Re: [Anima] FW: New Version Notification for draft-mohammed-anima-voucher-security-profile-00.txt

Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 08 June 2023 09:06 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "Srihari Raghavan (srihari)" <srihari@cisco.com>, "anima@ietf.org" <anima@ietf.org>, "jabir Mohammed (jamohamm)" <jamohamm@cisco.com>, "Reda Haddad (rehaddad)" <rehaddad@cisco.com>, "Sandesh Rao (sandeshr)" <sandeshr@cisco.com>
Date: Thu, 08 Jun 2023 09:06:01 +0000
Message-ID: <DU0P190MB197888430BC0180EF61A116CFD50A@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <168543538755.57544.11025538238647976477@ietfa.amsl.com> <78D5263E-C7B4-40A8-91E3-949B78DD801C@cisco.com> <3424246.1685462203@dyas> <A7BFB9F8-132C-4E10-92F2-C48AE8B9F17C@cisco.com> <3431043.1685465207@dyas>
In-Reply-To: <3431043.1685465207@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/DuoAY7-jqmDKJlIFxbDRO2LDZbs>

> I think that there are better ways to accomplish the configuration, such
> as extending the BRSKI-EST link with new actions.

Indeed letting the owner independently set security policies for the owner's own domain sounds useful. Such policies could be sent by the Registrar over the same TLS / DTLS connection that is created for the BRSKI-EST, or for the standalone EST, protocol. E.g. the device gets a policy update every time it gets a renewed LDevID. The policy data can be a voucher-like document, or a JWT, or a CWT, signed by the Domain CA.

To get the policy data, the BRSKI/EST client could request it using a RESTful request.  This has the benefit that we can define it as a building block independent from EST itself, while the underlying security and effort and standards-text of setting up the TLS connection is shared with EST. I'm assuming the protection provided by the TLS connection is useful and wanted in this case.

That said, security policies determined by the vendor (through MASA) could also be useful for some use cases. The vendor could enforce policies on the use of the Pledge for the particular target Domain/customer. E.g. enable some features, disable others. Currently that would be encoded in the Voucher in a vendor-specific way. The question is whether there's a need to standardize this format, or whether an informative document showing how to do it is sufficient.
If we let the domain owner's security policy settings piggy-back on the Voucher document, so that all security policies are distributed via one signed document, that may be nice and simple, but it's less flexible than having policies that the domain owner can determine fully independently of the MASA.

Esko

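The device-side check implied by the paragraph above, as an added example that is not part of the draft, of Esko's message, or of any BRSKI/EST implementation: the owner's policy travels as a compact, three-segment JWT-style token signed by the Domain CA, and the pledge verifies it against the domain public key it already pins (in BRSKI the pledge obtains the domain's trust anchor from the voucher's pinned-domain-cert, RFC 8995) before applying any setting. Everything else here is an assumption for illustration: the claim names (domain, serial, iat, exp, settings), the "policy+jwt" type, the use of ECDSA P-256 with a DER-encoded signature instead of the JWS raw r||s form, and the fact that the token is simply handed to VerifyPolicy rather than fetched with a RESTful request over the EST TLS session. The point of the example is the set of checks a pledge should make: fixed algorithm, signature under the pinned key, binding to this device's serial and to the expected domain, and a validity window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Policy is the hypothetical policy payload; the claim names are assumptions.
type Policy struct {
	Domain   string            `json:"domain"`   // owner domain the policy applies to
	Serial   string            `json:"serial"`   // pledge serial number the policy is bound to
	IssuedAt int64             `json:"iat"`      // Unix seconds
	Expires  int64             `json:"exp"`      // Unix seconds
	Settings map[string]string `json:"settings"` // owner-chosen settings, e.g. feature toggles
}

var enc = base64.RawURLEncoding

// NewDomainKey generates a P-256 key standing in for the Domain CA signing key.
func NewDomainKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPolicy (Domain CA / Registrar side) returns header.payload.signature, ECDSA P-256/SHA-256 over "header.payload".
func SignPolicy(priv *ecdsa.PrivateKey, p Policy) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"policy+jwt"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyPolicy (pledge side) fails closed: parse error, unexpected alg, bad signature, wrong domain or serial, or a policy outside its validity window is rejected.
func VerifyPolicy(pinned *ecdsa.PublicKey, token, wantDomain, wantSerial string, now time.Time) (Policy, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Policy{}, errors.New("malformed token")
	}
	hdr, err := enc.DecodeString(parts[0])
	if err != nil {
		return Policy{}, err
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil {
		return Policy{}, err
	}
	if h.Alg != "ES256" { // never let the token choose a weaker alg, e.g. "none"
		return Policy{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return Policy{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.VerifyASN1(pinned, digest[:], sig) {
		return Policy{}, errors.New("signature does not verify under the pinned domain key")
	}
	body, err := enc.DecodeString(parts[1]) // claims are parsed only after the signature holds
	if err != nil {
		return Policy{}, err
	}
	var p Policy
	if err := json.Unmarshal(body, &p); err != nil {
		return Policy{}, err
	}
	if p.Domain != wantDomain || p.Serial != wantSerial {
		return Policy{}, fmt.Errorf("policy bound to %s/%s, this device is %s/%s", p.Domain, p.Serial, wantDomain, wantSerial)
	}
	if t := now.Unix(); t < p.IssuedAt || t >= p.Expires {
		return Policy{}, errors.New("policy outside its validity window")
	}
	return p, nil
}

func main() {
	ca, err := NewDomainKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	pol := Policy{Domain: "example.com", Serial: "SN-1234", IssuedAt: now.Unix(), Expires: now.Add(24 * time.Hour).Unix(), Settings: map[string]string{"telnet": "off"}}
	tok, _ := SignPolicy(ca, pol)
	got, err := VerifyPolicy(&ca.PublicKey, tok, "example.com", "SN-1234", now)
	fmt.Println(got.Settings, err) // map[telnet:off] <nil>
}
```

The order of checks matters: the algorithm is pinned and the signature is verified before the claims are even parsed, so a token with alg "none", a token signed by some other domain's key, or a policy minted for a different serial number is rejected without any of its settings being looked at. A policy piggy-backed on the voucher would get the same binding for free from the voucher's own serial-number and domain fields; this is what the owner-independent path has to reproduce itself.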

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Tuesday, May 30, 2023 18:47
To: Srihari Raghavan (srihari) <srihari@cisco.com>; anima@ietf.org; jabir Mohammed (jamohamm) <jamohamm@cisco.com>; Reda Haddad (rehaddad) <rehaddad@cisco.com>; Sandesh Rao (sandeshr) <sandeshr@cisco.com>
Subject: Re: [Anima] FW: New Version Notification for draft-mohammed-anima-voucher-security-profile-00.txt


Srihari Raghavan (srihari) <srihari@cisco.com> wrote:
    > Agreed that MASA is the signing authority and the draft is meant to
    > convey that the owner can influence the choice by way of parameterized
    > inputs to the MASA APIs.  So, owner can be presented with a 'security
    > profile selector' input via the MASA external APIs and when the owner
    > provides the PDC and the selector input values, MASA can then go ahead
    > and create the voucher with appropriate security profile settings
    > (after verification and validation) for the device.

okay, that's an entire API from Registrar to MASA which you have to design and
document.  And you mention SZTP, and it doesn't have that link.

I think that there are better ways to accomplish the configuration, such
as extending the BRSKI-EST link with new actions.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*