Re: [Anima] Feedback on constrained-voucher example certificates (in Github / -09 )

Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 20 November 2020 08:52 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404FC3A1B01 for <anima@ietfa.amsl.com>; Fri, 20 Nov 2020 00:52:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKz1QE_x5Vo1 for <anima@ietfa.amsl.com>; Fri, 20 Nov 2020 00:52:22 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60106.outbound.protection.outlook.com [40.107.6.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 788BF3A1AE3 for <anima@ietf.org>; Fri, 20 Nov 2020 00:52:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RC8qlnOGv1OLl89pLlaUxsAiZnEJcCNCcrXv7PYFPgN2Wxang5HV/gF6LWPhTwusOETGAbujvgocks8zBfbDUL1WAYLNaWXr2BMqs5AMJl9O5LxL4gMEhpX9W+BpeD1EYJ+Ia52+gHaBkyz4NPJTcdT8On1HXCn5niKU6gBeS/WAjkIt2EaIpmvCbyygqKnR+U1eyEytuprFJPRNLHU8NOEa3gR5LKgK2kNwhO0Q9f/VB7TnWG1NeEkzKS81+GwKt1IoB98LySoIQ0dz4HyjRmRk+CW8ie140yT9hQT9fhxMFaUp5xfDWuUtvv4QH6dLW+Lo8XcwADsTFSsUQ4kR7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v43YdbqhQlBgRfFqvHgxDnmtfgB9nB4LUamdqJquzfI=; b=gDppgkZjSNaRiIvRH64o4YbSE0hdseiUHH1BwZIV8F8KZKSnd2K0AokWagxWIREYIwmX22WjPvBHli69hNL6s/25nlPeGKSXYAn5pWOpAOzd49bYXK6Wu/UIDJ7onx8wWzSn5YBr5cBLxRJXDuuAK+P1wWr2RGcpEA96ZijLtnQID2za0M7aviFLlA5X9cZdNXUdo/nEJPOVhoDuNnEWCrhuSVpQXGhKUjMwCxrkXdem1G1EVTbjnXNjQr9tYCNWVMsAMv2FrEJ97JEA/kqq71S9WZxkARjylGo9fU2GF0fUgNcOwHqJYS7+/gLYTDzzUFvbIdbz8QIJT30KLVe56g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v43YdbqhQlBgRfFqvHgxDnmtfgB9nB4LUamdqJquzfI=; b=o7e4Jp01ilHKznicBYZvpcMVAq6OgAEs1BQ3yj2QL4zNQSZ2TL7jVG+gmM+W0aVdeirf58h3tpmYC5jxM6ZixCooQLZ8RJdOHvYEhvYIAHv4EdQw2dGdUuIdmW6/IGH/G838LsB200gqh7NzMLFtxzOJ1VLIFx4JTb5fhyLzzzE=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM4P190MB0004.EURP190.PROD.OUTLOOK.COM (2603:10a6:200:65::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3564.25; Fri, 20 Nov 2020 08:52:17 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa%5]) with mapi id 15.20.3589.021; Fri, 20 Nov 2020 08:52:17 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "consultancy@vanderstok.org" <consultancy@vanderstok.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Panos Kampanakis (pkampana" <pkampana@cisco.com>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] Feedback on constrained-voucher example certificates (in Github / -09 )
Thread-Index: Ada8yTuRMneYZouPQ2WsDETw+5FtUQA74sQwAFfBd4AAAIQPIA==
Date: Fri, 20 Nov 2020 08:52:17 +0000
Message-ID: <AM8P190MB097993175019AF03EEEA4D8EFDFF0@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <AM8P190MB0979397BCEE4561869E4CD5DFDE20@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM> <AM8P190MB0979B33C6FA2A3A1AECF4B8DFDE10@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM> <db64d1baa8589d2a11c8396d21b5626f@bbhmail.nl>
