[Anima] My comments about draft-richardson-anima-registrar-considerations-02:

"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Fri, 28 February 2020 06:42 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B42903A1165 for <anima@ietfa.amsl.com>; Thu, 27 Feb 2020 22:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GDlpwJfNYlZI for <anima@ietfa.amsl.com>; Thu, 27 Feb 2020 22:42:16 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071273A1163 for <anima@ietf.org>; Thu, 27 Feb 2020 22:42:16 -0800 (PST)
Received: from lhreml704-cah.china.huawei.com (unknown []) by Forcepoint Email with ESMTP id ACE3F71221F5EB33E5EC for <anima@ietf.org>; Fri, 28 Feb 2020 06:42:14 +0000 (GMT)
Received: from lhreml722-chm.china.huawei.com ( by lhreml704-cah.china.huawei.com ( with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 28 Feb 2020 06:42:13 +0000
Received: from lhreml722-chm.china.huawei.com ( by lhreml722-chm.china.huawei.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 28 Feb 2020 06:42:14 +0000
Received: from DGGEMM404-HUB.china.huawei.com ( by lhreml722-chm.china.huawei.com ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Fri, 28 Feb 2020 06:42:13 +0000
Received: from DGGEMM531-MBS.china.huawei.com ([]) by DGGEMM404-HUB.china.huawei.com ([]) with mapi id 14.03.0439.000; Fri, 28 Feb 2020 14:42:08 +0800
From: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: My comments about draft-richardson-anima-registrar-considerations-02:
Thread-Index: AdXuAghu59oxbKLhQCWlmRxOrngQHQ==
Date: Fri, 28 Feb 2020 06:42:07 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F13EC88B67@DGGEMM531-MBS.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F13EC88B67DGGEMM531MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/5jGWMxXSxtYTOxyVAYgfICv6inY>
Subject: [Anima] My comments about draft-richardson-anima-registrar-considerations-02:
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 06:42:18 -0000

Hi Michael,
This draft is useful for helping guy to get valuable guidance of deploying BRSKI Registrar entity, please see my current comments as below:

Similarily to the other document, let me put your comments into an email.

Again, many boxes were empty, so I don't know if I missed some thoughts.

pg 6:

   with CoAP/EDHOC, then a

   plain CoAP interface is used, and the security (EDHOC and OSCORE)

   lives above CoAP. For CoAP/DTLS (CoAPS) then there is DTLS layer

   below the CoAP layer.


   The first sentence can cover the last sentence.

pg 6:

   The Pledge Inteface does not require a public IP address, nor does it

   have have to run on port 443.


   use its link-local ipv6 address?how about port?

pg 6:

   Outside of the ACP context, running the Pledge interface on an IP

   address that has a FQDN that resolves to that IP address (if only

   internally), and operating it on port 443 may have operational



   this paragraph is confusing, please reword

pg 7:

   if the Registrar will also be providing for

   renewal of certificates using EST, then it SHOULD announce itself

   inside the ACP using GRASP. Unless made impossible due to loading

   concerns, it is RECOMMENDED that all Registrar instances offer

   certificate renewal services in this fashion.


   announce itself as the EST server?

pg 10:

   Incidental keys for internal operations,

   and for the BRSKI-EST server certificate can be done with this single

   intermediate CA.


   ? - I guess the question is, what are "incidental keys"

pg 12:

   The presentation tier

   MUST accept all Client Certificates, many of which might it might not

   have anchors for.


   ? - I guess that more explanation is required.

pg 13:

   In addition to hosting a PKI root, the Registrar needs several other

   key pairs. They are:


   It's not clear about what is the PKI root for? for MASA?

pg 15:

   The certificate used to sign the voucher-request MUST be the same as

   the one that is used for the TLS Server Connection. This implies

   that the signed voucher-request MUST be constructed on the same

   machine that terminates the BRSKI-EST MASA connection.


   NIT: BRSKI-EST MASA connection?


This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!