Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 06 August 2019 14:37 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "anima@ietf.org" <anima@ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI
Thread-Index: AQHVSV2H3NB63QcBKUu8AXFFCSgthabuGrdwgAAbXGA=
Date: Tue, 06 Aug 2019 14:37:41 +0000
Message-ID: <DM6PR11MB33851A9026943624FC5BD478DBD50@DM6PR11MB3385.namprd11.prod.outlook.com>
References: <CAGL6epJRmAvDB4=M6RiQaC93wvy1XDgcbhOmuKUtqmEhBWC72w@mail.gmail.com> <DM6PR11MB3385FD834E826E25160B53AADBD50@DM6PR11MB3385.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB3385FD834E826E25160B53AADBD50@DM6PR11MB3385.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/B1CxKm4PPHfpBDY5PAPH4V1g1hA>
Subject: Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
X-List-Received-Date: Tue, 06 Aug 2019 14:37:53 -0000

FYI, it's up on GitHub now:

https://github.com/upros/brski-cloud


From: Anima <anima-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
Sent: 06 August 2019 14:05
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; anima@ietf.org; iot-onboarding@ietf.org
Subject: Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

Hi guys,

After the meeting and from corridor conversations with Toerless, I had actually already started on such a draft.

What I have started so far is attached. It's not on a public repo yet, but I will put it there. You are already named on it Rifaat, happy to add you too Michael and you can help figure out some of the open redirect options outlined in it ☺

My high level thoughts on this were to keep the ACME specifics out of the draft, and use the draft to define the cloud RA behaviour, and the pledge behaviour when interacting with the cloud RA, and the various cert, CA, TLS, redirect, etc. details. The fact that the RA (whether cloud or local) *may* use ACME to talk to the CA is transparent to the pledge.

I was thinking that the ACME specifics could be covered in a different draft based on merging draft-yusef-acme-3rd-party-device-attestation and draft-friel-acme-integrations, but leave the BRSKI clarifications/specifics in this one.

Thoughts?
Owen
From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: 02 August 2019 19:09
To: anima@ietf.org; iot-onboarding@ietf.org
Subject: [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

All,

During the last IETF meeting in Montreal we had a side meeting to discuss the
deployment automation of ACME issued certificates to devices, and the potential
use of the BRSKI mechanism to help with this. It was clear from the discussion
that BRSKI can be used to help address this use case, and that further discussion is
needed to define the needed enhancements to BRSKI.

The current BRSKI mechanism only briefly discusses the Cloud Registrar option in
section 2.7, which could be used to help address this use case.

Michael Richardson and I had another meeting over lunch yesterday to further
discuss this and we decided to work on a new draft to describe the issue and
define a solution.

Because of vacations and other commitments, we will try to publish the first
version of the draft early October.

Regards,
 Rifaat & Michael