[Anima] draft-ietf-anim-brski-ae-08 review (was: Re: I-D Action: draft-ietf-anima-brski-ae-09.txt)
Toerless Eckert <tte@cs.fau.de> Thu, 21 December 2023 16:07 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B43CC06F220 for <anima@ietfa.amsl.com>; Thu, 21 Dec 2023 08:07:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.658
X-Spam-Level:
X-Spam-Status: No, score=-6.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B40lVuZEr18U for <anima@ietfa.amsl.com>; Thu, 21 Dec 2023 08:06:55 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D470C151092 for <anima@ietf.org>; Thu, 21 Dec 2023 08:06:53 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4SwwKh5196znkbJ for <anima@ietf.org>; Thu, 21 Dec 2023 17:06:48 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4SwwKh4DSmzkmKg; Thu, 21 Dec 2023 17:06:48 +0100 (CET)
Date: Thu, 21 Dec 2023 17:06:48 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: anima@ietf.org
Message-ID: <ZYRimO0dTJez8BLS@faui48e.informatik.uni-erlangen.de>
References: <170300944223.55321.7286258314361637093@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <170300944223.55321.7286258314361637093@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/QyEq3iB_GsYHO84b1bXpXLADCqg>
Subject: [Anima] draft-ietf-anim-brski-ae-08 review (was: Re: I-D Action: draft-ietf-anima-brski-ae-09.txt)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 16:07:00 -0000
Attached just for the record the review of draft-ietf-anima-brski-ae-08 that lead to -08. All issues have nicely been resolved in -09, will now post shepherd writeup. Thanks a lot Toerless >From eckert Tue Dec 5 16:42:31 2023 Date: Tue, 5 Dec 2023 16:42:31 +0100 To: draft-ietf-anima-brski-ae@ietf.org Subject: Pre: review of draft-ietf-anima-brski-ae-08 Message-ID: <ZW9E54KuMgrVn7uu@faui48e.informatik.uni-erlangen.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline rom: Toerless Eckert <tte@cs.fau.de> Status: RO Content-Length: 92164 Lines: 1927 pre-post to authors, final will go to list. main two issues which we can hopefully sort out in todays call. - title name change - removal of 624-629 Cheers Toerless --- Dear BRSKI-AE authors Thank you very much for this work. This review is part of the documents Shepherd review, in which i will refer to this text and which i'll post soon I think the document is in very good shape with just very few issue left which i think are easy to fix. Sorry for requesting some knucklehead formalisms, but they are going to be helpful to novices in the field who will read the RFC. I will refrain from trying to proof-read the english except for few to me seemingly obvious cases because i am not a native english speaker either. Format is idnits. --- draft-ietf-anima-brski-ae-08.txt: == Missing Reference: 'LCMPP' is mentioned on line 465, but not defined == Outdated reference: draft-ietf-ace-cmpv2-coap-transport has been published as RFC 9482 2 ANIMA WG D. von Oheimb, Ed. 3 Internet-Draft S. Fries 4 Intended status: Standards Track H. Brockhaus 5 Expires: 2 June 2024 Siemens 6 30 November 2023 8 BRSKI-AE: Alternative Enrollment Protocols in BRSKI 9 draft-ietf-anima-brski-ae-08 11 Abstract 13 This document defines an enhancement of Bootstrapping Remote Secure 14 Key Infrastructure (BRSKI, RFC 8995) that supports alternative 15 certificate enrollment protocols, such as CMP. This offers the 16 following advantages. Major: During IETF/IESG review of what became RFC9262, we had a reviewer who did not like the target name "Traffic Engineering for BIER" (because of ultimately not too shabby arguments), so we had to have a re-naming contest in the WG and finally renamed it to "Tree Engineering". Now, when i look at "Alternative Enrollment" protocols and read the text, even this abstract, then i am thinking that a significant part of the text is about those protocols having to support authenticate self-contained signed objects. Which does really not become clear from the title and name "alternative". Alternative for example could also describe a protocol which like EST does NOT meet the the requirements that this document defines as MUST So: How about renaming this document to "Advantageous Enrollment Protocols in BRSKI", and simply define "advantageous" to be protocols supporting "authenticated self-contained signed objects". Which pretty much is what this document does anyhow - already in this abstract. Aka: Change title, add sentence making it clear this document defines advantageous to men supporting authenticated self-contained signed objects", go through the text, replace all instances of "alternative" with "advantageous" (unless there is a reason in specific instances not to - but i don't think there is such an instance). 18 Using authenticated self-contained signed objects for certification 19 requests and responses, their origin can be authenticated 20 independently of message transfer. This supports end-to-end 21 authentication (proof of origin) also over multiple hops, as well as 22 asynchronous operation of certificate enrollment. This in turn 23 provides architectural flexibility where to ultimately authenticate s/where/where and when/ ?? 24 and authorize certification requests while retaining full-strength 25 integrity and authenticity of certification requests. 27 About This Document 29 This note is to be removed before publishing as an RFC. 31 Status information for this document may be found at 32 https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/. 34 Source for this draft and an issue tracker can be found at 35 https://github.com/anima-wg/anima-brski-ae. 37 Status of This Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at https://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on 2 June 2024. 54 Copyright Notice 56 Copyright (c) 2023 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 61 license-info) in effect on the date of publication of this document. 62 Please review these documents carefully, as they describe your rights 63 and restrictions with respect to this document. Code Components 64 extracted from this document must include Revised BSD License text as 65 described in Section 4.e of the Trust Legal Provisions and are 66 provided without warranty as described in the Revised BSD License. 68 Table of Contents 70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 71 1.1. Supported Scenarios . . . . . . . . . . . . . . . . . . . 4 72 1.2. List of Application Examples . . . . . . . . . . . . . . 5 73 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 74 3. Basic Requirements and Mapping to Solutions . . . . . . . . . 7 75 3.1. Solution Options for Proof of Possession . . . . . . . . 7 76 3.2. Solution Options for Proof of Identity . . . . . . . . . 8 77 4. Adaptations to BRSKI . . . . . . . . . . . . . . . . . . . . 9 78 4.1. Architecture . . . . . . . . . . . . . . . . . . . . . . 10 79 4.2. Message Exchange . . . . . . . . . . . . . . . . . . . . 14 80 4.2.1. Pledge - Registrar Discovery . . . . . . . . . . . . 14 81 4.2.2. Pledge - Registrar - MASA Voucher Exchange . . . . . 14 82 4.2.3. Pledge - Registrar - MASA Voucher Status Telemetry . 15 83 4.2.4. Pledge - Registrar - RA/CA Certificate Enrollment . . 15 84 4.2.5. Pledge - Registrar Enrollment Status Telemetry . . . 18 85 4.3. Enhancements to the Endpoint Addressing Scheme of 86 BRSKI . . . . . . . . . . . . . . . . . . . . . . . . . . 18 87 5. Instantiation to Existing Enrollment Protocols . . . . . . . 20 88 5.1. BRSKI-CMP: Instantiation to CMP . . . . . . . . . . . . . 20 89 5.2. Support of Other Enrollment Protocols . . . . . . . . . . 22 90 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 91 7. Security Considerations . . . . . . . . . . . . . . . . . . . 22 92 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 93 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 94 9.1. Normative References . . . . . . . . . . . . . . . . . . 24 95 9.2. Informative References . . . . . . . . . . . . . . . . . 24 96 Appendix A. Application Examples . . . . . . . . . . . . . . . . 27 97 A.1. Rolling Stock . . . . . . . . . . . . . . . . . . . . . . 27 98 A.2. Building Automation . . . . . . . . . . . . . . . . . . . 27 99 A.3. Substation Automation . . . . . . . . . . . . . . . . . . 28 100 A.4. Electric Vehicle Charging Infrastructure . . . . . . . . 28 101 A.5. Infrastructure Isolation Policy . . . . . . . . . . . . . 29 102 A.6. Sites with Insufficient Level of Operational Security . . 29 103 Appendix B. History of Changes TBD RFC Editor: please delete . . 29 104 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 38 105 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 107 1. Introduction 109 BRSKI [RFC8995] is typically used with EST as the enrollment protocol Please expand on first use (EAFU) every "normal" abbreviation e.g. here "Enrollment over Secure Transport", and provide a reference for it if it exists (e.g.: RFC7030 here). Reference should also be included in the terminology definition of abbreviations. A normal abbreviation is one which does not have a "*" after it in: https://www.rfc-editor.org/materials/abbrev.expansion.txt Those with "*" are considered well-known and don't require expansion or references as far as RFC Editor is concerned. E.g.: HTTP or TLS. Security experts may still ask you for version numbers of TLS and references for it, but you can let that be a problem of SEC AD review. If you use an abbreviation that is not in the abbreviation list, please make a remark for RFC editor to consider adding it if you think it's important enough. If you think there is a specific abbreviation that should be marked as well-known, you can also have that argument with RFC-Editor, likely during AUTH48 (aka: some time away). (This whole knucklehead details about abbreviations and references brought to you with kudos to Brian Carpenter, who made me a fan when he asked me for all the same in RFC8994 ;-)) 110 for device certificates employing HTTP over TLS for its message 111 transfer. BRSKI-AE is a variant using alternative enrollment 112 protocols with authenticated self-contained objects for device 113 certificate enrollment. 115 This specification carries over the main characteristics of BRSKI, 116 namely: 118 * The pledge is assumed to have got IDevID credentials during its s/got/received/ EOFU: IDevID, reference is 802.1AR, 119 production. It uses them to authenticate itself to the MASA, the reference for MASA: RFC8995 120 Manufacturer Authorized Signing Authority, and to the registrar, 121 the access point of the target domain, and to possibly further 122 components of the domain where it will be operated. 124 * The pledge first obtains via the voucher exchange a trust anchor voucher [RFC8366] 125 for authenticating entities in the domain such as the domain 126 registrar. 128 * The pledge then generates a device private key, called the LDevID EOFU: LDevID, reference 802.1AR 129 secret, and obtains a domain-specific device certificate, called 130 the LDevID certificate, along with its certificate chain. 132 The goals of BRSKI-AE are to provide an enhancement of BRSKI for 133 LDevID certificate enrollment using, alternatively to EST, a protocol 134 that 136 * supports end-to-end authentication over multiple hops 138 * enables secure message exchange over any kind of transfer, 139 including asynchronous delivery. 141 Note: The BRSKI voucher exchange of the pledge with the registrar and 142 MASA uses authenticated self-contained objects, so the voucher 143 exchange already has these properties. 145 The well-known URI approach of BRSKI and EST messages is extended 146 with an additional path element indicating the enrollment protocol 147 being used. 149 Based on the definition of the overall approach and specific 150 endpoints, this specification enables the registrar to offer multiple 151 enrollment protocols, from which pledges and their developers can 152 then pick the most suitable one. 154 Note: BRSKI (RFC 8995) specifies how to use HTTP over TLS, but 155 further variants are known, such as Constrained BRSKI 156 [I-D.ietf-anima-constrained-voucher] using CoAP over DTLS. In the 157 sequel, 'HTTP' and 'TLS' are just references to the most common case, 158 where variants such as using CoAP and/or DTLS are meant to be 159 subsumed - the differences are not relevant here. minor: suggest to add text like the following to make the scope of the document clearer. This specification is sufficient together with its references to support BRSKI with Lightweight CMP Profile (LCMPP) [RFC9483]. Combining BRSKI with a protocol or profile other than LCMPP will require additional IANA registrations based on the rules specified in this document. It may also require additional protocol specifications for details of the protocol/profile (similar to [RFC9483]), which are outside the scope of this document. 161 1.1. Supported Scenarios 163 BRSKI-AE is intended to be used situations like the following. 165 * pledges and/or the target domain reusing an already established 166 certificate enrollment protocol different from EST, such as CMP EOFU, reference: CMP Whow, CMP is not in RFC editor list. Shame on SEC area, please get that fixed. LCMPP neither. E.g.: find place at the end , add [RFC-Editor]: please add CMP, ..., LCMPP, ... to RFC-editor abbreviations list - This should have been caught during RFC9483 ;-) 168 * scenarios indirectly excluding the use of EST for certificate 169 enrollment, such as: 171 - the RA not being co-located with the registrar while requiring EAFU: RA, not sure which reference 172 end-to-end authentication of requesters, which EST does not 173 support over multiple hops 175 - the RA or CA operator requiring auditable proof of origin of EAFU: CA, not sure which reference. 176 CSRs, which is not possible neither with the transient source 177 authentication provided by TLS. 179 - certificate requests for types of keys that do not support 180 signing, such as KEM and key agreement keys, which is not EAFU: KEM 181 supported by EST because it uses PKCS#10 CSRs expecting proof- EAFU: PKCS#10, CSR... 182 of-possession via a self-signature 184 - pledge implementations using security libraries not providing 185 EST support or a TLS library that does not support providing 186 the so-called tls-unique value [RFC5929] needed by EST for 187 strong binding of the source authentication 189 * no full RA functionality being available on-site in the target 190 domain, while connectivity to an off-site RA may be intermittent 191 or entirely offline. 193 * authoritative actions of a local RA at the registrar being not 194 sufficient for fully and reliably authorizing pledge certification 195 requests, which may be due to missing data access or due to an 196 insufficient level of security, for instance regarding the local 197 storage of private keys 199 1.2. List of Application Examples 201 Bootstrapping can be handled in various ways, depending on the 202 application domains. The informative Appendix A provides 203 illustrative examples from various industrial control system 204 environments and operational setups. They motivate the support of 205 alternative enrollment protocols, based on the following examples of 206 operational environments: 208 * rolling stock 210 * building automation 212 * electrical substation automation 214 * electric vehicle charging infrastructures 216 * infrastructure isolation policy 218 * sites with insufficient level of operational security 220 2. Terminology 222 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 223 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 224 "OPTIONAL" in this document are to be interpreted as described in 225 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 226 capitals, as shown here. 228 This document relies on the terminology defined in [RFC8995], 229 [RFC5280], and [IEEE_802.1AR-2018]. The following terms are 230 described partly in addition. 232 asynchronous communication: time-wise interrupted delivery of 233 messages, here between a pledge and the registrar or an RA 235 authenticated self-contained object: data structure that is 236 cryptographically bound to the identity of its originator by an 237 attached digital signature on the actual object, using a private 238 key of the originator such as the IDevID secret. 240 backend: placement of a domain component separately from the domain 241 registrar; may be on-site or off-site 243 BRSKI-AE: BRSKI with *A*lternative *E*nrollment, a variation of 244 BRSKI [RFC8995] in which BRSKI-EST, the enrollment protocol 245 between pledge and the registrar, is replaced by enrollment 246 protocols that support end-to-end authentication of the pledge to 247 the RA, such as Lightweight CMP. 249 local RA (LRA): a subordinate RA that is close to entities being 250 enrolled and separate from a subsequent RA. In BRSKI-AE it is 251 needed if a backend RA is used, and in this case the LRA is co- 252 located with the registrar. 254 LCMPP: Lightweight CMP Profile [RFC9483] 256 on-site: locality of a component or service or functionality at the 257 site of the registrar 259 off-site: locality of component or service or functionality, such as 260 RA or CA, not at the site of the registrar. This may be a central 261 site or a cloud service, to which connection may be intermittent. 263 pledge: device that is to be bootstrapped to a target domain. It 264 requests an LDevID, a Locally significant Device IDentifier, using 265 IDevID credentials installed by its manufacturer. 267 RA: Registration Authority, the PKI component to which a CA 268 typically delegates certificate management functions such as 269 authenticating pledges and performing authorization checks on 270 certification requests 272 registrar: short for domain registrar 274 site: the locality where an entity, such as a pledge, registrar, or 275 PKI component is deployed. The target domain may have multiple 276 sites. 278 synchronous communication: time-wise uninterrupted delivery of 279 messages, here between a pledge and a registrar or PKI component 281 target domain: the domain that a pledge is going to be bootstrapped 282 to s/to/into/ 284 3. Basic Requirements and Mapping to Solutions 286 Based on the intended target scenarios described in Section 1.1 and 287 the application examples described in Appendix A, the following 288 requirements are derived to support authenticated self-contained 289 objects as containers carrying certification requests. 291 At least the following properties are required for a certification 292 request: 294 * Proof of possession: demonstrates access to the private key 295 corresponding to the public key contained in a certification 296 request. This is typically achieved by a self-signature using the 297 corresponding private key but can also be achieved indirectly, see 298 [RFC4210], Section 4.3. 300 * Proof of identity, also called proof of origin: provides data 301 origin authentication of the certification request. Typically 302 this is achieved by a signature using the pledge IDevID secret 303 over some data, which needs to include a sufficiently strong 304 identifier of the pledge, such as the device serial number 305 typically included in the subject of the IDevID certificate. 307 The rest of this section gives an non-exhaustive list of solution 308 examples, based on existing technology described in IETF documents: 310 3.1. Solution Options for Proof of Possession 312 Certificate signing request (CSR) objects: CSRs are data structures 313 protecting only the integrity of the contained data and providing 314 proof of possession for a (locally generated) private key. Important 315 types of CSR data structures are: 317 * PKCS#10 [RFC2986]. This very common form of CSR is self-signed to 318 protect its integrity and to prove possession of the private key 319 that corresponds to the public key included in the request. 321 * CRMF [RFC4211]. This less common but more general CSR format EAFU CRMF 322 supports several ways of integrity protection and proof of 323 possession- Typically a self-signature is used generated over 324 (part of) the structure with the private key corresponding to the 325 included public key. CRMF also supports further proof-of- 326 possession methods for types of keys that do not have signing 327 capability. For details see [RFC4211], Section 4. 329 Note: The integrity protection of CSRs includes the public key 330 because it is part of the data signed by the corresponding private 331 key. Yet this signature does not provide data origin authentication, 332 i.e., proof of identity of the requester because the key pair 333 involved is fresh. 335 3.2. Solution Options for Proof of Identity 337 Binding a certificate signing request (CSR) to an existing 338 authenticated credential (the BRSKI context, the IDevID certificate) 339 enables proof of origin, which in turn supports an authorization 340 decision on the CSR. 342 The binding of data origin authentication to the CSR is typically 343 delegated to the protocol used for certificate management. This 344 binding may be achieved through security options in an underlying 345 transport protocol such as TLS if the authorization of the 346 certification request is (sufficiently) done at the next 347 communication hop. Depending on the key type, the binding can also 348 be done in a stronger, transport-independent way by wrapping the CSR 349 with a signature. 351 This requirement is addressed by existing enrollment protocols in 352 various ways, such as: 354 * EST [RFC7030], also its variant EST-coaps [RFC9148], utilizes 355 PKCS#10 to encode Certificate Signing Requests (CSRs). While such 356 a CSR was not designed to include a proof of origin, there is a 357 limited, indirect way of binding it to the source authentication 358 of the underlying TLS session. This is achieved by including in 359 the CSR the tls-unique value [RFC5929] resulting from the TLS 360 handshake. As this is optionally supported by the EST 361 "/simpleenroll" endpoint used in BRSKI and the TLS handshake 362 employed in BRSKI includes certificate-based client authentication 363 of the pledge with its IDevID credentials, the proof of pledge 364 identity being an authenticated TLS client can be bound to the 365 CSR. 367 Yet this binding is only valid in the context of the TLS session 368 established with the registrar acting as the EST server and 369 typically also as an RA. So even such a cryptographic binding of 370 the authenticated pledge identity to the CSR is not visible nor 371 verifiable to authorization points outside the registrar, such as 372 a RA in the backend. What the registrar must do is to s/a/a (second)/ ?? (because you start explaning the initial registrar is also RA.) 373 authenticate and pre-authorize the pledge and to indicate this to 374 the RA by signing the forwarded certificate request with its s/RA/(second) RA/ ? 375 private key and a related certificate that has the id-kp-cmcRA 376 extended key usage attribute. 378 [RFC7030], Section 2.5 sketches wrapping PKCS#10-formatted CSRs 379 with a Full PKI Request message sent to the "/fullcmc" endpoint. 380 This would allow for source authentication at message level, such 381 that the registrar could forward it to external RAs in a 382 meaningful way. This approach is so far not sufficiently 383 described and likely has not been implemented. 385 * SCEP [RFC8894] supports using a shared secret (passphrase) or an 386 existing certificate to protect CSRs based on SCEP Secure Message 387 Objects using CMS wrapping ([RFC5652]). Note that the wrapping 388 using an existing IDevID in SCEP is referred to as 'renewal'. 389 This way SCEP does not rely on the security of the underlying 390 message transfer. 392 * CMP [RFC4210] supports using a shared secret (passphrase) or an 393 existing certificate, which may be an IDevID credential, to 394 authenticate certification requests via the PKIProtection 395 structure in a PKIMessage. The certification request is typically 396 encoded utilizing CRMF, while PKCS#10 is supported as an 397 alternative. Thus, CMP does not rely on the security of the 398 underlying message transfer. 400 * CMC [RFC5272] also supports utilizing a shared secret (passphrase) 401 or an existing certificate to protect certification requests, 402 which can be either in CRMF or PKCS#10 structure. The proof of 403 identity can be provided as part of a FullCMCRequest, based on CMS 404 [RFC5652] and signed with an existing IDevID secret. Thus also 405 CMC does not rely on the security of the underlying message 406 transfer. This would be a place for a quick summary stating that EST does not meet the advantageous requirements of this document, but CMP, CMC and SCEP do meet them, and maybe another sentence to say why this document primarily focusses on specifying details for LCMPP ? 408 4. Adaptations to BRSKI 410 To enable using alternative certificate enrollment protocols 411 supporting end-to-end authentication, asynchronous enrollment, and 412 more general system architectures, BRSKI-AE provides some 413 generalizations on BRSKI [RFC8995]. This way, authenticated self- 414 contained objects such as those described in Section 3 above can be 415 used for certificate enrollment, and RA functionality can be 416 distributed freely in the target domain. 418 The enhancements needed are kept to a minimum in order to ensure 419 reuse of already defined architecture elements and interactions. In 420 general, the communication follows the BRSKI model and utilizes the 421 existing BRSKI architecture elements. In particular, the pledge 422 initiates communication with the domain registrar and interacts with 423 the MASA as usual for voucher request and response processing. 425 4.1. Architecture 427 The key element of BRSKI-AE is that the authorization of a 428 certification request MUST be performed based on an authenticated 429 self-contained object. The certification request is bound in a self- 430 contained way to a proof of origin based on the IDevID credentials. 431 Consequently, the certification request may be transferred using any 432 mechanism or protocol. Authentication and authorization of the 433 certification request can be done by the domain registrar and/or by 434 backend domain components. As mentioned in Section 1.1, these 435 components may be offline or off-site. The registrar and other on- 436 site domain components may have no or only temporary (intermittent) 437 connectivity to them. 439 This leads to generalizations in the placement and enhancements of 440 the logical elements as shown in Figure 1. 442 +------------------------+ 443 +--------------Drop-Ship------------->| Vendor Service | 444 | +------------------------+ 445 | | M anufacturer| | 446 | | A uthorized |Ownership| 447 | | S igning |Tracker | 448 | | A uthority | | 449 | +--------------+---------+ 450 | ^ 451 | | 452 V | 453 +--------+ ......................................... | 454 | | . . | BRSKI- 455 | | . +-------+ +--------------+ . | MASA 456 | Pledge | . | Join | | Domain |<----+ 457 | |<------>| Proxy |<-------->| Registrar w/ | . 458 | | . |.......| | LRA or RA | . 459 | IDevID | . +-------+ +--------------+ . 460 | | BRSKI-AE over TLS ^ . 461 +--------+ using, e.g., [LCMPP] | . 462 . | . 463 ...............................|......... 464 on-site (local) domain components | 465 | e.g., [LCMPP] 466 | 467 .............................................|.................. 468 . Public-Key Infrastructure v . 469 . +---------+ +------------------------------------------+ . 470 . | |<----+ Registration Authority | . 471 . | CA +---->| RA (unless part of Domain Registrar) | . 472 . +---------+ +------------------------------------------+ . 473 ................................................................ 474 backend (central or off-site) domain components 476 Figure 1: Architecture Overview Using Backend PKI Components 478 The architecture overview in Figure 1 has the same logical elements 479 as BRSKI, but with more flexible placement of the authentication and 480 authorization checks on certification requests. Depending on the 481 application scenario, the registrar MAY still do all of these checks 482 (as is the case in BRSKI), or part of them. 484 The following list describes the on-site components in the target 485 domain of the pledge shown in Figure 1. 487 * Join Proxy: same functionality as described in BRSKI [RFC8995], 488 Section 4 490 * Domain Registrar including LRA or RA functionality: in BRSKI-AE, 491 the domain registrar has mostly the same functionality as in 492 BRSKI, namely to act as the gatekeeper of the domain for 493 onboarding new devices and to facilitate the communication of 494 pledges with their MASA and the domain PKI. Yet there are some 495 generalizations and specific requirements: 497 1. The registrar MUST support at least one certificate enrollment 498 protocol with authenticated self-contained objects for 499 certification requests. To this end, the URI scheme for 500 addressing endpoints at the registrar is generalized (see 501 Section 4.3). 503 2. Rather than having full RA functionality, the registrar MAY 504 act as a local registration authority (LRA) and delegate part 505 of its involvement in certificate enrollment to a backend RA, 506 called RA. In such scenarios the registrar optionally checks 507 certification requests it receives from pledges and forwards 508 them to the RA. The RA performs the remaining parts of the 509 enrollment request validation and authorization. Note that to 510 this end the RA may need information regarding the 511 authorization of pledges from the registrar or from other 512 sources. On the way back, the registrar forwards responses by 513 the PKI to the pledge on the same channel. 515 Note: In order to support end-to-end authentication of the 516 pledge across the registrar to the RA, the certification 517 request structure signed by the pledge needs to be retained by 518 the registrar, and the registrar cannot use for its 519 communication with the PKI a enrollment protocol different to 520 the one used by the pledge. 522 3. The use of a certificate enrollment protocol with 523 authenticated self-contained objects gives freedom how to 524 transfer enrollment messages between pledge and RA. 525 Regardless how this transfer is protected and how messages are 526 routed, also in case that the RA is not part of the registrar 527 it MUST be guaranteed, like in BRSKI, that the RA accepts 528 certification requests for LDevIDs only with the consent of 529 the registrar. See Section 7 for details how this can be 530 achieved. 532 Despite of the above generalizations to the enrollment phase, the 533 final step of BRSKI, namely the enrollment status telemetry, is kept 534 as it is. 536 The following list describes the components provided by the vendor or 537 manufacturer outside the target domain. 539 * MASA: functionality as described in BRSKI [RFC8995]. The voucher 540 exchange with the MASA via the domain registrar is performed as 541 described in BRSKI. 543 Note: From the definition of the interaction with the MASA in 544 [RFC8995], Section 5 follows that it may be synchronous (using 545 voucher request with nonces) or asynchronous (using nonceless 546 voucher requests). 548 * Ownership tracker: as defined in BRSKI. 550 The following list describes backend target domain components, which 551 may be located on-site or off-site in the target domain. 553 * RA: performs centralized certificate management functions as a 554 public-key infrastructure for the domain operator. As far as not 555 already done by the domain registrar, it performs the final 556 validation and authorization of certification requests. 557 Otherwise, the RA co-located with the domain registrar directly 558 connects to the CA. 560 * CA, also called domain CA: generates domain-specific certificates 561 according to certification requests that have been authenticated 562 and authorized by the registrar and/or and an extra RA. 564 Based on the diagram in BRSKI [RFC8995], Section 2.1 and the 565 architectural changes, the original protocol flow is divided into 566 several phases showing commonalities and differences to the original 567 approach as follows. 569 * Discovery phase: mostly as in BRSKI step (1). For details see 570 Section 4.2.1. 572 * Identification phase: same as in BRSKI step (2). 574 * Voucher exchange phase: same as in BRSKI steps (3) and (4). 576 * Voucher status telemetry: same as in BRSKI directly after step 577 (4). 579 * Certificate enrollment phase: the use of EST in step (5) is 580 changed to employing a certificate enrollment protocol that uses 581 an authenticated self-contained object for requesting the LDevID 582 certificate. 584 For transporting the certificate enrollment request and response 585 messages, the (D)TLS channel established between pledge and 586 registrar is RECOMMENDED to use. To this end, the enrollment 587 protocol, the pledge, and the registrar need to support the usage 588 of the existing channel for certificate enrollment. Due to this 589 recommended architecture, typically the pledge does not need to 590 establish additional connections for certificate enrollment and 591 the registrar retains full control over the certificate enrollment 592 traffic. 594 * Enrollment status telemetry: the final exchange of BRSKI step (5). 596 4.2. Message Exchange 598 The behavior of a pledge described in BRSKI [RFC8995], Section 2.1 is 599 kept, with one major exception. After finishing the Imprint step 600 (4), the Enroll step (5) MUST be performed with an enrollment 601 protocol utilizing authenticated self-contained objects, as explained 602 in Section 3. Section 5 discusses selected suitable enrollment 603 protocols and options applicable. 605 An abstract overview of the BRSKI-AE protocol can be found at 606 [BRSKI-AE-overview]. 608 4.2.1. Pledge - Registrar Discovery 610 Discovery as specified in BRSKI [RFC8995], Section 4 does not support 611 discovery of registrars with enhanced feature sets. A pledge cannot 612 find out in this way whether discovered registrars support the 613 certificate enrollment protocol it expects, such as CMP. 615 As a more general solution, the BRSKI discovery mechanism can be 616 extended to provide upfront information on the capabilities of 617 registrars. Future work such as [I-D.eckert-anima-brski-discovery] 618 may provide this. 620 In the absence of such a generally applicable solution, BRSKI-AE 621 deployments may use their particular way of doing discovery. 622 Section 5.1 defines a minimalist approach that MAY be used for CMP. 624 In controlled environments where the specific BRSKI features required 625 by pledges and the features supported by the registrar(s) are known 626 and considered during engineering, also the following optimistic 627 approach MAY be followed. Each pledge simply assumes that all 628 registrars involved support BRSKI-AE with the enrollment protocol(s) 629 that it requires. I thought the conclusion of our IETF118 side meeting was to remove paragraph 624 - 629 in favor of the text from 620-622/section 5.1 for brski-lcmpp. Aka: please remove 624-629. But Feel free to add after 622: Similar approaches may be used for other advantageous enrollment protocols. Aka: Whenever someone wants to use another protocol like SCEP or CMC, and brski-discovery is not ready then, they'd need to specify a new service name. No big deal. Just not scalable or preferred. 631 4.2.2. Pledge - Registrar - MASA Voucher Exchange 633 The voucher exchange is performed as specified in [RFC8995]. 635 4.2.3. Pledge - Registrar - MASA Voucher Status Telemetry 637 The voucher status telemetry is performed as specified in [RFC8995], 638 Section 5.7. 640 4.2.4. Pledge - Registrar - RA/CA Certificate Enrollment 642 This replaces the EST integration for PKI bootstrapping described in 643 [RFC8995], Section 5.9 (while [RFC8995], Section 5.9.4 remains as the 644 final phase, see below). 646 The certificate enrollment phase may involve transmission of several 647 messages. Details can depend on the application scenario, the 648 employed enrollment protocol, and other factors. 650 The only message exchange REQUIRED is for the actual certificate 651 request and response. Further message exchanges MAY be performed as 652 needed. 654 Note: The message exchanges marked OPTIONAL in the below Figure 2 655 cover all those supported by the use of EST in BRSKI. The last 656 OPTIONAL one, namely certificate confirmation, is not supported by 657 EST, but by CMP and other enrollment protocols. 659 +--------+ +------------+ +------------+ 660 | Pledge | | Domain | | Operator | 661 | | | Registrar | | RA/CA | 662 | | | (JRC) | | (PKI) | 663 +--------+ +------------+ +------------+ 664 | | | 665 | [OPTIONAL request of CA certificates] | | 666 |--------- CA Certs Request (1) --------->| | 667 | | [OPTIONAL forwarding] | 668 | |---CA Certs Request -->| 669 | |<--CA Certs Response---| 670 |<-------- CA Certs Response (2) ---------| | 671 | | | 672 | [OPTIONAL request of attributes | | 673 | to include in Certificate Request] | | 674 |--------- Attribute Request (3) -------->| | 675 | | [OPTIONAL forwarding] | 676 | |--- Attribute Req. --->| 677 | |<-- Attribute Resp. ---| 678 |<-------- Attribute Response (4) --------| | 679 | | | 680 | [REQUIRED certificate request] | | 681 |--------- Certificate Request (5) ------>| | 682 | | [OPTIONAL forwarding] | 683 | |--- Certificate Req.-->| 684 | |<--Certificate Resp.---| 685 |<-------- Certificate Response (6) ------| | 686 | | | 687 | [OPTIONAL certificate confirmation] | | 688 |--------- Certificate Confirm (7) ------>| | 689 | | [OPTIONAL forwarding] | 690 | |---Certificate Conf.-->| 691 | |<---- PKI Confirm -----| 692 |<-------- PKI/Registrar Confirm (8) -----| | 694 Figure 2: Certificate Enrollment 696 Note: Connections between the registrar and the PKI components of the 697 operator (RA, CA, etc.) may be intermittent or off-line. Messages 698 should be sent as soon as sufficient transfer capacity is available. 700 The label [OPTIONAL forwarding] in Figure 2 means that on receiving 701 from a pledge a request message of the given type, the registrar MAY 702 answer the request directly itself. In this case, it MUST 703 authenticate its responses with the same credentials as used for 704 authenticating itself at TLS level for the voucher exchange. 705 Otherwise the registrar MUST forward the request to the RA and 706 forward any resulting response back to the pledge. 708 Note: The decision whether to forward a request or to answer it 709 directly can depend on various static and dynamic factors. They 710 include the application scenario, the capabilities of the registrar 711 and of the local RA possibly co-located with the registrar, the 712 enrollment protocol being used, and the specific contents of the 713 request. 715 Note: There are several options how the registrar could be able to 716 directly answer requests for CA certificates or for certificate 717 request attributes. It could cache responses obtained from the 718 domain PKI and later use their contents for responding to requests 719 asking for the same data. The contents could also be explicit 720 provisioned at the registrar. 722 Note: Certificate requests typically need to be handled by the 723 backend PKI, but the registrar can answer them directly with an error 724 response in case it determines that such a request should be 725 rejected, for instance because is not properly authenticated or not 726 authorized. 727 Also certificate confirmation messages will usually be forwarded to 728 the backend PKI, but if the registrar knows that they are not needed 729 or wanted there it can acknowledge such messages directly. 731 The following list provides an abstract description of the flow 732 depicted in Figure 2. 734 * CA Certs Request (1): The pledge optionally requests the latest 735 relevant CA certificates. This ensures that the pledge has the 736 complete set of current CA certificates beyond the pinned-domain- 737 cert (which is contained in the voucher and may be just the domain 738 registrar certificate). 740 * CA Certs Response (2): This MUST contain any intermediate CA 741 certificates that the pledge may need to validate certificates and 742 MAY contain the LDevID trust anchor. 744 * Attribute Request (3): Typically, the automated bootstrapping 745 occurs without local administrative configuration of the pledge. 746 Nevertheless, there are cases in which the pledge may also include 747 additional attributes specific to the target domain into the 748 certification request. To get these attributes in advance, the 749 attribute request may be used. 751 For example, [RFC8994], Section 6.11.7.2 specifies how the 752 attribute request is used to signal to the pledge the acp-node- 753 name field required for enrollment into an ACP domain. 755 * Attribute Response (4): This MUST contain the attributes to be 756 included in the subsequent certification request. 758 * Certificate Request (5): This MUST contain the authenticated self- 759 contained object ensuring both proof of possession of the 760 corresponding private key and proof of identity of the requester. 762 * Certificate Response (6): This MUST contain on success the 763 requested certificate and MAY include further information, like 764 certificates of intermediate CAs and any additional trust anchors. 766 * Certificate Confirm (7): An optional confirmation sent after the 767 requested certificate has been received and validated. If sent, 768 it MUST contain a positive or negative confirmation by the pledge 769 to the PKI whether the certificate was successfully enrolled and 770 fits its needs. 772 * PKI/Registrar Confirm (8): An acknowledgment by the PKI that MUST 773 be sent on reception of the Cert Confirm. 775 The generic messages described above may be implemented using any 776 certificate enrollment protocol that supports authenticated self- 777 contained objects for the certificate request as described in 778 Section 3. Examples are available in Section 5. 780 Note that the optional certificate confirmation by the pledge to the 781 PKI described above is independent of the mandatory enrollment status 782 telemetry done between the pledge and the registrar in the final 783 phase of BRSKI-AE, described next. 785 4.2.5. Pledge - Registrar Enrollment Status Telemetry 787 The enrollment status telemetry is performed as specified in 788 [RFC8995], Section 5.9.4. 790 In BRSKI this is described as part of the certificate enrollment 791 step, but due to the generalization on the enrollment protocol 792 described in this document its regarded as a separate phase here. 794 4.3. Enhancements to the Endpoint Addressing Scheme of BRSKI 796 BRSKI-AE provides generalizations to the addressing scheme defined in 797 BRSKI [RFC8995], Section 5 to accommodate alternative enrollment 798 protocols that use authenticated self-contained objects for 799 certification requests. As this is supported by various existing 800 enrollment protocols, they can be employed without modifications to 801 existing RAs/CAs supporting the respective enrollment protocol (see 802 also Section 5). 804 The addressing scheme in BRSKI for certification requests and the 805 related CA certificates and CSR attributes retrieval functions uses 806 the definition from EST [RFC7030], here on the example of simple 807 enrollment: "/.well-known/est/simpleenroll". This approach is 808 generalized to the following notation: "/.well-known/<enrollment- 809 protocol>/<request>" in which <enrollment-protocol> refers to a 810 certificate enrollment protocol. Note that enrollment is considered 811 here a message sequence that contains at least a certification 812 request and a certification response. The following conventions are 813 used to provide maximal compatibility with BRSKI: 815 * <enrollment-protocol>: MUST reference the protocol being used. 816 Existing values include 'est' [RFC7030] as in BRSKI and 'cmp' as 817 in [RFC9483] and Section 5.1 below. Values for other existing 818 protocols such as CMC and SCEP, or for newly defined protocols are 819 outside the scope of this document. For use of the <enrollment- 820 protocol> and <request> URI components, they would need to s/to/to be/ 821 specified in a suitable RFC and placed into the Well-Known URIs 822 registry, like done for EST in [RFC7030]. s/like done/as/ 824 * <request>: if present, this path component MUST describe, 825 depending on the enrollment protocol being used, the operation 826 requested. Enrollment protocols are expected to define their 827 request endpoints, as done by existing protocols (see also 828 Section 5). 830 Well-known URIs for various endpoints on the domain registrar are 831 already defined as part of the base BRSKI specification or indirectly 832 by EST. In addition, alternative enrollment endpoints MAY be 833 supported at the registrar. 835 A pledge SHOULD use the endpoints defined for the enrollment 836 protocol(s) that it is capable of and is willing to use. It will 837 recognize whether its preferred protocol or the request that it tries 838 to perform is understood and supported by the domain registrar by 839 sending a request to its preferred enrollment endpoint according to 840 the above addressing scheme and evaluating the HTTP status code in 841 the response. If the pledge uses endpoints that are not 842 standardized, it risks that the registrar does not recognize and 843 accept them even if supporting the intended protocol and operation. 845 The following list of endpoints provides an illustrative example for 846 a domain registrar supporting several options for EST as well as for 847 CMP to be used in BRSKI-AE. The listing contains the supported 848 endpoints to which the pledge may connect for bootstrapping. This 849 includes the voucher handling as well as the enrollment endpoints. 850 The CMP-related enrollment endpoints are defined as well-known URIs 851 in CMP Updates [RFC9480] and the Lightweight CMP Profile [RFC9483]. 853 /.well-known/brski/voucherrequest 854 /.well-known/brski/voucher_status 855 /.well-known/brski/enrollstatus 856 /.well-known/est/cacerts 857 /.well-known/est/csrattrs 858 /.well-known/est/fullcmc 859 /.well-known/cmp/getcacerts 860 /.well-known/cmp/getcertreqtemplate 861 /.well-known/cmp/initialization 862 /.well-known/cmp/p10 864 5. Instantiation to Existing Enrollment Protocols 866 This section maps the generic requirements to support proof of 867 possession and proof of identity to selected existing certificate 868 enrollment protocols and specifies further aspects of using such 869 enrollment protocols in BRSKI-AE. 871 5.1. BRSKI-CMP: Instantiation to CMP 873 Instead of referring to CMP as specified in [RFC4210] and [RFC9480], 874 this document refers to the Lightweight CMP Profile (LCMPP) [RFC9483] 875 because the subset of CMP defined there is sufficient for the 876 functionality needed here. 878 When using CMP, adherence to the LCMPP [RFC9483] is REQUIRED. In 879 particular, the following specific requirements apply (cf. 880 Figure 2). 882 * CA Certs Request (1) and Response (2): 883 Requesting CA certificates over CMP is OPTIONAL. 884 If supported, it SHALL be implemented as specified in [RFC9483], 885 Section 4.3.1. 887 * Attribute Request (3) and Response (4): 888 Requesting certificate request attributes over CMP is OPTIONAL. 889 If supported, it SHALL be implemented as specified in [RFC9483], 890 Section 4.3.3. 892 Alternatively, the registrar MAY modify the contents of requested 893 certificate contents as specified in [RFC9483], Section 5.2.3.2. 895 * Certificate Request (5) and Response (6): 896 Certificates SHALL be requested and provided as specified in the 897 LCMPP [RFC9483], Section 4.1.1 (based on CRMF) or [RFC9483], 898 Section 4.1.4 (based on PKCS#10). 900 Proof of possession SHALL be provided in a way suitable for the 901 key type. Proof of identity SHALL be provided by signature-based 902 protection of the certification request message as outlined in 903 [RFC9483], Section 3.2 using the IDevID secret. 905 Note: When the registrar forwards a certification request by the 906 pledge to a backend RA, the registrar is recommended to wrap the 907 original certification request in a nested message signed with its 908 own credentials as described in [RFC9483], Section 5.2.2.1. This 909 explicitly conveys the consent by the registrar to the RA while 910 retaining the certification request with its proof of origin 911 provided by the pledge signature. 913 In case additional trust anchors (besides the pinned-domain-cert) 914 need to be conveyed to the pledge, this SHOULD be done in the 915 caPubs field of the certificate response message rather than in a 916 CA Certs Response. 918 * Certificate Confirm (7) and PKI/Registrar Confirm (8): 919 Explicit confirmation of new certificates to the RA/CA MAY be used 920 as specified in [RFC9483], Section 4.1.1. 922 Note: Independently of certificate confirmation within CMP, 923 enrollment status telemetry with the registrar will be performed 924 as described in BRSKI [RFC8995], Section 5.9.4. 926 * If delayed delivery of responses (for instance, to support 927 asynchronous enrollment) within CMP is needed, it SHALL be 928 performed as specified in Section 4.4 and Section 5.1.2 of 929 [RFC9483]. 931 Note: The way in which messages are exchanged between the registrar 932 and backend PKI components (i.e., RA or CA) is out of scope of this 933 document. Due to the general independence of CMP of message 934 transfer, it can be freely chosen according to the needs of the 935 application scenario (e.g., using HTTP), while security 936 considerations apply, see Section 7, and guidance can be found in 937 [RFC9483], Section 6. 939 BRSKI-AE with CMP can also be combined with Constrained BRSKI 940 [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment 941 message transport as described by CoAP Transport for CMP 942 [I-D.ietf-ace-cmpv2-coap-transport]. In this scenario, of course the 943 EST-specific parts of [I-D.ietf-anima-constrained-voucher] do not 944 apply. 946 For BRSKI-AE scenarios where a general solution (cf. Section 4.2.1) 947 for discovering registrars with CMP support is not available, the 948 following minimalist approach MAY be used. Perform discovery as 949 defined in BRSKI [RFC8995], Appendix B but using the service name 950 "brski-registrar-cmp" (defined in Section 6) instead of "brski- 951 registrar" (defined in [RFC8995], Section 8.6). Note that this 952 approach does not support join proxies. 954 5.2. Support of Other Enrollment Protocols 956 Further instantiations of BRSKI-AE can be done. They are left for 957 future work. 959 In particular, CMC [RFC5272] (using its in-band source authentication 960 options) and SCEP [RFC8894] (using its 'renewal' option) could be 961 used. 963 The fullCMC variant of EST sketched in [RFC7030], Section 2.5 might 964 also be used here. For EST-fullCMC further specification is 965 necessary. 967 6. IANA Considerations 969 This document requires one IANA action: register in the Service Name 970 and Transport Protocol Port Number Registry 971 (https://www.iana.org/assignments/service-names-port-numbers/service- 972 names-port-numbers.xhtml) the following service name. 974 *Service Name:* brski-registrar-cmp 975 *Transport Protocol(s):* tcp 976 *Assignee:* IESG iesg@ietf.org (mailto:iesg@ietf.org) 977 *Contact:* IESG iesg@ietf.org (mailto:iesg@ietf.org) 978 *Description:* Bootstrapping Remote Secure Key Infrastructure 979 registrar with CMP capabilities Please change the name to brski-registrar-lcmpp and the explanation accordingly to "...registrar with LCMPP profile [RFC9483]" 980 *Reference:* [THISRFC] 982 7. Security Considerations 984 The security considerations laid out in BRSKI [RFC8995] apply for the 985 discovery and voucher exchange as well as for the status exchange 986 information. 988 In particular, even if the registrar delegates part or all of its RA 989 role during certificate enrollment to a separate system, it still 990 must be made sure that the registrar takes part in the decision on 991 accepting or declining a request to join the domain, as required in 992 [RFC8995], Section 5.3. As this pertains also to obtaining a valid 993 domain-specific certificate, it must be made sure that a pledge 994 cannot circumvent the registrar in the decision whether it is granted 995 an LDevID certificate by the CA. There are various ways how to 996 fulfill this, including: 998 * implicit consent 1000 * the registrar signals its consent to the RA out-of-band before or 1001 during the enrollment phase, for instance by entering the pledge 1002 identity in a database. 