[Anima] FW: I-D Action: draft-fries-anima-brski-async-enroll-03.txt
"Fries, Steffen" <steffen.fries@siemens.com> Fri, 06 March 2020 14:06 UTC
Return-Path: <steffen.fries@siemens.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 357A73A073E
for <anima@ietfa.amsl.com>; Fri, 6 Mar 2020 06:06:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 16Yef164z6rW for <anima@ietfa.amsl.com>;
Fri, 6 Mar 2020 06:06:14 -0800 (PST)
Received: from david.siemens.de (david.siemens.de [192.35.17.14])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 48F823A0736
for <anima@ietf.org>; Fri, 6 Mar 2020 06:06:14 -0800 (PST)
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 026E6CTu018102
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
for <anima@ietf.org>; Fri, 6 Mar 2020 15:06:12 +0100
Received: from DEFTHW99ER3MSX.ww902.siemens.net
(defthw99er3msx.ww902.siemens.net [139.22.70.74])
by mail1.sbs.de (8.15.2/8.15.2) with ESMTPS id 026E6CCr006603
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
for <anima@ietf.org>; Fri, 6 Mar 2020 15:06:12 +0100
Received: from DENBGAT9EM4MSX.ww902.siemens.net ([169.254.11.5]) by
DEFTHW99ER3MSX.ww902.siemens.net ([139.22.70.74]) with mapi id
14.03.0468.000; Fri, 6 Mar 2020 15:06:11 +0100
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: I-D Action: draft-fries-anima-brski-async-enroll-03.txt
Thread-Index: AQHV878v3/vUpciCdUamcOdPqhTmuKg7lwsA
Date: Fri, 6 Mar 2020 14:06:11 +0000
Message-ID:
<E6C9F0E527F94F4692731382340B3378284B143E@DENBGAT9EM4MSX.ww902.siemens.net>
References: <158350302260.2236.17959866417996648593@ietfa.amsl.com>
In-Reply-To: <158350302260.2236.17959866417996648593@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.22.70.40]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At:
<https://mailarchive.ietf.org/arch/msg/anima/EP3mFqSZX2jKYWie4rk9Oug7PDg>
Subject: [Anima] FW: I-D Action: draft-fries-anima-brski-async-enroll-03.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>,
<mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>,
<mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2020 14:06:16 -0000
Hi all, I just posted an update of the draft for BRSKI-AE. Besides the already addressed approach using authenticated self-contained objects (signed objects) during the enrollment to address situations in which no direct connectivity to a PKI is available, a second approach is described. This approach targets situations in which the pledge is not able to talk to the domain registrar directly. This may be the case if a different protocol stack is used on the pledge or if there is no direct network connectivity. The draft introduces a pledge agent, which may be part of a commissioning tool. To perform the onboarding the concept of authenticated self-contained objects is leveraged. The draft has already been presented in the last IETF meetings. The authors think that based on its current state it would be ready for a call to WG adoption during the next meeting. We plan to ask for a presentation slot in the agenda for discussing the draft. Best regards Steffen -----Original Message----- From: I-D-Announce <i-d-announce-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org Sent: Freitag, 6. März 2020 14:57 To: i-d-announce@ietf.org Subject: I-D Action: draft-fries-anima-brski-async-enroll-03.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Support of asynchronous Enrollment in BRSKI Authors : Steffen Fries Hendrik Brockhaus Eliot Lear Filename : draft-fries-anima-brski-async-enroll-03.txt Pages : 33 Date : 2020-03-06 Abstract: This document discusses enhancements of bootstrapping of a remote secure key infrastructure (BRSKI) to also operate in domains featuring no or only timely limited connectivity to backend services offering enrollment functionality, specifically a Public Key Infrastructure (PKI). The enhancements proposed to enable this are also applied to further set of use cases in which a pledge may not have a direct connection to the registrar and is served by for instance by a commissioning tool as an agent providing registrar connectivity. In the context of deploying new devices the design of BRSKI allows for online (synchronous object exchange) and offline interactions (asynchronous object exchange) with a manufacturer's authorization service. For this it utilizes an authenticated self- contained voucher to transport the domain credentials as a signed object to establish an initial trust between a pledge and the target deployment domain. The currently supported enrollment protocol for request and distribution of deployment domain specific device certificates provides only limited support for asynchronous PKI interactions. This memo motivates the enhancement of supporting authenticated self-contained objects for certificate management by using an abstract notation. The enhancement allows on one hand off- site operation of PKI services outside the deployment domain of the pledge. This addresses specifically scenarios, in which the final authorization of a certification request of a pledge cannot be made in the deployment domain and is therefore delegated to a operator backend. On the other hand, this enhancement also facilitates the exchange of certificate management information via a pledge agent. The goal is to enable the usage of existing and potentially new PKI protocols supporting authenticated self-containment for certificate management exchanges. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-fries-anima-brski-async-enroll/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-fries-anima-brski-async-enroll-03 https://datatracker.ietf.org/doc/html/draft-fries-anima-brski-async-enroll-03 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-fries-anima-brski-async-enroll-03 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ _______________________________________________ I-D-Announce mailing list I-D-Announce@ietf.org https://www.ietf.org/mailman/listinfo/i-d-announce Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
- [Anima] FW: I-D Action: draft-fries-anima-brski-a… Fries, Steffen
- Re: [Anima] I-D Action: draft-fries-anima-brski-a… Brian E Carpenter
- Re: [Anima] I-D Action: draft-fries-anima-brski-a… Fries, Steffen