Status new => assigned
2025-04-01 15:20 Jim Luth Commit Version => 1.05.06 RC1
2025-04-01 15:20 Jim Luth Fix Due Date => 2025-05-15
2025-04-23 10:41 Frank Volkmann Note Added: 0022665
2025-04-23 10:42 Frank Volkmann Note Added: 0022666