Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-40.txt

Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 03 April 2020 19:11 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "anima@ietf.org" <anima@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Date: Fri, 3 Apr 2020 19:11:03 +0000
Message-ID: <AM5P190MB02758EC376F90508572AB99DFDC70@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <158585811816.26641.249532267918234026@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/VliSBTE_qlJ4plsL0KvPHEmsLwU>

Thanks Michael for this update, 

The new text looks good now. I was still wondering about the page 12 requirement in RFC 8366, which amounts to:
    The [domain certificate supplied to the pledge separately by the bootstrapping protocol] MUST have [pinned-domain-cert] somewhere in its chain of certificates.

It looks like the "domain certificate" here is then not meant as (1) the EE certificate that the EST server will hand to the Pledge later on (as I thought), but rather (2) the Registrar's certificate that is supplied to the Pledge in the initial handshake.
If one interprets it like (1) then BRSKI may violate the requirement; if one interprets it to be (2) then all is fine.

A few remaining nits found during reading:

"as an trust anchor" -> as a trust anchor
"how a the MASA"
"impementations" -> implementations
"identifies a Registrar by the "pinned-domain-cert" -> missing full stop (period) at end of sentence.
"described in [I-D.ietf-anima-autonomic-control-plane]" -> missing full stop (period) at end of sentence.

Best regards
Esko
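
As an added example (not code from the draft, from any BRSKI implementation, or from anyone on this thread), here is how a pledge can apply that RFC 8366 requirement under interpretation (2): the only trust anchor is the voucher's pinned-domain-cert, and the Registrar's TLS certificate must verify against it, with any extra certificates the Registrar presented offered as intermediates. It uses Go's standard crypto/x509 package; the CA names, the "registrar.example" certificate and the scenarios are all constructed inside the block for illustration and are assumptions, not values from the draft.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the draft or from any BRSKI implementation:
// the pledge-side check behind the RFC 8366 requirement that the Registrar's
// certificate MUST have the voucher's pinned-domain-cert somewhere in its chain.

var serial int64 // monotonically increasing serial for the constructed test PKI

// makeCert issues a constructed test certificate for cn. With parent == nil it
// is self-signed; otherwise it is signed by parent using parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyRegistrarChain returns nil only if chain[0] (the Registrar's TLS
// certificate) has pinned somewhere in its chain. Nothing else is trusted:
// a chain ending at any other CA, however well-formed, is rejected.
func VerifyRegistrarChain(pinned *x509.Certificate, chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("registrar presented no certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios builds a constructed domain PKI plus an unrelated CA and reports,
// per case, whether the pledge check accepts the chain the Registrar sent.
func Scenarios() map[string]bool {
	domainCA, domainKey := makeCert("Domain CA", true, nil, nil)
	subCA, subKey := makeCert("Domain Registrar CA", true, domainCA, domainKey)
	registrar, _ := makeCert("registrar.example", false, subCA, subKey)
	otherCA, otherKey := makeCert("Some Other CA", true, nil, nil)
	impostor, _ := makeCert("registrar.example", false, otherCA, otherKey)

	accepted := func(pinned *x509.Certificate, chain ...*x509.Certificate) bool {
		return VerifyRegistrarChain(pinned, chain) == nil
	}
	return map[string]bool{
		// voucher pins the domain root; Registrar sends leaf plus intermediate
		"pin root, full chain": accepted(domainCA, registrar, subCA),
		// same pin, but the Registrar omits the intermediate: the chain cannot be built
		"pin root, missing intermediate": accepted(domainCA, registrar),
		// voucher pins the intermediate CA directly (any cert in the chain may be pinned)
		"pin intermediate": accepted(subCA, registrar),
		// voucher pins the Registrar's own certificate
		"pin registrar cert itself": accepted(registrar, registrar),
		// a certificate under an unrelated CA, even with the same name, is rejected
		"unrelated CA": accepted(domainCA, impostor, otherCA),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

The "missing intermediate" case is the operational one to watch: when the voucher pins the domain root but the Registrar only sends its leaf, the pledge has no way to build the chain and must reject, so a Registrar deployment has to present every intermediate between its certificate and whatever the MASA pins in the voucher.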

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Thursday, April 2, 2020 22:09
To: i-d-announce@ietf.org
Cc: anima@ietf.org
Subject: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-40.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Autonomic Networking Integrated Model and Approach WG of the IETF.

        Title           : Bootstrapping Remote Secure Key Infrastructures (BRSKI)
        Authors         : Max Pritikin
                          Michael C. Richardson
                          Toerless Eckert
                          Michael H. Behringer
                          Kent Watsen
        Filename        : draft-ietf-anima-bootstrapping-keyinfra-40.txt
        Pages           : 122
        Date            : 2020-04-02

Abstract:
   This document specifies automated bootstrapping of an Autonomic
   Control Plane.  To do this a Secure Key Infrastructure is
   bootstrapped.  This is done using manufacturer-installed X.509
   certificates, in combination with a manufacturer's authorizing
   service, both online and offline.  We call this process the
   Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol.
   Bootstrapping a new device can occur using a routable address and a
   cloud service, or using only link-local connectivity, or on limited/
   disconnected networks.  Support for deployment models with less
   stringent security requirements is included.  Bootstrapping is
   complete when the cryptographic identity of the new key
   infrastructure is successfully deployed to the device.  The
   established secure connection can be used to deploy a locally issued
   certificate to the device as well.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-40
https://datatracker.ietf.org/doc/html/draft-ietf-anima-bootstrapping-keyinfra-40

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-bootstrapping-keyinfra-40


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima