Re: [Anima] changes in draft-ietf-anima-constrained-voucher-10.txt

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 02 March 2021 16:54 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19EC3A003F for <anima@ietfa.amsl.com>; Tue, 2 Mar 2021 08:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K83VJJwVw-tU for <anima@ietfa.amsl.com>; Tue, 2 Mar 2021 08:54:12 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2137.outbound.protection.outlook.com [40.107.20.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 929303A003D for <anima@ietf.org>; Tue, 2 Mar 2021 08:54:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J9zF4Bym5ItVmYRlHMUWbnMmflCEkjsm3AplMDeeAXmm9hSoRk6P14aFDv0wItmZXX4vChmyyzB5L1kA3f+CjcPXSYdqCYW5opijvzoIjTMjmOsZv3z9Q7k2rbyCmrZ3iOk/Ox4gE0PWGnmYUMH0NBuGirdgAd8mty9WEHOBjF0yCillpQqtUGZirSc+OlnftIipD8Gg+BQASGPxf0WTA15Q//My2AKMCBqCbzB4HWp2hw/w6gd3smntTDgOSEdKx/vqZYrCplSPE1abaddBYWTOPe1gD3pClpQ2gn3r5YrrMQN50UQHsoTk/lqwB6hyd6h1s3jVI8GH3hGJo6OdhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dd15f5rfSApYmjndtRSA+yboECHax3QUozBApf64Oi4=; b=bDrLg1UalHZXhEm8qkJFI3mLm6MISplZHTjhzkW+OMWN3vkvbUPl9sNtp9FKW6UOrnU8sHG9wsJ87WL/qPgu9TQ6KpEIFAvvWBL3xlGs7GlsjhKqePcvnvRvrCLBmNkP/ViGjhl3etXTjfLhIF18TnAlR43lWiOlXQVVsyUsB4HioaisoryC2r8x/+nU8cx/faVe77E9uvHWYpBvAALbylHkkSWEoy4H/Geg3Uv+rPD17kMw/vY0Q0bG1GnJBd+Ca4Ivms+Qk4z5ppu5kFtoiCwsBSCm3X+82iFsrLHadP1rFFrYxXFvKLohGqeKHDXFUq+EY/dFZaoOnxJRk0iHCQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dd15f5rfSApYmjndtRSA+yboECHax3QUozBApf64Oi4=; b=SFC8bxkwGOutTAOiihIjVheDLnIySfoa8JjlGFYpQW+9Xn20qhJEl4c4aYKzJ5zjF6YlTx/QwIk6t657qzWr8tb33991lYE9s2XOxXKuCIJtw0DoRK5yEuna1luhkxMo6qSEIe/AFQePv6ldIyTws+BQEBhgzUZlSSimU3wWktU=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM4P190MB0148.EURP190.PROD.OUTLOOK.COM (2603:10a6:200:63::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.22; Tue, 2 Mar 2021 16:54:08 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::6415:492c:7afa:f296]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::6415:492c:7afa:f296%5]) with mapi id 15.20.3890.028; Tue, 2 Mar 2021 16:54:08 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] changes in draft-ietf-anima-constrained-voucher-10.txt
Thread-Index: AQHXCJDopkcqLBAT00yNhJ3g9k6GNapw9dFQ
Date: Tue, 2 Mar 2021 16:54:08 +0000
Message-ID: <AM8P190MB0979AE6FB94F74ECB9ADC30AFD999@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <161393586348.14779.1562082460077183942@ietfa.amsl.com> <29120.1613939627@localhost>
In-Reply-To: <29120.1613939627@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [2001:1c02:3103:f500:5518:a31c:a5b6:8990]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a4b6a11b-651e-4c03-4c28-08d8dd9bcc29
x-ms-traffictypediagnostic: AM4P190MB0148:
x-ms-exchange-minimumurldomainage: github.com#4893
x-microsoft-antispam-prvs: <AM4P190MB01481FA03A3B09702DA67341FD999@AM4P190MB0148.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: f5KDzNF4alinD6yFQRh2ay1PwlEx09tz6h95FAFgGfAFhCb74JsGP77kN+Sx1ui1cEafygyem0JqcHtBQyL8J4gMLCvXHNaFUNF2Jcz6u5H+t3MiORxFB/SaX4JeIyzi9uwop5Q05qOI74k6fZ+NawpTb+f9YxDmzUgY2fGWvFmMZ4TWYwBWVrJKxtbL6NX9S55vKS8pNJ/qXu0UMi12h7qrpCjiPin380R5Oqx1lDrDpxW7S1MfOYNC+ti2d082PReU4Z6mwTjXMH7zdX9ZiuZdqR15JyiaNj4DnX/93xiKhvjF2qd0HCbfAN3Yiv7FJ5GTiaZ2nK37oItLYTeM2YlfjSouw/6kwtO+qRvTDbNOaaqK35n0z+qyAzqjBN8+UJQW6wktVA8jWqehZr7cjYETdXkOvT2zJJ7iY0cy2rtfSl4gwaqqGxhMXV1xSk5L4glGIBj/eQPUJU6LcbG05XRKYVhof2tG8jWOftlD7doYAiMmxHHVD7oAJt2lSVCRl6SMTdsGzsKTWWa1x2oHpTKkNvUjaxOeZSWoH0wHLehZXtsTeVRysI8gyiTvk77Dztt1C2s3iDp79KhK3gZuQVo9UAUXZbqmg1lJU1bxcEM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(376002)(39830400003)(396003)(366004)(136003)(8676002)(86362001)(33656002)(6506007)(186003)(9686003)(2906002)(7696005)(110136005)(53546011)(316002)(55016002)(52536014)(8936002)(5660300002)(71200400001)(66574015)(66556008)(66476007)(44832011)(478600001)(76116006)(966005)(83380400001)(66446008)(64756008)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?YVc0SkMybHVDME1CcjlCOTQxMzZEbWpqY0hyU3lVSUp0MXJxVUNtTnk1U0dr?= =?utf-8?B?K3JOL0h5Q08zUjNDRkJhRVpXNURvQUlXLzNyTzd5UDY3OWY2VXJSQXJrcnJX?= =?utf-8?B?MEpEREIwOTU5cWpObzhoaDkxaGp1dUdVOXBGKzlzdU84c0VhMWJJSHJSM0l6?= =?utf-8?B?UDJWR2J4YURRQmFRTnN6UDNhQ1dmbG9Eb1Q4Vmt5NndMcFhOckpUM29Ia09m?= =?utf-8?B?N0FReUFvTXpteXVYbFBQbXk1R2k1OHdnVnEvUjdCbHZtbG9iSHVhaWxLci9H?= =?utf-8?B?NjNFRFdmcmM4ZTF5VWt2QjNNMU1GNFZVKy9KNVhuODN4VUlKa0w2S2FDc0lP?= =?utf-8?B?NGNxRVVXdTM2OTI4YnVLUmtIWjg1eTJVd1JSa0ZkbU5qOVk2N09lKzdGT0Zu?= =?utf-8?B?dlgwbTVHcldnOG9zS2JFRFk0TS9kOEllcEY2UHJyMDhsUUpqWitHNHZwMEsz?= =?utf-8?B?ODFsUXFxTHZ6azdDcEY5R3gxYkpCRTM2dXRXN3ljQ09talQxZmNjVlN6K0tk?= =?utf-8?B?NWxUM3lwVTd5d05wSmNxV28rRXJ4RjEycjhkSHAzU20vWkpOR2lBVzZrRExL?= =?utf-8?B?dUZzeFJPb0Y2Z3lnUlljTk4zcEl5S0VaQ0ZsK1FpdFM3SHFlc1Z1RkJqamxJ?= =?utf-8?B?TUtXVHRZUHowbm5UNVovRzBua0RLU0RIZjJjTHZrand0TlI0Z2pseEhrVFJK?= =?utf-8?B?VnAzQkVueEp5NGh4SVBNVzRtRVdRbGxpMWdSM0xuTTNtMWdZN29SSW1Cc09O?= =?utf-8?B?WHRXeldIM2YvM3h3UXpDZEtQaVJrcnZ2YnRWRVVTNUhZbGhnVzdyWWViOFlQ?= =?utf-8?B?bDk1Z3NIOVM3QU10MklVUS9oWDhiSjVkY0MrbldEdS9zcUNCSmc1QTBEL1Uz?= =?utf-8?B?Q2NMelkrZlNBd1NaaEhHWm44OHZWVkJVMzZOcmplakV2NUpSY3hIZ1lVS2ZC?= =?utf-8?B?NFkwTW5mdEZPcUtpNFVKNUlPZnJnb1hkbW1mNzlkdG4zeUdzRDNCcDVUQXZX?= =?utf-8?B?dHV2U3pTenlaMXBudUNMSFpCd0J6Umd6clFxRytqK3BITU9NWFR6TlFQVlAy?= =?utf-8?B?YklTUEc4Vit2dTVrblA4ME9IM2IweE91Q2ZKdUI4Wit4cWh5ZFNhcEpBTjlN?= =?utf-8?B?aUIwODZFYVcxbmpDY2JRZ3l2enoyT091WkhRUHh2MnRTaDY3M09NV3JqakIv?= =?utf-8?B?UEFkNFQ3YXZVVCtVOTVLUjFHN0pmanhZc3JkZW84cExCVXF1WHBxamx4aFNE?= =?utf-8?B?UUxNRkZaY2VEa3Y4Y3lwNGpPeEFzRFU3K0dkRzgzM2ZWUTR2MEI2YUhYOGRt?= =?utf-8?B?OHQ5SlRPTEpULzEvTTduZ2Fpd2gyNXRaMWpKUytla0NIeE52UnFtTGdXV2NM?= =?utf-8?B?RWFuRGRHSElCSnhDNkI5V1FSeVVKck5OZDl2NTZBSlRaaU03bXlldVJGMnBO?= =?utf-8?B?M3lLMEhwdmlaTEFqRHVpZjAwSDBjVFl4N1BoZS9SeWNINWlGMUdzK0daMVRm?= =?utf-8?B?b0psdzdhSXZxNno1T0lqQ04yMUh6SUdpZjFpaGU3Y1g2dGU5TlJwSHNnNzdD?= =?utf-8?B?Uk1venNTdTkyUUxrc2themhtSDloNHVoTmpwMjRYMnpibTA4OUVBdVJRTkN5?= =?utf-8?B?dGtHTzB5YURRVTl1TEpsTVc3blFJNUc0ZC9GUWVSVm9TUmFnY2ZmZ1JYVVJU?= =?utf-8?B?SlBjRjErUjQ2NkwzbFhtRWRqWGJWMDExbjNocllDeVUwTVdJK3FVQjczemU3?= =?utf-8?B?WGgrUlZwUEFYa2FWYU5qTTZTYWNOTXFSaWFnMGZwV3dJZm9YQXNYTlQyOTlY?= =?utf-8?B?UkxmbVF0bWV1eEVaUytEdityMFBQbEloam96bFQ2c1dEb3lkZ1Y5YS9uQ3NH?= =?utf-8?Q?EAaUMep1EUDLv?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a4b6a11b-651e-4c03-4c28-08d8dd9bcc29
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2021 16:54:08.6110 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: W66uC5yJC4ztIJz4M8gkNIqrxaEvTGghMMi3Gr25W631rC4pM7FIy8efHDcF/Va52UD4z6Cbz6zPGS0ZVQDlwXxPfSBntMgg2cqnjlH3weg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4P190MB0148
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/EqCnt7FnMR_3nbJHVFlUlOvVo54>
Subject: Re: [Anima] changes in draft-ietf-anima-constrained-voucher-10.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 16:54:15 -0000

Here some minor additional comments!

> 2. .............
>   We changed /crts from returning application/pkcs7-mime;smime-type=certs-only
>   to returning application/pkix-cert (for which we need a CoAP type code).

In fact a Registrar has to support at least the application/pkcs7-mime;smime-type=certs-only ; per draft-ietf-ace-coap-est-18. The type application/pkix-cert is OPTIONAL per draft-ietf-ace-coap-est-18. What we do in constrained-voucher-10 is clarify what is returned in case the client requests the application/pkix-cert type. In CoAP, the Accept Option can be used to request one of the two types.  So for this to work for constrained devices the Registrar MUST support both types; which is a possible update of draft-ietf-ace-coap-est-18 requirements that we can make in constrained-voucher-10. The CoAP Content-Format code (287) is already allocated in https://tools.ietf.org/html/draft-ietf-ace-coap-est-18#section-9.1 .

> 4. while we obligate the Registrar to support discovery via GET /.well-known/core?rt=brski*
>    we do not obligate the pledge to use that, and mandate that the /.well-known/brski/xx
>    targets are already supported by the Registrar.

In a next version of the draft we could somewhere include an explicit example of this path "/.well-known/brski/rv" being used for a Voucher Request. Since no such example was yet given in the draft.
Note that the current text still may have some inconsistencies, where one section talks about "/.well-known/est" where another specifies "/.well-known/brski".

Best regards
Esko

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Sunday, February 21, 2021 21:34
To: anima@ietf.org
Subject: [Anima] changes in draft-ietf-anima-constrained-voucher-10.txt


1. We have added Esko Dijk as an author.  Esko has been instrumental in
   getting this document focused and moving forward.  Thank you!

2. We reduced the number of mandatory exchanges, trying to optimize for
   common cases of small PKIs with common usage patterns.
   This makes the /crts optional in many cases.
   We changed /crts from returning application/pkcs7-mime;smime-type=certs-only
   to returning application/pkix-cert (for which we need a CoAP type code).

3. we removed the CoAP version of requestauditlog, as that is part of the
   BRSKI-MASA, (northbound) communication, which is always HTTPS, and is
   always non-constrained.

4. while we obligate the Registrar to support discovery via GET /.well-known/core?rt=brski*
   we do not obligate the pledge to use that, and mandate that the /.well-known/brski/xx
   targets are already supported by the Registrar.

5. We clarify how the desired pining by the MASA is to be signaled, and how
   it is to work for pinning of RPK.

6. We have excised all text relating to CMS signed CBOR.
   That involved returning the early allocation of CT=1.2.840.113549.1.9.16.1.46.

If you have not read the document recently, now would be a good time.
We have 17 open issues at https://github.com/anima-wg/constrained-voucher/issues
and we expect to close them in the next ~6 weeks.

I see in reviewing the diff that there is a mistake in figure 1, with the use
of "Int"ermediate CA. We have concluded on using the term "Sub"ordinate CA.
Figure 2 gets that right.

internet-drafts@ietf.org wrote:
    >         Title : Constrained Voucher Artifacts for Bootstrapping
    > Protocols Authors : Michael Richardson Peter van der Stok Panos
    > Kampanakis Esko Dijk Filename :
    > draft-ietf-anima-constrained-voucher-10.txt Pages : 50 Date :

    > Abstract: This document defines a protocol to securely assign a Pledge
    > to an owner and to enroll it into the owner's network.  The protocol
    > uses an artifact that is signed by the Pledge's manufacturer.  This
    > artifact is known as a "voucher".

...

    > A diff from the previous version is available at:
    > https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-constrained-voucher-10


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide