[Anima] changes in draft-ietf-anima-constrained-voucher-10.txt

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 21 February 2021 20:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/DSjyJvXPbk01Ng3l8pND1MDRJX0>

1. We have added Esko Dijk as an author.  Esko has been instrumental in
   getting this document focused and moving forward.  Thank you!

2. We reduced the number of mandatory exchanges, trying to optimize for
   common cases of small PKIs with common usage patterns.
   This makes the /crts optional in many cases.
   We changed /crts from returning application/pkcs7-mime;smime-type=certs-only
   to returning application/pkix-cert (for which we need a CoAP type code).

3. We removed the CoAP version of requestauditlog, as that is part of the
   BRSKI-MASA (northbound) communication, which is always HTTPS, and is
   always non-constrained.

4. While we obligate the Registrar to support discovery via GET /.well-known/core?rt=brski*
   we do not obligate the pledge to use that, and mandate that the /.well-known/brski/xx
   targets are already supported by the Registrar.

5. We clarify how the desired pinning by the MASA is to be signaled, and how
   it is to work for pinning of RPK.

6. We have excised all text relating to CMS signed CBOR.
   That involved returning the early allocation of CT=1.2.840.113549.1.9.16.1.46.

If you have not read the document recently, now would be a good time.
We have 17 open issues at https://github.com/anima-wg/constrained-voucher/issues
and we expect to close them in the next ~6 weeks.

I see in reviewing the diff that there is a mistake in figure 1, with the use
of "Int"ermediate CA. We have concluded on using the term "Sub"ordinate CA.
Figure 2 gets that right.

internet-drafts@ietf.org wrote:
    >         Title : Constrained Voucher Artifacts for Bootstrapping Protocols
    >         Authors : Michael Richardson, Peter van der Stok, Panos Kampanakis, Esko Dijk
    >         Filename : draft-ietf-anima-constrained-voucher-10.txt
    >         Pages : 50
    >         Date :

    > Abstract: This document defines a protocol to securely assign a Pledge
    > to an owner and to enroll it into the owner's network.  The protocol
    > uses an artifact that is signed by the Pledge's manufacturer.  This
    > artifact is known as a "voucher".

...

    > A diff from the previous version is available at:
    > https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-constrained-voucher-10


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide