IETF Logo Mail Archive

Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09

Toerless Eckert <tte@cs.fau.de> Wed, 21 February 2018 02:58 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3635124D68; Tue, 20 Feb 2018 18:58:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.96
X-Spam-Level:
X-Spam-Status: No, score=-3.96 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjBOLq-MkBgE; Tue, 20 Feb 2018 18:58:20 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E20F1204DA; Tue, 20 Feb 2018 18:58:20 -0800 (PST)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [131.188.34.77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 4550058C565; Wed, 21 Feb 2018 03:58:16 +0100 (CET)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 23B6AB0DB08; Wed, 21 Feb 2018 03:58:16 +0100 (CET)
Date: Wed, 21 Feb 2018 03:58:16 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
Cc: "draft-ietf-anima-bootstrapping-keyinfra@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Message-ID: <20180221025815.GE23498@faui40p.informatik.uni-erlangen.de>
References: <20180214010910.GA27823@faui40p.informatik.uni-erlangen.de> <23103.1519174480@obiwan.sandelman.ca> <20180221023844.GD23498@faui40p.informatik.uni-erlangen.de> <AB3D61FC-9698-44A3-8E82-A203B5414086@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AB3D61FC-9698-44A3-8E82-A203B5414086@cisco.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/OpGVJkhqVQ_iM8GpNuE-lqGM-t8>
Subject: Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 02:58:23 -0000

On Wed, Feb 21, 2018 at 02:45:12AM +0000, Max Pritikin (pritikin) wrote:
> 
> The MASA is a certifier of vouchers. A voucher isn???t really a PKI construct today. Its more of a distribution of trust-anchor or ???pinned cert??? construct used to bootstrap a PKI because the PKI???s don???t have such a concept. 

Thank. I always hate good explanations go to waste. Sentence like the following would be lovely for readers whose first attempt at survival in a sea of security is to figure out what the terminology means:


(at end of PKI def in termonology).
Note: The definition of PKI preceeds the MASA and Voucher concepts and any evolution of the definition of the term PKI is outside the scope of this document. Therefore they are not  considered to be part of a PKI.

Cheers
   Toerless

> I think it could be argued either way but its probably most accurate at this time to talk about the MASA as being distinct from the PKI if only because this isn???t the PKIX working group and therefore it isn???t in our charter to add anything to the public key infrastructure. 
> 
> Which highlights the absurdity of trying to draw this distinction. :) I???m good with Michael???s excellent text. 
> 
> - max
> 
> > 
> >> +
> >>    Join Proxy:  A domain entity that helps the Pledge join the domain.
> >>       A Proxy facilitates communication for devices that find themselves
> >>       in an environment where they are not provided connectivity until
> >> 
> >> +1.5.  Requirements for Autonomic Network Infrastructure (ANI) devices
> >> 
> >> +   The BRSKI protocol can be used in a number of environments.  Some of
> >> +   the flexibility in this document is the result of users out of the
> >> +   ANI scope.  This section defines the base requirements for ANI
> >> +   devices.
> >> 
> >> +   For devices that intend to become part of an Autonomic Network
> >> +   Infrastructure (ANI) ([I-D.ietf-anima-reference-model]) that includes
> >> +   an Autonomic Control Plane
> >> +   ([I-D.ietf-anima-autonomic-control-plane]), the following actions are
> >> +   required and MUST be performed by the Pledge:
> >> 
> >> +   o  BRSKI: Request Voucher
> >> 
> >> +   o  EST: CA Certificates Request
> >> 
> >> +   o  EST: CSR Attributes
> >> 
> >> +   o  EST: Client Certificate Request
> >> 
> >> +   o  BRSKI: Enrollment status Telemetry
> >> 
> >> +   The ANI Registrar (JRC) MUST support all the BRSKI and above listed
> >> +   EST operations.
> > 
> > 
> > Can't remember conclusion on redundant terminology re. JRC vs. the other terms
> > used. Personal preference would be to eliminate JRC as a term, but i'll wait
> > for the final doc. re. minimum necessary terminology.
> > 
> >> +   All ANI devices SHOULD support the BRSKI proxy function, using
> >> +   circuit proxies.  Other proxy methods are optional
> > 
> > Overall 1.5 nice.1
> > 
> >> +   , and may be
> >> +   enabled only if the JRC indicates support for them in it's
> >> +   announcement.  (See Section 4.4)
> > 
> > IMHO: sentence eend after "optional". Followed by "all proxy functionally
> > needs to ... be enabled...
> > 
> > Aka: circuit proxy is a no-op too if the proxy does not discover a registrar
> > supporting it. Not specific to advanced options.
> > 
> > 
> >>> II) This leaves the option that EST to install trust anchor is mandatory, but
> >>> enrolment with a certificate is optional (except for ANI case).
> >> 
> >>> Aka: would be good to write a sentence/paragraph exactly outlining what is
> >>> permitted to happen after a voucher and if any, what parts of EST are deemed to
> >>> be necessary by BRSKI (outside of ANI devices. the requirements for ANI devices
> >>> are listed above).
> >> 
> >> I think that this should be left to other users.
> > 
> > Rephrase ? Don't understand what this means (especially users). "other authors" ? "other docs" ?
> > 
> > Maybe just: 
> > 
> > BRSKI does not mandate EST client certificate enrolment except for ANI devices.
> > Considerations for complete solutions using Pledges that only perform Request Voucher
> > and CA Certificates request, but no EST client certificate enrolment are
> > outside the scope of this document / subject to future work.
> > 
> > 
> >> I am going to push the -11 with these changes, and the ones from last week.
> > 
> > Thanks!
> > 
> > Cheers
> >    Toerless
> > 
> >> I acknowledge that I still have a bunch of edits from the rest of your message.
> >> 
> >> 
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> >> -= IPv6 IoT consulting =-
> >> 
> >> 
> >> 
> > 
> > 
> > 
> >> _______________________________________________
> >> Anima mailing list
> >> Anima@ietf.org
> >> https://www.ietf.org/mailman/listinfo/anima
> > 
> > 
> > -- 
> > ---
> > tte@cs.fau.de
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email