[Anima] Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 14 January 2025 17:20 UTC

To: anima@ietf.org
CC: "Werner, Thomas" <thomas-werner@siemens.com>, "Fries, Steffen" <steffen.fries@siemens.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/F7dilcUU9v2tUVYGCfnBiWnYe_o>

Hi Steffen, Thomas, (WG),

Based on our discussion in the ANIMA design team I looked up the requirements for signing the PVR, and including the certificate chain in the PVR, for BRSKI/cBRSKI.
Just to compare. For BRSKI-PRM there may be other requirements because of the Registrar-Agent that sits in between.


RFC 8366 5.4 – for Vouchers only:

   The CMS structure SHOULD also contain all of the certificates leading
   up to and including the signer's trust anchor certificate known to
   the recipient.  The inclusion of the trust anchor is unusual in many
   applications, but third parties cannot accurately audit the
   transaction without it.

RFC 8995 5.2 – for the PVR, it basically copies the above requirement and requires signing by the Pledge’s IDevID credentials:

application/voucher-cms+json:
    [RFC8366] defines a "YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure", and the voucher-request described in Section 3 is created in the same way. The media type is the same as defined in [RFC8366]. This is also used for the pledge voucher-request. The pledge MUST sign the request using the credentials in Section 2.3.

Now the target recipient of the PVR is the MASA. (Again for PRM this may be different and include Registrar as well...? But not in BRSKI I think.)
So the requirement on the Pledge is it SHOULD include in the PVR all the certificates needed for the MASA to build the complete chain. And by design (same vendor) the Pledge should know what the deployed MASA will know about the vendor's Pledges, i.e. what trust anchors are stored in MASA. This would I think need to be at least the Pledge's own IDevID EE certificate. If "trust anchor" is interpreted as a "CA", it needs to be at least this IDevID EE certificate and the next-in-line CA certificate, which may be a sub-CA and not a root CA.
It’s not a MUST requirement.

Next: In cBRSKI, the PVR size is reduced by completely removing any signing certificates: only the signature itself is included!  This works because we have the vendor's serial-number to uniquely identify a Pledge to MASA. And if serial numbers would collide in some case, we explain how to use the "key ID" (kid) field to identify the signer in those cases. And an optional way to include the complete cert chain, if really needed for something, by including it in the x5bag container element.

The MASA in this solution needs to store all the cert-chains for all the Pledges it supports -- including their IDevID EE certificates -- an extra burden on MASA, compared with BRSKI, but one which helps us achieve the smaller size of PVR.
So cBRSKI changes the “SHOULD” requirement from 8995 to a SHOULD NOT in Section 9.2.2.

Also in cBRSKI, the Registrar obtains the IDevID of the Pledge from the DTLS handshake. Not from the PVR.
This seems allowed per BRSKI Section 9.3,

    A registrar accepts or declines a request to join the domain, based on the authenticated identity presented

It doesn’t say where the IDevID identity should come from – PVR or the (D)TLS handshake supplied certificates. Having only one source should be fine ... ?

Regards
Esko
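The cBRSKI arrangement described in the message above (PVR carries no certificates, MASA resolves the signer by vendor serial-number, falls back to the kid only when serials collide, and keeps the IDevID chains itself) as an added example. This is not code from the original message, from the BRSKI/cBRSKI drafts or from any implementation; it is written here in Go with the standard library only. Everything in it is constructed for the example: the vendor root and sub-CA, the serial numbers SN-0001/SN-0002 (the collision is deliberate), the MASA store layout and the names BuildVendor, SignPVR and VerifyPVR. Two simplifications are assumptions: the kid is taken to be the IDevID certificate's SubjectKeyId, and the PVR signature is a bare ECDSA signature over the request bytes rather than a COSE_Sign1 structure.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PVR is what the MASA receives in cBRSKI: the serial-number taken from the
// payload, an optional "kid" header, payload and signature, and no certificates.
type PVR struct {
	Serial       string
	Kid          []byte // nil unless the pledge must disambiguate its serial
	Payload, Sig []byte
}

// MASA is the assumed store: the vendor root as trust anchor, the IDevID-issuing
// sub-CA(s), and every IDevID EE certificate indexed by vendor serial number.
type MASA struct {
	Roots, SubCAs *x509.CertPool
	IDevIDs       map[string][]*x509.Certificate
}

// VerifyPVR resolves the signer from the MASA's own store, validates the stored
// chain up to the trust anchor, and only then checks the signature.
func (m *MASA) VerifyPVR(p PVR) error {
	// Serial number selects the IDevID; a kid, when present, must match as well.
	var ee *x509.Certificate
	hits := 0
	for _, c := range m.IDevIDs[p.Serial] {
		if p.Kid == nil || bytes.Equal(c.SubjectKeyId, p.Kid) {
			ee, hits = c, hits+1
		}
	}
	if hits != 1 { // zero: unknown pledge; more than one: colliding serial, no usable kid
		return fmt.Errorf("serial-number %q: %d candidate IDevIDs (kid present: %t)", p.Serial, hits, p.Kid != nil)
	}
	opts := x509.VerifyOptions{Roots: m.Roots, Intermediates: m.SubCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ee.Verify(opts); err != nil {
		return fmt.Errorf("IDevID chain: %w", err)
	}
	h := sha256.Sum256(p.Payload)
	if !ecdsa.VerifyASN1(ee.PublicKey.(*ecdsa.PublicKey), h[:], p.Sig) {
		return fmt.Errorf("PVR signature does not verify")
	}
	return nil
}

// SignPVR is the pledge side: sign with the IDevID key and attach only the kid
// (nil to omit it); the certificate chain is never included (cBRSKI SHOULD NOT).
func SignPVR(key *ecdsa.PrivateKey, serial string, kid, payload []byte) PVR {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return PVR{Serial: serial, Kid: kid, Payload: payload, Sig: sig}
}

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildVendor constructs, for this example only, a vendor root, an IDevID sub-CA
// and three pledge keys; the last two deliberately share serial "SN-0002".
func BuildVendor() (m *MASA, keys []*ecdsa.PrivateKey) {
	ca := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Vendor Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * 365 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := issue(&ca, &ca, &rootKey.PublicKey, rootKey)
	sub := ca
	sub.SerialNumber, sub.Subject = big.NewInt(2), pkix.Name{CommonName: "Vendor IDevID Sub-CA"}
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subCert := issue(&sub, root, &subKey.PublicKey, rootKey)
	m = &MASA{Roots: x509.NewCertPool(), SubCAs: x509.NewCertPool(), IDevIDs: map[string][]*x509.Certificate{}}
	m.Roots.AddCert(root)
	m.SubCAs.AddCert(subCert)
	for i, serial := range []string{"SN-0001", "SN-0002", "SN-0002"} {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		spki, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
		ski := sha256.Sum256(spki) // kid is assumed to be the SubjectKeyId: truncated SHA-256 of the SPKI
		ee := x509.Certificate{SerialNumber: big.NewInt(int64(100 + i)), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
			Subject:  pkix.Name{CommonName: "Pledge " + serial, SerialNumber: serial},
			KeyUsage: x509.KeyUsageDigitalSignature, SubjectKeyId: ski[:20]}
		m.IDevIDs[serial] = append(m.IDevIDs[serial], issue(&ee, subCert, &k.PublicKey, subKey))
		keys = append(keys, k)
	}
	return m, keys
}
```

The order inside VerifyPVR is the point: because the PVR carries no certificates, the MASA first has to decide which stored IDevID it is looking at (serial-number, then kid), then prove that stored chain up to its own trust anchor, and only then spend a signature verification. A colliding serial without a kid is rejected outright rather than resolved by trying every candidate key, so a PVR from an unknown or ambiguous pledge never reaches the signature check.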