[Anima] FWD: ACME for devices side meeting
Toerless Eckert <tte@cs.fau.de> Wed, 24 July 2019 22:00 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95A61202EC; Wed, 24 Jul 2019 15:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 860uF0aZwDJk; Wed, 24 Jul 2019 15:00:20 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3B23120372; Wed, 24 Jul 2019 15:00:19 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 492FD54800E; Thu, 25 Jul 2019 00:00:15 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 3839A440041; Thu, 25 Jul 2019 00:00:15 +0200 (CEST)
Date: Thu, 25 Jul 2019 00:00:15 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: anima@ietf.org
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>
Message-ID: <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de>
References: <DM6PR11MB3385255D58A133B186AA547EDBC60@DM6PR11MB3385.namprd11.prod.outlook.com> <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/B3rnw1sLO1r9Dxm6-3qx82xTiwM>
Subject: [Anima] FWD: ACME for devices side meeting
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 22:00:22 -0000
Owen sent the following nice notes about the side meeting. Will comment separately. Bcc'ing the original recipients. On Wed, Jul 24, 2019 at 08:26:20PM +0000, Owen Friel (ofriel) wrote: > Minutes from today's meeting. > > General consensus that figuring out how to use ACME for issuance of device/client certs is a good idea > > There are (at least) three related drafts in this space > - draft-yusef-acme-3rd-party-device-attestation > - draft-friel-acme-integrations > - draft-moriarty-acme-client > > draft-moriarty-acme-client > - outlines several use cases for client and device certs > - as Kathleen could not make the meeting, we didn't discuss this in detail > > draft-yusef-acme-3rd-party-device-attestation and subsections of draft-friel-acme-integrations are trying to solve similar problems: > - leverage a cloud service to assist in ownership proofs for devices > - use ACME to issue LDevID certificates to devices > > draft-yusef-acme-3rd-party-device-attestation > - assumes devices have self-signed certs, not certs signed by a manufacturer private CA > - The BRSKI-ACME flow Rifaat presented uses a vendor default BRSKI registrar, and is a reasonable starting point for device's getting certs from ACME > - This flow is not currently documented in Rifaat's draft > - We can probably avoid the need for ACME to understand the vendor's JWT > > draft-friel-acme-integrations > - documents (partially) the BRSKI-ACME flow but uses a local domain registrar, not the vendor default registrar > > draft-ietf-anima-bootstrapping-keyinfra > - underspecifies how the MASA should handle Voucher Requests directly from the Pledge i.e. the Cloud Registrar use case > - Toerless suggests that this clarification could be a small standalone document > > No draft currently sufficiently specifies how the pledge/device should generate a CSR subject/SAN that will keep ACME happy > > The EST/BRSKI sections of draft-friel-acme-integrations, and draft-yusef-acme-3rd-party-device-attestation, probably need to be combined by a new draft > - if the device is going to use a self-signed cert, then how the EST RA validates device identity needs to be specified as this is a change from BRSKI > > The ACME subdomain use case needs to be split out from draft-friel-acme-integrations into a separate small document >
- [Anima] FWD: ACME for devices side meeting Toerless Eckert
- [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME… Toerless Eckert
- [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Brian E Carpenter