In-Reply-To: <db64d1baa8589d2a11c8396d21b5626f@bbhmail.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: vanderstok.org; dkim=none (message not signed) header.d=none;vanderstok.org; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [2001:1c02:3103:f000:1d8c:6f5a:b02f:55b0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 61531016-868b-4205-c573-08d88d319577
x-ms-traffictypediagnostic: AM4P190MB0004:
x-microsoft-antispam-prvs: <AM4P190MB00048D267728675EB7E6D7BFFDFF0@AM4P190MB0004.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Gb8XKvhzmZ0QloSIydvpl8cslrM+m1DUX6Pu2pLyD32BJK4w6lr06xa9MFKAFTn6wOgrd+muSJOleyGCxdgZxq3F8mivRzW9LX94r1PLLDoU2BcC7sUnBrIgBpOmHFtBgu5Iranh5SSW3NwnOpMghEt44L8DYJBpOWmMfqd8KJIohyZgwLW5/88A2kyHgbrAzAlN7UtkwKmW645DcDsS7cMItp5ngnamnoxMiZdSY42H76jbEThLOjwT/aYd6JHbBFXjmCsnjpSnaUVVVDA0FFXXHgQlxv1IE2YNe782xYOx1eBxnxsOZHsog5VA1nTTCPyWAiwWWeMUY1raS4cVNAPQ8Z+kthKrQMtiOM3dOo+nlMGICxDaTz62g1wlxUxwY9ggUif1Y8Gb3pyxhAghOQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(396003)(39830400003)(366004)(376002)(136003)(346002)(6506007)(66446008)(76116006)(71200400001)(33656002)(966005)(478600001)(44832011)(66476007)(64756008)(2906002)(54906003)(4326008)(66946007)(9686003)(66556008)(316002)(53546011)(186003)(55016002)(5660300002)(7696005)(166002)(52536014)(83380400001)(21615005)(8676002)(4001150100001)(86362001)(6916009)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: MHOxDUYbDnGqFT4Fi1tJ43JySX8XVarr0HZPG2nOa9KDYU2nOBRmwD+1oCQ+uG3eZqQKzKXFBaehyw8M5XoLnFlVt3uFVPCBjnfgnIcn/7sDDUVXLh2WAhS7mIqMfR2x3EFlx1/XDD5+Wj8e6NLUHvkEHo0Q2fi0cilqsXvab3QC+XwYc24HR4EOT04czMPNpDDiF6Xz0y8DWTxO6R/O2D7QlBD2EdvrW3QCYH+aSgB/4VecbomEVlzvkgIi9V3oFC2oqkU3MIFL8W88a8iKdgWaXHVXrsJhKRKeC6haAVYFHVKne1z4fOIcNXLhmAHsbgN8slyTcvkgmjXAvPBRIFX7OYN6ZycoKrvRauPBAWQFFUAFObkKL4g8j6Cuk3VGkRCSmQUE8ExFLF2jU9T/bCwST2LoRref6YiqMDOz05TNKu4p4SuHVXWahBQLh+G86Dx9yzBjHhhg/DTnUWqz2MqngbK9tQhg+qzYM/5v8ydQVHGJXikUm/TM/+tpnyH6qBq/0+zytJaeZgZyaovWBnvWhfS69dKqzeHqc7WwmOKLipgyk4LR812QCiZ9BjeeMEKAR9IzIELNeQiAiDofQTdlD6dljsdqXCRR4G+6irHnmZIpjplQYe7mm60h5j5Puh9PC3wtxgUxfeYQoquyybekwbFl+xmLgIPcV9ZP8VvzcrZDTw+qasR06ZKaRIxoudmxAg2YMCNxfApqGiTi5Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM8P190MB097993175019AF03EEEA4D8EFDFF0AM8P190MB0979EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 61531016-868b-4205-c573-08d88d319577
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2020 08:52:17.2278 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kKG5gq37kaD2/giSTMCeE904vaX/9kkW/JIy9g8QR9VdtZGT3j38UAwnsfhu6WbIWwexw/p8D+LZWMAzepaviqXGfe72PZHZNkJZPwAkGb4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4P190MB0004
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/0J0PoA_0zIdZ3x5FPjOJlxbVVb4>
Subject: Re: [Anima] Feedback on constrained-voucher example certificates (in Github / -09 )
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 08:52:32 -0000

