Re: [Anima] FW: New Version Notification for draft-friel-acme-integrations-01.txt

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 05 July 2019 10:09 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
CC: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Fri, 05 Jul 2019 10:09:51 +0000
Message-ID: <SN6PR11MB33893A66AA7AA2E0E68C49E5DBF50@SN6PR11MB3389.namprd11.prod.outlook.com>
References: <156209339375.23780.16389385862360970000.idtracker@ietfa.amsl.com> <DM6PR11MB3385A59B984127385DE49720DBF80@DM6PR11MB3385.namprd11.prod.outlook.com> <7216.1562192902@localhost>
In-Reply-To: <7216.1562192902@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/4lQTzNBh2zrHUSZdM4Ld73zE5HU>


-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: 03 July 2019 23:28
To: anima@ietf.org; Owen Friel (ofriel) <ofriel@cisco.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Subject: Re: [Anima] FW: New Version Notification for draft-friel-acme-integrations-01.txt


Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > This early draft
    > https://datatracker.ietf.org/doc/draft-friel-acme-integrations/ covers
    > how BRSKI could potentially be integrated with an ACME CA for cert
    > issuance.

I read it.
While it is certainly true that a BRSKI RA can use ACME to speak to a CA, I'm not actually sure what it means from a standards point of view.
[ofriel] Yes, this could maybe be Informational rather than std track. As currently written, there are no changes required to BRSKI, EST or ACME drafts, so it really is informational on how to stitch these things together. One of the interesting things is the possible use of ACME for subdomain certs, which the flows for EST, BRSKI and TEAP illustrate, as this is a nice signalling optimisation for scaling to a large number of clients.

My code base does not connect the RA to LetsEncrypt, but rather uses LetsEncrypt to produce IDevIDs from a provisioning process.

I think that you have a problem in STEP 2 (section 3), and STEP 3 (section 4), STEP 3 (section 5).

In each place where you post a CSR, you omit the part where you get the CSRattributes.  At some point the pledge needs to learn about what the delegated domain is ("domain.com").
[ofriel] Sure, it doesn't include all the BRSKI bits. It's also left as a todo exactly how the client should determine its domain for inclusion in the CSR if it only has its IDevID to start with.

In section 4, the figure (which needs to be numbered, btw) is labelled a Pledge, but since there is no BRSKI, it should say "Client".
[ofriel] For sure, loads of minor nits in -01.


    > Related work is
    > https://datatracker.ietf.org/doc/draft-yusef-acme-3rd-party-device-attestation/,
    > which covers how ACME could be used to issue device certs, but does not
    > use BRSKI. We are currently discussing offline with Rifaat how we could
    > potentially integrate both approaches.

I'll read this.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-