[Anima] FW: I-D Action: draft-fries-anima-brski-async-enroll-03.txt

"Fries, Steffen" <steffen.fries@siemens.com> Fri, 06 March 2020 14:06 UTC

Return-Path: <steffen.fries@siemens.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 357A73A073E for <anima@ietfa.amsl.com>; Fri, 6 Mar 2020 06:06:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 16Yef164z6rW for <anima@ietfa.amsl.com>; Fri, 6 Mar 2020 06:06:14 -0800 (PST)
Received: from david.siemens.de (david.siemens.de []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48F823A0736 for <anima@ietf.org>; Fri, 6 Mar 2020 06:06:14 -0800 (PST)
Received: from mail1.sbs.de (mail1.sbs.de []) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 026E6CTu018102 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <anima@ietf.org>; Fri, 6 Mar 2020 15:06:12 +0100
Received: from DEFTHW99ER3MSX.ww902.siemens.net (defthw99er3msx.ww902.siemens.net []) by mail1.sbs.de (8.15.2/8.15.2) with ESMTPS id 026E6CCr006603 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <anima@ietf.org>; Fri, 6 Mar 2020 15:06:12 +0100
Received: from DENBGAT9EM4MSX.ww902.siemens.net ([]) by DEFTHW99ER3MSX.ww902.siemens.net ([]) with mapi id 14.03.0468.000; Fri, 6 Mar 2020 15:06:11 +0100
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: I-D Action: draft-fries-anima-brski-async-enroll-03.txt
Thread-Index: AQHV878v3/vUpciCdUamcOdPqhTmuKg7lwsA
Date: Fri, 6 Mar 2020 14:06:11 +0000
Message-ID: <E6C9F0E527F94F4692731382340B3378284B143E@DENBGAT9EM4MSX.ww902.siemens.net>
References: <158350302260.2236.17959866417996648593@ietfa.amsl.com>
In-Reply-To: <158350302260.2236.17959866417996648593@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/EP3mFqSZX2jKYWie4rk9Oug7PDg>
Subject: [Anima] FW: I-D Action: draft-fries-anima-brski-async-enroll-03.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2020 14:06:16 -0000

Hi all,

I just posted an update of the draft for BRSKI-AE. 

Besides the already addressed approach using authenticated self-contained objects (signed objects) during the enrollment to address situations in which no direct connectivity to a PKI is available, a second approach is described. This approach targets situations in which the pledge is not able to talk to the domain registrar directly. This may be the case if a different protocol stack is used on the pledge or if there is no direct network connectivity. The draft introduces a pledge agent, which may be part of a commissioning tool. To perform the onboarding the concept of authenticated self-contained objects is leveraged. 

The draft has already been presented in the last IETF meetings. The authors think that based on its current state it would be ready for a call to WG adoption during the next meeting. We plan to ask for a presentation slot in the agenda for discussing the draft. 

Best regards

-----Original Message-----
From: I-D-Announce <i-d-announce-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Freitag, 6. März 2020 14:57
To: i-d-announce@ietf.org
Subject: I-D Action: draft-fries-anima-brski-async-enroll-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : Support of asynchronous Enrollment in BRSKI
        Authors         : Steffen Fries
                          Hendrik Brockhaus
                          Eliot Lear
	Filename        : draft-fries-anima-brski-async-enroll-03.txt
	Pages           : 33
	Date            : 2020-03-06

   This document discusses enhancements of bootstrapping of a remote
   secure key infrastructure (BRSKI) to also operate in domains
   featuring no or only timely limited connectivity to backend services
   offering enrollment functionality, specifically a Public Key
   Infrastructure (PKI).  The enhancements proposed to enable this are
   also applied to further set of use cases in which a pledge may not
   have a direct connection to the registrar and is served by for
   instance by a commissioning tool as an agent providing registrar
   connectivity.  In the context of deploying new devices the design of
   BRSKI allows for online (synchronous object exchange) and offline
   interactions (asynchronous object exchange) with a manufacturer's
   authorization service.  For this it utilizes an authenticated self-
   contained voucher to transport the domain credentials as a signed
   object to establish an initial trust between a pledge and the target
   deployment domain.  The currently supported enrollment protocol for
   request and distribution of deployment domain specific device
   certificates provides only limited support for asynchronous PKI
   interactions.  This memo motivates the enhancement of supporting
   authenticated self-contained objects for certificate management by
   using an abstract notation.  The enhancement allows on one hand off-
   site operation of PKI services outside the deployment domain of the
   pledge.  This addresses specifically scenarios, in which the final
   authorization of a certification request of a pledge cannot be made
   in the deployment domain and is therefore delegated to a operator
   backend.  On the other hand, this enhancement also facilitates the
   exchange of certificate management information via a pledge agent.
   The goal is to enable the usage of existing and potentially new PKI
   protocols supporting authenticated self-containment for certificate
   management exchanges.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:

I-D-Announce mailing list
Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt