IETF Logo Mail Archive

Re: [Anima] about moving /.well-known/est/enrollstatus ??

"Fries, Steffen" <steffen.fries@siemens.com> Thu, 17 September 2020 18:22 UTC

Return-Path: <steffen.fries@siemens.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0DB13A0F12 for <anima@ietfa.amsl.com>; Thu, 17 Sep 2020 11:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMGNTzfefc8w for <anima@ietfa.amsl.com>; Thu, 17 Sep 2020 11:22:02 -0700 (PDT)
Received: from gw-eagle1.siemens.com (gw-eagle1.siemens.com [194.138.20.72]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1394F3A0F02 for <anima@ietf.org>; Thu, 17 Sep 2020 11:22:01 -0700 (PDT)
Received: from mail2.dc4ca.siemens.de (mail2.dc4ca.siemens.de [139.25.224.94]) by gw-eagle1.siemens.com (Postfix) with ESMTPS id 769734F002C; Thu, 17 Sep 2020 20:22:00 +0200 (CEST)
Received: from DEMCHDC8A0A.ad011.siemens.net (demchdc8a0a.ad011.siemens.net [139.25.226.106]) by mail2.dc4ca.siemens.de (Postfix) with ESMTPS id 4C4E415A020A5; Thu, 17 Sep 2020 20:21:56 +0200 (CEST)
Received: from DEMCHDC89XA.ad011.siemens.net (139.25.226.103) by DEMCHDC8A0A.ad011.siemens.net (139.25.226.106) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Thu, 17 Sep 2020 20:21:56 +0200
Received: from DEMCHDC89XA.ad011.siemens.net ([139.25.226.103]) by DEMCHDC89XA.ad011.siemens.net ([139.25.226.103]) with mapi id 15.01.2044.004; Thu, 17 Sep 2020 20:21:56 +0200
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] about moving /.well-known/est/enrollstatus ??
Thread-Index: AQHWjGL9mTk/i8l+eUOJ3EPg4lGhX6ltHd/Q
Content-Class:
Date: Thu, 17 Sep 2020 18:21:56 +0000
Message-ID: <770760586ca24a30a38d5b4820cacfa5@siemens.com>
References: <16833.1600285962@localhost>
In-Reply-To: <16833.1600285962@localhost>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-09-17T18:21:54Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=6afdc2bf-0ade-4a7b-befb-ad11cdf5ef53; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
x-originating-ip: [139.21.146.182]
x-tm-snts-smtp: CC9134F12ACE5E860BBADCF6F3F8CF142DCB2E380D15577192DD6477F4678B002000:8
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/CCpwl0N8nD3FPEkl3a2c-Ngolhg>
Subject: Re: [Anima] about moving /.well-known/est/enrollstatus ??
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 18:22:04 -0000

Hi Michael,

Sorry for the late replay on this. There is probably one fits all answer for this. The reason is that the enrollment protocols are defined different in that respect. 
- EST does not provide it out of the box, this was the reason to have it in BRSKI
- CMP provides a certificate confirmation message (certConf).
- CMC provides a confirmation message with the Confirm Certificate Acceptance Control
- SCEP explicitly mentions the lack of the certificate confirmation message in the security consideration section
- ACME seems to not provide it either. 

Given that it would make sense to move it to /brski to make it independent from EST. 
Contrary, BRSKI-AE that would benefit from the /est to /brski change by making the enrollment protocol choice independent form the voucher exchange builds on authenticated self-contained objects (signature wrapped objects). These are currently supported by EST with fullcmc, CMP, and CMC. SCEP from my understanding does not support enrollment using a certificate from a different issuing CA. It supports reenrollment  using the existing certificate but not initial enrollment as the IDevID would be issued from a different CA. That was at least my understanding by reading section 2.3 of SCEP. 
Based on the assumption that CMP and CMC provide the signature wrapping without limitations and also support certificate confirmation messages, it seems to be only applicable to EST (simpleenroll or fullcmc). That would rather indicate to keep "/.well-known/est/enrollstatus" as is. 

Best regards
Steffen

> -----Original Message-----
> From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Mittwoch, 16. September 2020 21:53
> To: anima@ietf.org
> Subject: [Anima] about moving /.well-known/est/enrollstatus ??
> 
> 
> One of the changes in the diff that I thought I had raised, but got no discussion
> was enrollstatus.
> 
> There are two telemetry status reports that BRSKI added .. "to EST".
> The first is the /.well-known/est/voucher_status. This is a report on whether the
> voucher was acceptable.  This is entirely RFC8366/BRSKI content, and is
> completely independant of the certificate enrollment protocol.  It should change
> to /.well-known/brski/voucher_status.
> 
> The second one, described in section 5.9.4 is about whether or not the
> certificate was enrolled correctly.   This provides feedback about whether or
> not the new certificate was retrieved and installed correctly.
> 
> It says to use the new certificate and report.
> It's not that interesting when there is success.
> 
> It's more interesting when there is a failure of some kind.
> As such, it is unclear to me if this is tied up in EST only, or whether this is really a
> BRSKI thing.
> It's not BRSKI/RFC8366 that failed, it's EST/CMP/SCEP/pixie-dust that failed.
> 
> It seems that moving it to /brski is acceptable, but it might be that it should
> remain in /est.  I am not steeped in the art of CMP or SCEP or ???, so I don't
> know if what we've done for EST will translate well.
> 
> I do not feel strongly either way, but in the diff I left a ?XXX because I didn't
> know.
> I am sorry to bring this up during the IETF last-call: I think that I just need some
> confirmation from CMP experts that we aren't creating something that is
> unimplementable.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
>

v2.23.0 | Report a Bug | By Email