Re: [Anima-bootstrap] [Anima] [Ace] Constrained Environment PKI enrollment

"Max Pritikin (pritikin)" <pritikin@cisco.com> Mon, 20 June 2016 17:25 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2FA12D839; Mon, 20 Jun 2016 10:25:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.947
X-Spam-Level:
X-Spam-Status: No, score=-15.947 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V50z7WsFTRxl; Mon, 20 Jun 2016 10:25:40 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E35512D838; Mon, 20 Jun 2016 10:25:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2650; q=dns/txt; s=iport; t=1466443540; x=1467653140; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=hF4iKYZm1fgaXotTnw3uubQPoB6BopIJ4vgf3MGdHaM=; b=gYOfmWooGZpVHVvJdf07prFpFkfNWyDLCo4+hPrm43PLNzo3r0iU86vX xUmSXULNAwZ1SK0/P8RLx2dvl9v5duVQItu1k7CJfRDWy9YKIP393HrtH pnICF6jdOE6wlXDmtVlLiiQDP2qUhqmtWUo6ADpm2ph8nWi0MN87wj4aW w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ABAgAPJmhX/5pdJa1dgz5WfQa6bYF6F?= =?us-ascii?q?wuCPoM3AoE0OBQBAQEBAQEBZSeESwEBAQMBAQEBawsFCwIBCBguJwslAgQOBYg?= =?us-ascii?q?WAw8IDsEeAQEBAQEBAQEBAQEBAQEBAQEBAQEBFwWIHgiCToJDgWcWgyyCLwWYd?= =?us-ascii?q?gGGBYgkCoFfh3+FOo92AR42g3BuiUl/AQEB?=
X-IronPort-AV: E=Sophos;i="5.26,499,1459814400"; d="scan'208";a="120601083"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Jun 2016 17:25:39 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id u5KHPdF7004967 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 20 Jun 2016 17:25:39 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 20 Jun 2016 12:25:38 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1104.009; Mon, 20 Jun 2016 12:25:38 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [Anima-bootstrap] [Anima] [Ace] Constrained Environment PKI enrollment
Thread-Index: AQHRysc5Ayl2YWl+EUKJLE6BGfIPoZ/y78kA
Date: Mon, 20 Jun 2016 17:25:38 +0000
Message-ID: <EA2780D4-45FE-4453-8552-6ED661E1D29B@cisco.com>
References: <CAN9CcB8x8WE-UfX=JxQb2amoDo2MKsCk2GKdXh9-70eJTiM8Gw@mail.gmail.com> <CAF2hCbbtW4rbaB0ksrRdLFgvYZXRMc2bgE=93T5pf_Cdt2S+gg@mail.gmail.com> <14558.1465237865@obiwan.sandelman.ca> <57679E36.1060806@gmx.net>
In-Reply-To: <57679E36.1060806@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <A9523FE62A8C244FA9583A35A1822DE2@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/TuDhjYAWPqNybNrJlQBdd3z_kK8>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Shahid Raza <aazaan@gmail.com>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>, "ace@ietf.org" <ace@ietf.org>, Julien Vermillard <jvermillard@gmail.com>, Samuel Erdtman <samuel@erdtman.se>, "anima@ietf.org" <anima@ietf.org>
Subject: Re: [Anima-bootstrap] [Anima] [Ace] Constrained Environment PKI enrollment
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 17:25:42 -0000

> On Jun 20, 2016, at 1:41 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Michael,
> 
> it depends what "bootstrapping" means.
> 
> We have a key distribution mechanism in the OAuth-ACE document (which is
> relevant to this specific discussion thread).
> 
> Ciao
> Hannes

Hannes, are referencing this statement?
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-02

   This framework supports a wide variety of communication security
   mechanisms between the ACE entities, such as client, AS, and RS.  We
   assume that the client has been registered (also called enrolled or
   onboarded) to an AS using a mechanism defined outside the scope of
   this document.  In practice, various techniques for onboarding have
   been used, such as factory-based provisioning or the use of
   commissioning tools.  Regardless of the onboarding technique, this
   registration procedure implies that the client and the AS share
   credentials, and configuration parameters.  These credentials are
   used to mutually authenticate each other and to protect messages
   exchanged between the client and the AS.

My working definition of bootstrapping is exactly the things that are declared out-of-scope in the ace-oauth-authz doc. 

If you meant a different doc could you provide a more specific reference? Thanks,

- max

> 
> On 06/06/2016 08:31 PM, Michael Richardson wrote:
>> 
>> Samuel Erdtman <samuel@erdtman.se> wrote:
>>> The company I previously worked for where looking into adopting EST for
>>> this purpose, the benefit of EST compared to cmp or scep was that it
>>> defined the process for server side generated keys, which could be
>>> beneficial if key generation would be to cumbersome for the device or
>>> if you don't trust the
>>> device to generate a "good" key.
>> 
>> Hi, these are definitely important considerations.
>> I would invite you to read the ANIMA bootstrap keying documents, and
>> possibly join the design team.
>> At this point I believe the bootstrap is out of scope for ACE.
>> 
>> We are considering whether to use OSCOAP for 6tisch though.
>> 
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>> -= IPv6 IoT consulting =-
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Anima mailing list
>> Anima@ietf.org
>> https://www.ietf.org/mailman/listinfo/anima
>> 
> 
> _______________________________________________
> Anima-bootstrap mailing list
> Anima-bootstrap@ietf.org
> https://www.ietf.org/mailman/listinfo/anima-bootstrap