Re: [Anima] [Iot-onboarding] EST CACerts and Pinned Domain Certificate

[Esko Dijk <esko.dijk@iotconsultancy.nl>]

Hello Michael,

Looking at text in 5.6.2 of BRSKI:

   The 'pinned-domain-cert' is not a
   complete distribution of the [RFC7030] section 4.1.3 CA Certificate
   Response, which is an additional justification for the recommendation
   to proceed with EST key management operations.  Once a full CA
   Certificate Response is obtained it is more authoritative for the
   domain than the limited 'pinned-domain-cert' response.

Which basically says that the Domain CA cert (that is present as 'pinned-domain-cert') is a sort of partial response to the CA Certificates Response of EST.
So, the Domain CA cert must be included in the full CA Certificate Response.
Suppose the full response does not contain Domain CA cert. If the Pledge receives the full response and - as stated in above text - replaces the limited response (with Domain CA) with the more authoritative full response (without Domain CA cert) then it would have to discard its Domain CA cert! That's not wanted in this case. So from this I would conclude that Domain CA cert needs to be in the (full) CA Certificates Response of EST.

Another angle to consider is the following: by design, the pinned-domain-cert is in BRSKI a Domain CA cert (i.e. it must be a CA). Why would any CA certificate not be included in the list of CA certificates, that is given by the CA Certificates Response? 

Third, in Section 5.9.1.:
   
   The pledge SHOULD request the full EST Distribution of CA Certificates message.  See RFC7030, section 4.1.
   This ensures that the pledge has the complete set of current CA
   certificates beyond the pinned-domain-cert

This suggests that pinned-domain-cert is part of the complete set of current CA certificates. 

RFC 7030 is not fully clear to me regarding our question - there are requirements on what should be included in the message; let's assume that the EST server certificate is a subordinate CA; then the RFC states in 4.1.3:

   if the EST CA is
   a subordinate CA, then all the appropriate subordinate CA
   certificates necessary to build a chain to the root EST CA are
   included in the response.

It is unclear if the EST CA's own certificate must be included or not in order to build the chain. In other words if the chain is X (subordinate CA) -> Y (subordinate CA) -> Z (root CA) then does it include only Y / Z or all of X / Y / Z ?

Still, overall it would be strange to exclude Domain CA, as it is part of the full set of CA certificates, and because the "full response" would replace the single pinned Domain CA cert as indicated in BRSKI. 

Best regards
Esko


-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Monday, March 23, 2020 20:25
To: M. Ranganathan <mranga@gmail.com>; iot-onboarding@ietf.org
Cc: anima@ietf.org
Subject: Re: [Anima] [Iot-onboarding] EST CACerts and Pinned Domain Certificate


M. Ranganathan <mranga@gmail.com> wrote:
    > Consider an integrated BRSKI-EST server. The pledge bootstraps and gets the
    > pinned domain certificate. Then the pledge queries EST for the ca-certs. Is
    > it correct to require that the pinned domain cert must be present in the
    > CACerts collection returned by the EST server when the pledge does a
    > cacerts query  (but can include additional certificates) ?

No, I don't think that the specific cert needs to be in the cacert set.

1) It makes sense that a trust anchor(s) returned ought to validate the pinned
   domain cert.  This is because a certificate renewal operation needs to connect to the
   EST server correctly.
   Obviously, in a very degenerate case, there is only the one owner
   certificate, and it is used for everything.
   section 3.3 of draft-richardson-anima-registrar-considerations suggests
   that, and I include the text at the bottom.

2) The pinned-domain cert is validated by the pledge using the voucher.
   It does not need to be validatable via the cacerts for BRSKI-EST to work,
   provided that the TLS connection is never broken.
   (If the TLS connection is broken, then the enrollment should restart.
   We considered many ways around this, but I think in the end, we decided
   not to do this.  HTTP/1.1+ persistent connections or die)

===

3.3.  Home Network

   Home networks and small offices that use residential class equipment
   are the most challenging situation.  The three-tier PKI architecture
   is not justified because the ability to keep the root CA offline has
   no operational value.

   The home network registrar should be initialized with a single key
   pair used as the certificate authority.

   Secret splitting is useful in order to save the generated key with a
   few neighbours.  It is recommended that the entire PKI system
   database (including CA private key) be encrypted with a symmetric key
   and the results made available regularly for download to a variety of
   devices.  The symmetric key is split among the neighbours.

   The most difficult part of the Home Network PKI and Registrar is
   where to locate it.  Generally it should be located on a device that
   is fully owned by the home user.  This is sometimes the Home Router,
   but in a lot of situations the Home Router is the ISP's CPE router.
   If the home has a Network Attached Storage (NAS) system, then running
   it there is probably better.

   A compromise for CPE devices owned by the ISP that can run containers
   is for the Registrar to be located on detachable storage that is
   inserted into the CPE.  The detachable storage is owned by the home
   owner, and can be removed from the CPE device if it is replaced.
   More experience will be necessary in order to determine if this is a
   workable solution.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-