Re: [Anima-bootstrap] section 5.1 -- redirection

"Max Pritikin (pritikin)" <> Mon, 17 October 2016 22:00 UTC

From: "Max Pritikin (pritikin)" <>
To: Michael Richardson <>
Date: Mon, 17 Oct 2016 22:00:19 +0000
Cc: anima-bootstrap <>
Subject: Re: [Anima-bootstrap] section 5.1 -- redirection

> On Oct 17, 2016, at 7:47 AM, Michael Richardson <> wrote:
> Max, I'm doing the minutes, and I'm trying to explain the confusion we had
> over the various objects by connecting to the real text, and I came across this.
> Section 5.1 includes the text:
>   As indicated in EST [RFC7030] the bootstrapping server can redirect
>   the client to an alternate server.  If the New Entity authenticated
>   the Registrar using the well known URI method then the New Entity
>   MUST follow the redirect automatically and authenticate the new
>   Registrar against the redirect URI provided.  If the New Entity had
>   not yet authenticated the Registrar because it was discovered and
>   was not a known-to-be-valid URI then the new Registrar must be
>   authenticated using one of the two autonomic methods described in
>   this document.  Similarly the Registrar MAY respond with an HTTP 202
>   ("the request has been accepted for processing, but the processing
>   has not been completed") as described in EST [RFC7030] section 4.2.3.
> I'm trying to understand how/when the New Entity would authenticate the
> registrar using the well known URI.  Is this for some form of mitigation,
> where the new entity does not (can not) do all of the proxy steps and a human
> helps via craft console?  Or is this part of the rekey state machine?

Including a well known URI as the final discovery attempt allows the client state machine and code base to support a model where it is booted on an unsecured (unknown) network where nothing local responds to discovery attempts. This use case supports any home or small-business style device that might use a cloud management model.

The redirect is an implied case by using HTTP and, for EST, we were asked to indicate what the appropriate behavior would be. Here the same idea applies *plus* note that this allows an inversion of the proxy model for the above use case. The device reaches out to a cloud service first and gets redirected to a local service. 

- max

> --
> Michael Richardson <>, Sandelman Software Works
> -= IPv6 IoT consulting =-
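The two cases the quoted section 5.1 text distinguishes (a Registrar reached through the well-known URI fallback versus one found by local discovery), and how each treats a redirect or a 202, can be written down as a small client-side state machine. The following is an added example, not code from the draft or from either poster; the `Trust`, `Registrar` and `Response` types, the function names and every URL in it are constructed for illustration. The security point it encodes is the one the draft text makes: a redirect from a registrar that was never authenticated carries no trust, so the redirect target still has to pass one of the autonomic methods, while a redirect from a well-known-URI registrar is followed automatically and the new server is checked against the redirect URI itself.

```python
"""Client-side model of the section 5.1 redirect rule (added example).

Assumptions (not from the draft or the thread): the Trust/Registrar/Response
types, the function names and all URLs below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class Trust(Enum):
    # Registrar reached via the preconfigured well-known URI; its TLS identity
    # was checked against that URI, so it is "known-to-be-valid".
    WELL_KNOWN_URI = "well-known-uri"
    # Registrar found by local discovery (e.g. through a proxy); the New Entity
    # has not authenticated it yet.
    DISCOVERED = "discovered"


@dataclass(frozen=True)
class Registrar:
    url: str
    trust: Trust


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header on a 3xx


REDIRECT_CODES = {301, 302, 303, 307, 308}


def discover(local_responders: List[str], well_known_uri: str) -> Registrar:
    """Take the first local discovery result; fall back to the well-known URI
    only when nothing local answered (the unsecured/unknown-network case)."""
    if local_responders:
        return Registrar(local_responders[0], Trust.DISCOVERED)
    return Registrar(well_known_uri, Trust.WELL_KNOWN_URI)


def identity_matches_uri(registrar: Registrar, presented_names: List[str]) -> bool:
    """Authenticate a server 'against the URI': the host in the URI must be one
    of the names the server certificate carries (presented_names stands in for
    the certificate's subject alternative names)."""
    host = urlparse(registrar.url).hostname
    return host is not None and host.lower() in {n.lower() for n in presented_names}


def next_action(current: Registrar, resp: Response) -> Tuple[str, Optional[Registrar]]:
    """Decide what the New Entity does with a bootstrapping-server response."""
    if resp.status == 202:
        # "accepted for processing, not completed": same registrar, retry later
        return ("retry-later", current)
    if resp.status == 200:
        return ("proceed", current)
    if resp.status in REDIRECT_CODES:
        if not resp.location or urlparse(resp.location).scheme != "https":
            # a redirect with no target, or off TLS, is not followed
            return ("abort", None)
        if current.trust is Trust.WELL_KNOWN_URI:
            # Already-authenticated registrar: follow automatically and
            # authenticate the new registrar against the redirect URI itself.
            return ("follow-verify-against-uri",
                    Registrar(resp.location, Trust.WELL_KNOWN_URI))
        # Discovered (unauthenticated) registrar: the redirect confers no trust,
        # so the new registrar must still pass one of the autonomic methods.
        return ("follow-authenticate-autonomically",
                Registrar(resp.location, Trust.DISCOVERED))
    return ("abort", None)


def bootstrap_path(local_responders: List[str], well_known_uri: str, resp: Response) -> str:
    """One round of discovery plus response handling; returns the action name."""
    action, _ = next_action(discover(local_responders, well_known_uri), resp)
    return action


if __name__ == "__main__":
    # Constructed cloud-first scenario: nothing local answers, the cloud service
    # redirects the device to a local registrar (the inverted proxy model).
    cloud = "https://bootstrap.example.com/.well-known/est/"
    local = "https://registrar.example.net/.well-known/est/"
    print(bootstrap_path([], cloud, Response(302, local)))
    # A locally discovered, unauthenticated responder cannot escalate trust
    # simply by redirecting somewhere else.
    print(bootstrap_path(["https://192.0.2.10/.well-known/est/"], cloud, Response(302, local)))
```

Running the module prints `follow-verify-against-uri` for the cloud-first case and `follow-authenticate-autonomically` for the discovered-responder case; `identity_matches_uri` is the check the client applies after following the first kind of redirect, before it trusts the new Registrar.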