[Acme] ACME integrations with BRSKI and the cmcRA EKU
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 04 December 2020 20:33 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89C433A0FBD; Fri, 4 Dec 2020 12:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0DleDaZdIc4; Fri, 4 Dec 2020 12:33:09 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BF993A0BB1; Fri, 4 Dec 2020 12:33:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id B87A7389C1; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 63B-3cV-Dm3g; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 24E9B389BE; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1A5BB1FB; Fri, 4 Dec 2020 15:33:06 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org, acme@ietf.org, iot-onboarding@ietf.org, iotops@ietf.org, lamps@ietf.org
cc: "Max Pritikin (pritikin)" <pritikin@cisco.com>
In-Reply-To: <CY4PR11MB1685A60B58D9CB1269978B5ADBE10@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu> <600.1585687336@localhost> <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <5633.1585770340@localhost> <AM5P190MB027524F2D1530746DD48C4DDFDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <13227.1586052088@localhost> <AM5P190MB0275BA7298686DBADD31F0A3FDC20@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <14837.1586479192@localhost> <AM5P190MB027501C1759C042E54C40137FDD40@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CY4PR11MB1685181D4456431F05071D05DBE90@CY4PR11MB1685.namprd11.prod.outlook.com> <23785.1605650162@localhost> <CY4PR11MB1685A60B58D9CB1269978B5ADBE10@CY4PR11MB1685.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 04 Dec 2020 15:33:06 -0500
Message-ID: <26304.1607113986@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/qNhaou3h8wTgsfqfEOErFPI7K7s>
Subject: [Acme] ACME integrations with BRSKI and the cmcRA EKU
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 20:33:12 -0000
Please excuse the long intro. Due to the cross-post, I want to make sure that everyone has the right context. draft-ietf-acme-integrations proposes some best practices on how to use an ACME certification authority like LetsEncrypt with an onboarding protocol like BRSKI (draft-ietf-anima-bootstrapping-keyinfra) BRSKI is based upon RFC7030 -- Enrollment over Secure Transport. (One of three methods the IETF has, including CMP and now SCEP) A "burden" of using BRSKI is that there are two (possibly private) PKIs: one run my the manufacturer, and one run by (or for) the owner. { draft-richardson-t2trg-idevid-considerations and draft-richardson-anima-masa-considerations is about the manufacturer PKI } BRSKI is essentially the authorized replacement of a device's manufacturer identity with a local identity. This protocol (and others like it) are critical to having true ownership of devices. The ACME integration document lightens some of the burden of having the operator run PKI in smaller environments. It does not remove the necessicity of having some kind of "home base" which will manage the enrollment. The converged 6tisch/BRSKI term for this is JRC, R being for Registrar. RFC7030 defines the cmcRA EKU. The Registrar's EE certificate is supposed to have this bit set. This is an indication that the Certification Authority has effectively authorized that Registrar as legitimate. If not for this bit, then a peer in the same CA could claim to be a Registrar, and then could (re-)enroll entities into a different CA. For the Autonomic Control Plane (ACP/ANIMA) use of BRSKI, this would be a problem, and draft-ietf-anima-autonomic-control-plane section 6.2.5 discusses this. The ACP determines where the edges of the domain are by looking for nodes that share the same CA. Homenet participants will remember that determining the perimiter of the (home) domain was a problem. Now, if a "public" CA is used via ACME, such as LetsEncrypt, then the edge-of-domain checks become meaningless. This is likely not a problem for many of the IoT uses of BRSKI that would benefit from draft-ietf-acme-integrations, as they don't need/want to form an ACP. A Registrar that uses RFC8555 to talk to it's CA could have three different kinds of anchors: 1) it could use an RFC8555/ACME EE certificate that it obtained for itself. In that case, the cmcRA bit is most likely not set. 2) it could have a self-signed EE certificate, where the cmcRA bit could in fact be set. {Would it have any real meaning?} 3) it could use a raw-public-key. The RFC8366 voucher system can cope with of these three things. BRSKI does not require that the Registrar have a publically validatable EE certificate. (nor does it forbid it) Note that MASA can in fact evaluate these things! The question whether there might be some rules that I haven't thought about. One thing that occurs to me that a pledge which *can* form an ACP, probably should *not* if the cmcRA bit is not set. Or perhaps, the MASA should do this evaluation, and should a TBD attribute in the voucher. One thought that I had was whether ACME/8555 uses like envisioned in draft-friel-acme-subdomains-03 could/should allow the entity requesting authorization for a subdomain to request an EE certificate for the apex of that zone with some bit set. Would some kind of qualified cmcRA EKU make sense? ofriel> Is this pretty much true for both self-signed and private-CA signed ofriel> registrar certs? The pinned-domain-cert in the voucher could be EE or ofriel> CA cert, and in either case it’s the MASA that tells the pledge to ofriel> trust it. As long as the cert (EE or CA) is added to the trust store ofriel> of the pledge, you would need different pledge logic to check '(if RA ofriel> cert == self-signed then ignore cmcRA) else (if RA cert == EE cert ofriel> then check cmcRA) which seems clunky. ofriel> And as I believe you cannot get cmcRA from a public CA today, we ofriel> don’t even have the halfway house of getting the RA EE cert manually ofriel> from a public CA with the cmcRA EKU set, but automating the bluk ofriel> pledge certs via ACME. ofriel> Seems like mixing two sort of orthogonal things - subdomains and cmcRA.. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Acme] ACME integrations with BRSKI and cmcRA bit Michael Richardson
- Re: [Acme] ACME integrations with BRSKI and cmcRA… Esko Dijk
- [Acme] ACME integrations with BRSKI and the cmcRA… Michael Richardson
- Re: [Acme] [Anima] ACME integrations with BRSKI a… Esko Dijk
- Re: [Acme] [Anima] ACME integrations with BRSKI a… Deb Cooley
- Re: [Acme] [Anima] ACME integrations with BRSKI a… Michael Richardson