Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)

Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 02 April 2020 06:47 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: Benjamin Kaduk <kaduk@mit.edu>, "anima@ietf.org" <anima@ietf.org>
Date: Thu, 2 Apr 2020 06:46:59 +0000
Message-ID: <AM5P190MB027524F2D1530746DD48C4DDFDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu> <600.1585687336@localhost> <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <5633.1585770340@localhost>
In-Reply-To: <5633.1585770340@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/AliDSft2nmHFZr9qaTjnVVjxzgo>
Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>

> I believe that we concur on the uses.
> I'm not sure if you are saying the CA:TRUE is a requirement.
> I do not want to mandate that.  CA:TRUE is, of course, acceptable.

The current BRSKI text to me suggests that CA:TRUE is a requirement for the pinned-domain-cert. But I'm okay with not having CA:TRUE for this certificate, as you propose, in which case I think the BRSKI text needs some minor updates on the wording.
For example, if it's just a Registrar cert with CA:FALSE and RA:TRUE then it shouldn't be called a "domain CA" cert or "domain cert".

If the Registrar is not a CA, it does need to be a Registration Authority (RA). (See Section 2.5.3 / 2.5.5 / 5.5.4 / https://tools.ietf.org/html/rfc6402#section-2.10 )
So the requirement for the pinned cert is that it is either RA or CA.  (Both also seem possible to encode in the cert, although that seems equivalent to a CA.)

Esko

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Wednesday, April 1, 2020 21:46
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Benjamin Kaduk <kaduk@mit.edu>; anima@ietf.org
Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)


Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
    > Based on the discussion, trying to list some practical cases we can
    > have of the pinned-domain-cert:

I believe that we concur on the uses.
I'm not sure if you are saying the CA:TRUE is a requirement.
I do not want to mandate that.  CA:TRUE is, of course, acceptable.

I think that today's revised text supports all of your use cases.
If you find some fell out of bounds, then it's a mistake.

    > In the latter case, the self-signed limited-scope root CA will
    > typically be used as the pinned-domain-cert. And the EST server will
    > create certificates signed by this same root CA.

I believe that by number of Registrars the self-signed private CA will be
the most common.  It is what I have suggested in
draft-richardson-anima-registrar-operations.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
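Esko's point above, that the pinned-domain-cert must be either a CA (basicConstraints cA=TRUE) or an RA (the id-kp-cmcRA extended key usage from RFC 6402 section 2.10), written out as the check a Registrar or pledge implementer could run on a candidate certificate. This is an added example and is not code from the BRSKI draft or from either author. It walks the DER itself so it needs no third-party library; the three sample certificates are constructed skeletons (placeholder issuer, subject, validity, key and signature fields, marked as such in the code) that exist only to exercise the extension check. OIDs used: basicConstraints 2.5.29.19, extKeyUsage 2.5.29.37, id-kp-cmcRA 1.3.6.1.5.5.7.3.28, id-kp-serverAuth 1.3.6.1.5.5.7.3.1.

```python
"""Decide whether an X.509 certificate (DER) qualifies as a BRSKI pinned-domain-cert:
it must be a CA (basicConstraints cA=TRUE) or an RA (id-kp-cmcRA EKU, RFC 6402 2.10).
Added example; not code from the BRSKI draft. Sample certificates below are
constructed skeletons, not real certificates."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_KP_CMC_RA = "1.3.6.1.5.5.7.3.28"      # id-kp-cmcRA (RFC 6402)
OID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, used for the negative sample


# ---- minimal DER encoding, only what the constructed samples need ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER TLV: tag byte, definite length, content."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


# ---- minimal DER decoding ----
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def certificate_extensions(cert_der):
    """Map extnID -> extnValue (inner DER) from tbsCertificate's [3] Extensions."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    exts = {}
    for t, value in _children(tbs):
        if t != 0xA3:                    # [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = _read_tlv(value, 0)
        for _, ext in _children(ext_seq):
            parts = list(_children(ext))  # OID, optional critical BOOLEAN, OCTET STRING
            exts[_decode_oid(parts[0][1])] = parts[-1][1]
    return exts


def pinned_cert_role(cert_der):
    """Return {'ca': bool, 'ra': bool} for the certificate."""
    exts = certificate_extensions(cert_der)
    is_ca = is_ra = False
    if OID_BASIC_CONSTRAINTS in exts:
        _, bc, _ = _read_tlv(exts[OID_BASIC_CONSTRAINTS], 0)
        for t, v in _children(bc):
            if t == 0x01:                # cA BOOLEAN; absent means FALSE
                is_ca = v != b"\x00"
    if OID_EXT_KEY_USAGE in exts:
        _, eku, _ = _read_tlv(exts[OID_EXT_KEY_USAGE], 0)
        is_ra = any(t == 0x06 and _decode_oid(v) == OID_KP_CMC_RA for t, v in _children(eku))
    return {"ca": is_ca, "ra": is_ra}


def acceptable_pinned_domain_cert(cert_der):
    """Esko's rule: the pinned cert must be an RA or a CA (both is fine)."""
    role = pinned_cert_role(cert_der)
    return role["ca"] or role["ra"]


# ---- constructed skeleton certificates (NOT real X.509; for the parser only) ----
def _extension(oid, value_der, critical=False):
    body = der_oid(oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value_der)
    return tlv(0x30, body)


def make_skeleton_cert(extensions):
    empty = tlv(0x30, b"")               # placeholder sigAlg/issuer/validity/subject/spki
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + empty * 5 + tlv(0xA3, tlv(0x30, b"".join(extensions))))
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))   # dummy signature


DOMAIN_CA_CERT = make_skeleton_cert([          # self-signed private domain CA
    _extension(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), critical=True)])
RA_REGISTRAR_CERT = make_skeleton_cert([       # Registrar with CA:FALSE, RA:TRUE
    _extension(OID_BASIC_CONSTRAINTS, tlv(0x30, b""), critical=True),
    _extension(OID_EXT_KEY_USAGE, tlv(0x30, der_oid(OID_KP_CMC_RA)))])
PLAIN_EE_CERT = make_skeleton_cert([           # ordinary TLS server cert: neither
    _extension(OID_EXT_KEY_USAGE, tlv(0x30, der_oid(OID_KP_SERVER_AUTH)))])

if __name__ == "__main__":
    for name, cert in [("domain CA", DOMAIN_CA_CERT), ("RA registrar", RA_REGISTRAR_CERT),
                       ("plain end-entity", PLAIN_EE_CERT)]:
        print(name, pinned_cert_role(cert), "acceptable:", acceptable_pinned_domain_cert(cert))
```

Note that `certificate_extensions` reads only the `[3]` Extensions member of tbsCertificate, so it works on a real DER certificate as well as on the skeletons; the rest of the structure is skipped, not validated. A deployment would of course also verify the signature chain and, for the RA case, that the RA's own certificate chains to the domain CA that signs the pledge's LDevID.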