IETF Logo Mail Archive

Re: [Anima] [Ace] Proposing document draft-amsuess-ace-brski-ace-00

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 23 July 2023 04:48 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ECDAC15108B; Sat, 22 Jul 2023 21:48:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JUd2431J2vUn; Sat, 22 Jul 2023 21:48:47 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D30C4C14CE30; Sat, 22 Jul 2023 21:48:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 6368A3898C; Sun, 23 Jul 2023 00:48:38 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id k9q98cckeHeh; Sun, 23 Jul 2023 00:48:37 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 39E663898B; Sun, 23 Jul 2023 00:48:37 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1690087717; bh=ELHD5EfRB6N3m2VdQxxdbhmzgqjniv3zXSr9ykjVFxA=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=Q/nOPmAZi9BKVYQlZRrHmaAWJD5rZ6AT1NzUdWtVztujvWcBJNOx1wnoVWH2S98b3 W/DmPEB5RTf8D8PvwY6aq9aZX7zvAvLp/eIUc0HIm4CeXx24hUjvolNMsZEpTIRrB+ OthTOZNY/enl9N0Odssa8JDlTQqu2AbHxCAmY7g593QokP6MdQhfTAhfe7o4p9kwIK urEAlnN30aJGasXqipoJp39nwLiQV1g799ObF1PKcRJUKh4HJ2Mc0jQZysSYkbFf4w FGy7vS7lqpVG6sSSYcQz9icpyAfslPD1ZPk6PdIdznjDQiHLmBfHpn7lD3TLqyK4SC Lvl+Gc9NPCHHg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 21AD4202; Sun, 23 Jul 2023 00:48:37 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian =?us-ascii?B?PT9pc28tODg1OS0xP1E/QW1z PUZDc3M/PQ==?= <christian@amsuess.com>
cc: ace@ietf.org, anima@ietf.org
In-Reply-To: <ZLqEM/PyTVz5egPu@hephaistos.amsuess.com>
References: <ZK8TLhCiiR/lR1Bc@hephaistos.amsuess.com> <25968.1689198750@localhost> <ZLlQEeeDhjSFgi5B@hephaistos.amsuess.com> <23437.1689878109@localhost> <ZLqEM/PyTVz5egPu@hephaistos.amsuess.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 23 Jul 2023 00:48:37 -0400
Message-ID: <19181.1690087717@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/D6Lfz3Le30nhFQb1jf1EcvAOo_s>
Subject: Re: [Anima] [Ace] Proposing document draft-amsuess-ace-brski-ace-00
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2023 04:48:51 -0000

Christian =?iso-8859-1?Q?Ams=FCss?= <christian@amsuess.com> wrote:
    > On Thu, Jul 20, 2023 at 02:35:09PM -0400, Michael Richardson wrote:
    >> So draft-ietf-anima-constrained-voucher, has some optimizations that
    >> can sometimes let the pledge skip the /crts, but why is that
    >> interaction so expensive?  Note that in lake-authz, the voucher isn't
    >> actually sent, rather just the signature on what we expected to see in
    >> the voucher.... so extensions to the voucher would be difficult to do.

    > My impression was that this was not just an optimization that saves an
    > initial request, but that the voucher (in all its augmentation that it
    > gets when the registrar turns the PVR into an RVR) could serve as the
    > one way the credentials are provisioned through. Packing everything

There are some things which quite reasonably could go into the
PVR/RVR+voucher.   One example is remote attestation: the pledge is the
Attester, the Registrar is the RP, and the MASA is the Verifier. This makes
sense because the manufacturer has all the golden values (the endorsements).

    > So in a sketch, we'd do just as in authz+CoJP, and in the msg_3 request
    > (or even a later regular OSCORE request if we use CoJP too) ask the
    > registrar for the relevant AS data.

Yes.

    > I'll try to estavblish that as a new baseline. (Not sure yet whether
    > that'd better be a -01, or an ace-est-ace as it's not really depending
    > on BRSKI any more). An upside of that scenario is that it has a

Agreed: it's not BRSKI, just ... start with a secure channel.

    > In such a scenario I'd only come back to PRM if there's good reason to
    > actually do PRM (i.e. there are stairs, not just because it looks
    > suitable), or when that rollover is AS initialized.

PRM has some innovation that allows the CSR to be created at the same time as
the voucher, and then some cross-checking.

    > That handover gets me thinking: In authz-for-CoJP, the authenticator
    > plays the role of the JRC (I figure it'll play reverse proxy for the
    > actual one). Does that mean that the authenticator needs to stay around
    > (and keep its EDHOC created OSCORE session / roll it over as described
    > in CoJP), or can it ever hand the device off to a JRC directly?

If the OSCORE session can be moved, then I think yes, it could hand it off.
In particular on 802.15.4 (6tisch/CoJP) networks, then network rekeys have to
be handled carefully, and can take some time to get done.

    > That was supposed to be an either-or; I don't suppose I'd have a device
    > that takes both. (Should actually have been cert/AS data). But having
    > the registar serve both JRC data and AS details sounds realistic to me.

Ah, yes. Agreed.  The registrar has to cope with it all.

    >> pick a "morning" in gather.town.  I'm also remote.  Maybe Wednesday
    >> before ANIMA.

    > Wednesday before at gather.town sounds great, looking forward to it!

Table "A" for Anima.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email