Thanks Peter,

FYI I use the following x509v3 extensions file in OpenSSL to set the ‘RA’ flag in EKU:

authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.28, serverAuth, clientAuth

# see https://tools.ietf.org/html/rfc6402#section-2.10
# see https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
# see http://oidref.com/1.3.6.1.5.5.7.3.28


Esko

From: Peter van der Stok <stokcons@bbhmail.nl>
Sent: Friday, November 20, 2020 09:33
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: consultancy@vanderstok.org; Michael Richardson <mcr+ietf@sandelman.ca>ca>; Panos Kampanakis (pkampana <pkampana@cisco.com>om>; anima@ietf.org
Subject: Re: [Anima] Feedback on constrained-voucher example certificates (in Github / -09 )

Hi Esko,

Many thanks. Just what I need for comfort.

I did change my openssl config files as you suggested. The EKU has been added for the masa and the registrar.
But its value.......? it is now TLS web server

The life time of the masa certificate is 1000 days; that will do in my opinion for an example.
The life time of the registrar is unchanged 1 year.

Attributes of pledge certificate have been removed.

Concerning .txt or .hex extensions; I will leave them as they are for the moment.

In a few days I will put them in the github. But that necessitates also some editing of the openssl output to conform to 72 character limits.

Cheerio,

peter


Esko Dijk schreef op 2020-11-18 15:50:


PS one more remark on the Registrar certificate:  per BRSKI, the Registrar must have the id-kp-cmcRA extension in its certificate to make it a Registration Authority (RA). As defined in https://tools.ietf.org/html/rfc6402#section-2.10.

I did not see this in the certificate.  In principle, the Pledge could reject the Registrar as not-valid EST server for this reason (per RFC 7030) and the MASA will reject the Registrar (per BRSKI).



Esko



From: Esko Dijk
Sent: Tuesday, November 17, 2020 11:12
To: 'peter van der Stok' <stokcons@xs4all.nl<mailto:stokcons@xs4all.nl>>; Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>>; Panos Kampanakis (pkampana <pkampana@cisco.com<mailto:pkampana@cisco.com>>
Cc: anima@ietf.org<mailto:anima@ietf.org>
Subject: Feedback on constrained-voucher example certificates (in Github / -09 )



Hello Peter,



I did my review of the new example certificates in Github. Below my feedback. Because examples are used in the constrained-voucher draft Appendix C, I include all authors in this email.



pledge-cert.txt / pledge-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/pledge-cert.txt) :



  *   The X509v3 extension 'subjectKeyIdentifier' should not be included according to the 802.1AR-2009 spec section 7.2.6 (for IDevID/LDevID).  Reason is that this value in an EE certificate is never used for chain building; it's unnecessary bytes effectively.  Only CA certs do need this extension.
  *   The X509v3 extension 'keyUsage' is present, and is allowed per the 802.1AR-2009 spec section 7.2.13 , however looking at the 802.1AR text there it basically says restrictions of key usage shouldn't be necessary for an IDevID – it can be used for any purpose whether defined today or in the future. (Up to the year 9999 at least :-) )
BRSKI-45 also writes "therefore RECOMMENDS that no key usage restrictions be included" for IDevID.



masa-cert.txt / masa-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/masa-cert.txt) :

  *   the validity (1 year) seems a little short for a manufacturing root CA.  3, 5, 7, or 10 years I would expect to be more usual for such a CA.
  *   Of course a Pledge stores this root CA cert in its trust store for the entire device lifetime, and will keep using it during this lifetime. Even if that root CA cert expired and the Pledge has a realtime clock so it *could* verify expiry in principle. But it will not do that, because the cert is hardcoded in its trust store. So I'm not sure if the validity of it has any impact in practice; it seems not.
  *   Side note 1: the MASA will need to sign Vouchers with this root CA identity , for many years to come,  and in the meantime the root CA cert may expire and MASA may be given a renewed root CA cert that uses the same public/private keypair.  The latter – using same keypair - ensures that 'older' Pledges can still recognize the signer and so accept these newer Vouchers. So the MASA's root CA cert validity period will impact how often the cert needs to be renewed – all the time using the same pub/private keypair – and that seems to be all.
  *   Side note 2: one can also have a MASA signing the Vouchers using an expired root CA cert/identity.  The Registrar and the Pledges won't mind.
  *   Side note 3: another easy way out of this is to give the MASA root CA certificate also a very long / infinite lifetime just like the IDevID.



registrar-cert.txt / registrar-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/registrar-cert.txt)

  *   (Looks ok)



pledge-to-regis.txt  (https://github.com/anima-wg/constrained-voucher/blob/master/examples/pledge-to-regis.txt)

  *   Looks like this should be a .hex file! Not .txt.
  *   (May consider a filename like 'pledge-to-regis.cbor.hex' to indicate it is hex-format CBOR binary)
  *   Similar comment for the other 'x-to-y' .txt files.
  *   I will review the contents of these files later on!



Best regards

Esko





IoTconsultancy.nl  |  Email/Teams: esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>





_______________________________________________
Anima mailing list
Anima@ietf.org<mailto:Anima@ietf.org>
https://www.ietf.org/mailman/listinfo/anima