Re: [Anima-bootstrap] AN Group Key

"Max Pritikin (pritikin)" <> Mon, 24 October 2016 17:33 UTC

From: "Max Pritikin (pritikin)" <>
To: Brian E Carpenter <>
Cc: anima-bootstrap <>
Date: Mon, 24 Oct 2016 17:32:43 +0000
Subject: Re: [Anima-bootstrap] AN Group Key
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <>

BRSKI bootstraps a public key identity for the domain. It then rolls into a local certificate distribution but as currently noted in s5.7:

   The prior sections provide functionality for the New Entity to obtain
   a trust anchor representative of the Domain.  The following section
   describes using EST to obtain a locally issued PKI certificate.  The
   New Entity MAY perform alternative enrollment methods or proceed to
   use its IDevID credential indefinitely, but those that leverage the
   discovered Registrar to proceed with certificate enrollment MUST
   implement the following EST choices.

The exact wording here could be adjusted. The point is that once the domain trust anchor is bootstrapped, a mandatory-to-implement, or highly recommended, interoperable approach to identifying the device should be implemented.

One could branch off here into a group key method or could distribute the certs and use them to engage with a group key model. 

- max

> On Oct 22, 2016, at 5:21 PM, Brian E Carpenter <> wrote:
> This is perhaps a bit of a side track, but is there a way to leverage the
> BRSKI registrar to securely distribute a Group Key? If every node in an AN
> domain had the same Group Key, we could make GRASP multicast secure.
> (I never followed the MSEC work, but it looks mighty complex.)
> Regards
>   Brian Carpenter
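The second branch Max mentions, distributing the locally issued certs and then using them to "engage with a group key model", is sketched below as an added example. It is not code from BRSKI, EST, GRASP or the ANIMA working group, and the mechanism is an assumption made for illustration: the registrar, which issued each device's domain certificate, already holds each enrolled device's public key, wraps a fresh 256-bit group key to that key with RSA-OAEP, and every node that unwraps it authenticates its multicast payloads with HMAC-SHA256 under the shared key. Device names, the message layout (counter || payload || tag) and the payload bytes are constructed for the example; GRASP's real message encoding is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device stands in for an AN node that has completed BRSKI and EST: it holds
// a domain-issued key pair. Assumption for this sketch: the registrar already
// knows each enrolled device's public key (it issued the certificate), so the
// certificate itself is not modelled.
type Device struct {
	Name     string
	priv     *rsa.PrivateKey
	groupKey []byte
}

func NewDevice(name string) (*Device, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: k}, nil
}

func (d *Device) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// Registrar holds the current group key for the domain.
type Registrar struct{ groupKey []byte }

func NewRegistrar() (*Registrar, error) {
	gk := make([]byte, 32)
	if _, err := rand.Read(gk); err != nil {
		return nil, err
	}
	return &Registrar{groupKey: gk}, nil
}

// WrapGroupKey encrypts the group key to one enrolled device with RSA-OAEP.
// The OAEP label is the device name, so the blob is bound to the intended
// recipient's identity as well as its key (hypothetical binding for this sketch).
func (r *Registrar) WrapGroupKey(pub *rsa.PublicKey, deviceName string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, r.groupKey, []byte(deviceName))
}

// UnwrapGroupKey recovers the group key with the device's enrolled private key.
func (d *Device) UnwrapGroupKey(blob []byte) error {
	gk, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, blob, []byte(d.Name))
	if err != nil {
		return err
	}
	d.groupKey = gk
	return nil
}

const tagLen = sha256.Size

// Seal authenticates a multicast payload under the group key as
// counter (8 bytes big-endian) || payload || HMAC-SHA256 tag. The counter
// lets a receiver reject replays of an earlier message from the same sender.
func (d *Device) Seal(counter uint64, payload []byte) ([]byte, error) {
	if d.groupKey == nil {
		return nil, errors.New("device has no group key")
	}
	out := make([]byte, 8, 8+len(payload)+tagLen)
	binary.BigEndian.PutUint64(out, counter)
	out = append(out, payload...)
	mac := hmac.New(sha256.New, d.groupKey)
	mac.Write(out)
	return mac.Sum(out), nil // Sum appends the tag to out
}

// Open verifies a sealed message and returns its counter and payload.
// lastSeen is the highest counter already accepted from this sender.
func (d *Device) Open(msg []byte, lastSeen uint64) (uint64, []byte, error) {
	if d.groupKey == nil {
		return 0, nil, errors.New("device has no group key")
	}
	if len(msg) < 8+tagLen {
		return 0, nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, d.groupKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return 0, nil, errors.New("bad tag: not from a group member, or modified")
	}
	ctr := binary.BigEndian.Uint64(body[:8])
	if ctr <= lastSeen {
		return 0, nil, errors.New("replayed message")
	}
	return ctr, body[8:], nil
}

func main() {
	reg, err := NewRegistrar()
	if err != nil {
		panic(err)
	}
	a, _ := NewDevice("node-a")
	b, _ := NewDevice("node-b")
	for _, d := range []*Device{a, b} { // registrar provisions each enrolled node
		blob, _ := reg.WrapGroupKey(d.PublicKey(), d.Name)
		if err := d.UnwrapGroupKey(blob); err != nil {
			panic(err)
		}
	}
	msg, _ := a.Seal(1, []byte("constructed flood payload")) // constructed sample
	ctr, payload, err := b.Open(msg, 0)
	fmt.Println(ctr, string(payload), err)
	_, _, err = b.Open(msg, ctr) // same counter again is rejected as a replay
	fmt.Println("replay:", err)
}
```

Two caveats a practitioner would want before building on this. A shared group key proves only group membership: any node holding it can forge a message as any other node, so the tag says "from some member of the domain", not "from node-a", and the per-sender counter needs an out-of-band sender identity to be meaningful. And because every member holds the same secret, compromise or removal of one node requires the registrar to generate a new group key and re-wrap it to every remaining certificate holder.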