IETF Logo Mail Archive

Re: [6tisch] xxx-bootstrap

Göran Selander <goran.selander@ericsson.com> Tue, 06 December 2016 19:05 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FBD8129AE0 for <6tisch@ietfa.amsl.com>; Tue, 6 Dec 2016 11:05:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KLwYVUzl2aN3 for <6tisch@ietfa.amsl.com>; Tue, 6 Dec 2016 11:05:04 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06BAF129A90 for <6tisch@ietf.org>; Tue, 6 Dec 2016 11:04:38 -0800 (PST)
X-AuditID: c1b4fb2d-26a859800000561e-95-58470bc4e280
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.183.24]) by (Symantec Mail Security) with SMTP id E4.52.22046.4CB07485; Tue, 6 Dec 2016 20:04:36 +0100 (CET)
Received: from ESESSMB303.ericsson.se ([169.254.3.128]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0319.002; Tue, 6 Dec 2016 20:03:41 +0100
From: Göran Selander <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, 6tisch <6tisch@ietf.org>
Thread-Topic: [6tisch] xxx-bootstrap
Thread-Index: AQHSSuDPU1xNoBfYBUWdkIQa1WBi/qDyKnSAgAkmswA=
Date: Tue, 06 Dec 2016 19:03:39 +0000
Message-ID: <D46CC86D.6E92A%goran.selander@ericsson.com>
References: <efb18853e63642bc4a996dc419cd1efb@xs4all.nl> <31466.1480551529@obiwan.sandelman.ca>
In-Reply-To: <31466.1480551529@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.0.161029
x-originating-ip: [153.88.183.148]
Content-Type: text/plain; charset="utf-8"
Content-ID: <33BED076ACDA6D4DA596702F2E3A2D2D@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBIsWRmVeSWpSXmKPExsUyM2K7hO4RbvcIg1WTjC2W3e1jtni0fxWb Rc+hfnYHZo8lS34yebTM2cPscaJhO3sAcxSXTUpqTmZZapG+XQJXxss/GQXblCvudLWzNjAe UOpi5OSQEDCRmN9+nKWLkYtDSGAdo8S5y5eYIJzFjBK/Du5lAqliE3CReNDwCMwWEfCQmPVx BwuIzSxgK7HjyxZ2EFtYQFni5NXNbBA1KhK3p+9ihLCtJL40nWMFsVmA4isXLWQGsXkFLCTW PL8FZgsJJErMeboDrJ5TwFji58J+sJmMAmIS30+tYYLYJS5x68l8JoirBSSW7DnPDGGLSrx8 /A9svqiAnsTsKQ3sEHElicYlT4DiHEC9mhLrd+lDjLGWmPVoBSOErSgxpfshO8Q5ghInZz5h mcAoPgvJtlkI3bOQdM9C0j0LSfcCRtZVjKLFqcXFuelGxnqpRZnJxcX5eXp5qSWbGIHxd3DL b90djKtfOx5iFOBgVOLhLbjkFiHEmlhWXJl7iFGCg1lJhNcJGL1CvCmJlVWpRfnxRaU5qcWH GKU5WJTEec1W3g8XEkhPLEnNTk0tSC2CyTJxcEo1MNa1yZq9SJ0b11a7YNu5vh/sp69wGqnM 2xDwjqX/0YGy+Vm11npPVVQ+8holZUkxXryQ+K3k7JFsS2/uJb+/Rv3cfIJz2r71H+YdPzw5 t0Lz/JWUOoGzG4recnZOd9c/us5jzY7uPMu2T5cT6iV6ZwQ+cdzvrOXrF/L+fYbG3Pe2bzYv CgqzO6TEUpyRaKjFXFScCABcStzduwIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/fdPk4oSwI26Wo1tl3EqXof5eTQw>
Cc: "consultancy@vanderstok.org" <consultancy@vanderstok.org>
Subject: Re: [6tisch] xxx-bootstrap
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 19:05:11 -0000

Apologies for the previous empty mail, this is the mail I wanted to
comment on.

On 2016-12-01 01:18, "6tisch on behalf of Michael Richardson"
<6tisch-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:

>
>Hi, I haven't read the entire thread yet, but I wanted to pull out another
>email from a private thread about some ideas I had before I forgot.
>
>This would be the phase 1.  Now that I understand more about EDHOC,
>I think that the certificate exchange and EDHOC setup would occur
>at the GET /nonce phase.
>
>Peter, if this is what you have in mind, then let's develop one of the
>EST/CoAP drafts into saying this.
>
>====
>
>I am thinking about if we can come up with a mechanism that can be driven
>by
>either side, which uses the same protocol and message encodings.
>I had been thinking last night that CMS was getting in the way, but I
>think that actually that's probably not the case; we are going to use
>pkcs7/11 anyway, and if that's really the extent of it, then no big deal.
>
>I'm trying to find a way to merge this into netconf-keystore essentially,
>and
>that document is not really particular about the formats.
>
>I'm looking at draft-ietf-anima-bootstrapping-keyinfra-04 section 5.7,
>and EST section 4.
>
>I imagine that one can reverse the process in 6tisch, and we could POST
>From the JCE to client /cacerts, etc...
>
>So, if the straight EST process looks like:
>
>    new-node                     registrar
>         POST /requestaudittoken-->     [includes nonce]
>         <--- 200 OK + audit token-     [section 5.2]
>
>         GET /cacerts ----------->
>         <--- domain certificate--     (application/pkcs7-mime,
>                                        CMC Simple PKI RESPONSE)
>         GET /csrattrs ---------->
>         <--- app/csrattrs -------     [ASN as per 7030]
>
>         POST /simpleenroll------>     (PKCS#10 Cert Req)
>         <--- LDevID cert---------     (pkcs7)
>
>
>Then the JCE driven process should instead look like:
>
>    pledge                       JCE
>         <--- CoAP GET /nonce-----
>         ----- 200 OK, nonce ---->     [could be empty if nonce
>
>         <--- CoAP POST /voucher--     {audit token or ownership voucher}
>         ----- 200 OK------------>     [or 4xx or 5xx code! ]


In the interest of reducing round-trips, could anything of this be sent in
parallel with the key exchange?

Göran




>
>         <--- CoAP POST /cacerts--     [block-transfer]  [maybe not??]
>                                       (application/pkcs7-mime,
>                                        CMC Simple PKI RESPONSE)
>         ----200 OK-------------->
>
>         <--- CoAP POST /csrattrs-     [ASN as per 7030]
>         ----200 OK-------------->
>
>         <--- CoAP GET  /csr------
>         ----200 OK ---PKCS10 ----     [PKCS#10 Cert Req]
>
>         <--- CoAP POST /cert-----     [PKCS7 Certificate]
>         ----200 OK --------------
>
>Except that ideally, the above would be described in YANG with Kent's help
>in netconf-keystore.
>(Pascal, in our SoW #7, the above protocol would be Deliverable 3, btw)
>
>
>
>--
>Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>

v2.23.0 | Report a Bug | By Email