Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-40.txt
Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 03 April 2020 19:11 UTC
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "anima@ietf.org" <anima@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Date: Fri, 03 Apr 2020 19:11:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/VliSBTE_qlJ4plsL0KvPHEmsLwU>
Thanks Michael for this update. The new text looks good now.

I was still wondering about the pg 12 requirement in RFC 8366; which amounts to:

    The [domain certificate supplied to the pledge separately by the
    bootstrapping protocol] MUST have [pinned-domain-cert] somewhere in
    its chain of certificates.

It looks like the "domain certificate" here is then not meant as (1) the EE certificate that the EST server will hand to the Pledge later on (as I thought), but rather (2) the Registrar's certificate that is supplied to the Pledge in the initial handshake. If one interprets it like (1) then BRSKI may violate the requirement; if one interprets it to be (2) then all is fine.

A few remaining nits found during reading:

- "as an trust anchor" -> as a trust anchor
- "how a the MASA"
- "impementations" -> implementations
- "identifies a Registrar by the "pinned-domain-cert" -> missing full stop (period) at end of sentence.
- "described in [I-D.ietf-anima-autonomic-control-plane]" -> missing full stop (period) at end of sentence.

Best regards
Esko

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Thursday, April 2, 2020 22:09
To: i-d-announce@ietf.org
Cc: anima@ietf.org
Subject: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-40.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Autonomic Networking Integrated Model and Approach WG of the IETF.

        Title           : Bootstrapping Remote Secure Key Infrastructures (BRSKI)
        Authors         : Max Pritikin
                          Michael C. Richardson
                          Toerless Eckert
                          Michael H. Behringer
                          Kent Watsen
        Filename        : draft-ietf-anima-bootstrapping-keyinfra-40.txt
        Pages           : 122
        Date            : 2020-04-02

Abstract:
   This document specifies automated bootstrapping of an Autonomic Control Plane. To do this a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur using a routable address and a cloud service, or using only link-local connectivity, or on limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-40
https://datatracker.ietf.org/doc/html/draft-ietf-anima-bootstrapping-keyinfra-40

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-bootstrapping-keyinfra-40

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
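The RFC 8366 rule discussed in the message above ("MUST have pinned-domain-cert somewhere in its chain") is the check a pledge applies to the certificate chain the Registrar presents in the TLS handshake (interpretation (2)). Below is an added illustration of that check, written here for this page and not code from the draft or any BRSKI implementation; it uses only the Go standard library, and MakeCert builds a constructed throwaway PKI (domain CA, intermediate, registrar leaf) so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed demo PKI; serials only need to be unique

// MakeCert issues a test certificate; parent == nil gives a self-signed CA.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PinnedDomainCertAccepted applies the RFC 8366 rule: the voucher's pinned-domain-cert
// must occur (byte-identical DER) somewhere in the presented chain, and the chain must
// validate with that pin as the only trust anchor. chain[0] is the end-entity cert.
func PinnedDomainCertAccepted(pinned *x509.Certificate, chain []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinned)
	present := false
	for _, c := range chain {
		present = present || bytes.Equal(c.Raw, pinned.Raw)
		inter.AddCert(c) // the leaf is never selected as an issuer, so adding it is harmless
	}
	if !present { // pin absent from the chain: reject before any path building
		return false
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Pinning either the domain CA or the intermediate is accepted ("somewhere in its chain"), while a chain that omits the pinned certificate is rejected even if it would otherwise validate.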