1004 * the registrar provides its consent using an extra message that is 1005 transferred on the same channel as the enrollment messages, 1006 possibly in a TLS tunnel. 1008 * the registrar explicitly states its consent by signing, in 1009 addition to the pledge, the authenticated self-contained 1010 certificate enrollment request message. 1012 Note: If EST was used, the registrar could give implicit consent on a 1013 certification request by forwarding the request to a PKI entity using 1014 a connection authenticated with a certificate containing an id-kp- 1015 cmcRA extension. 1017 When CMP is used, the security considerations laid out in the LCMPP 1018 [RFC9483] apply. 1020 Note that CMP messages are not encrypted. This may give 1021 eavesdroppers insight on which devices are bootstrapped in the 1022 domain, and this in turn might also be used to selectively block the 1023 enrollment of certain devices. To prevent this, the underlying 1024 message transport channel can be encrypted, for instance by employing 1025 TLS. On the link between the pledge and the registrar this is easily 1026 achieved by reusing the existing TLS channel between them. 1028 8. Acknowledgments 1030 We thank Eliot Lear for his contributions as a co-author at an 1031 earlier draft stage. 1033 We thank Brian E. Carpenter, Michael Richardson, and Giorgio 1034 Romanenghi for their input and discussion on use cases and call 1035 flows. 1037 Moreover, we thank Toerless Eckert, Barry Leiba, Michael Richardson, 1038 Rajeev Ranjan, and Rufus Buschart for their reviews with suggestions 1039 for improvements. Btw: I have started for my latest drafts to put the role under which review was done into parenthesis, helps others to checkmark what type of reviews have been done, e.g.: Barry Leiba (SECdir review). Haven't finished any RFC with that approach yet, so maybe someone will find a process reason to remove such parenthesis again, but just wanted to give the suggestion (ignore if you like). 1041 9. References 1042 9.1. Normative References 1044 [IEEE_802.1AR-2018] 1045 IEEE, "IEEE Standard for Local and Metropolitan Area 1046 Networks - Secure Device Identity", IEEE 802.1AR-2018, 1047 DOI 10.1109/IEEESTD.2018.8423794, August 2018, 1048 <https://ieeexplore.ieee.org/document/8423794>. 1050 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1051 Requirement Levels", BCP 14, RFC 2119, 1052 DOI 10.17487/RFC2119, March 1997, 1053 <https://www.rfc-editor.org/rfc/rfc2119>. 1055 [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, 1056 "Internet X.509 Public Key Infrastructure Certificate 1057 Management Protocol (CMP)", RFC 4210, 1058 DOI 10.17487/RFC4210, September 2005, 1059 <https://www.rfc-editor.org/rfc/rfc4210>. 1061 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1062 Housley, R., and W. Polk, "Internet X.509 Public Key 1063 Infrastructure Certificate and Certificate Revocation List 1064 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 1065 <https://www.rfc-editor.org/rfc/rfc5280>. 1067 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1068 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1069 May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. 1071 [RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M., 1072 and K. Watsen, "Bootstrapping Remote Secure Key 1073 Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, 1074 May 2021, <https://www.rfc-editor.org/rfc/rfc8995>. 1076 [RFC9480] Brockhaus, H., von Oheimb, D., and J. Gray, "Certificate 1077 Management Protocol (CMP) Updates", RFC 9480, 1078 DOI 10.17487/RFC9480, November 2023, 1079 <https://www.rfc-editor.org/rfc/rfc9480>. 1081 [RFC9483] Brockhaus, H., von Oheimb, D., and S. Fries, "Lightweight 1082 Certificate Management Protocol (CMP) Profile", RFC 9483, 1083 DOI 10.17487/RFC9483, November 2023, 1084 <https://www.rfc-editor.org/rfc/rfc9483>. 1086 9.2. Informative References 1088 [BRSKI-AE-overview] 1089 S. Fries and D. von Oheimb, "BRSKI-AE Protocol Overview", 1090 March 2023, 1091 <https://datatracker.ietf.org/meeting/116/materials/ 1092 slides-116-anima-update-on-brski-ae-alternative- 1093 enrollment-protocols-in-brski-00>. Graphics on slide 4 of 1094 the BRSKI-AE draft 04 status update at IETF 116. 1096 [I-D.eckert-anima-brski-discovery] 1097 Eckert, T. T., von Oheimb, D., and E. Dijk, "Discovery for 1098 BRSKI variations", Work in Progress, Internet-Draft, 1099 draft-eckert-anima-brski-discovery-01, 23 October 2023, 1100 <https://datatracker.ietf.org/doc/html/draft-eckert-anima- 1101 brski-discovery-01>. 1103 [I-D.ietf-ace-cmpv2-coap-transport] 1104 Sahni, M. and S. Tripathi, "Constrained Application 1105 Protocol (CoAP) Transfer for the Certificate Management 1106 Protocol", Work in Progress, Internet-Draft, draft-ietf- 1107 ace-cmpv2-coap-transport-10, 15 May 2023, 1108 <https://datatracker.ietf.org/doc/html/draft-ietf-ace- 1109 cmpv2-coap-transport-10>. 1111 [I-D.ietf-anima-constrained-voucher] 1112 Richardson, M., Van der Stok, P., Kampanakis, P., and E. 1113 Dijk, "Constrained Bootstrapping Remote Secure Key 1114 Infrastructure (BRSKI)", Work in Progress, Internet-Draft, 1115 draft-ietf-anima-constrained-voucher-22, 21 November 2023, 1116 <https://datatracker.ietf.org/doc/html/draft-ietf-anima- 1117 constrained-voucher-22>. 1119 [IEC-62351-9] 1120 International Electrotechnical Commission, "IEC 62351 - 1121 Power systems management and associated information 1122 exchange - Data and communications security - Part 9: 1123 Cyber security key management for power system equipment", 1124 IEC 62351-9, May 2017. 1126 [ISO-IEC-15118-2] 1127 International Standardization Organization / International 1128 Electrotechnical Commission, "ISO/IEC 15118-2 Road 1129 vehicles - Vehicle-to-Grid Communication Interface - Part 1130 2: Network and application protocol requirements", ISO/ 1131 IEC 15118-2, April 2014. 1133 [NERC-CIP-005-5] 1134 North American Reliability Council, "Cyber Security - 1135 Electronic Security Perimeter", CIP 005-5, December 2013. 1137 [OCPP] Open Charge Alliance, "Open Charge Point Protocol 2.0.1 1138 (Draft)", December 2019. 1140 [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification 1141 Request Syntax Specification Version 1.7", RFC 2986, 1142 DOI 10.17487/RFC2986, November 2000, 1143 <https://www.rfc-editor.org/rfc/rfc2986>. 1145 [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure 1146 Certificate Request Message Format (CRMF)", RFC 4211, 1147 DOI 10.17487/RFC4211, September 2005, 1148 <https://www.rfc-editor.org/rfc/rfc4211>. 1150 [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS 1151 (CMC)", RFC 5272, DOI 10.17487/RFC5272, June 2008, 1152 <https://www.rfc-editor.org/rfc/rfc5272>. 1154 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 1155 RFC 5652, DOI 10.17487/RFC5652, September 2009, 1156 <https://www.rfc-editor.org/rfc/rfc5652>. 1158 [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings 1159 for TLS", RFC 5929, DOI 10.17487/RFC5929, July 2010, 1160 <https://www.rfc-editor.org/rfc/rfc5929>. 1162 [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., 1163 "Enrollment over Secure Transport", RFC 7030, 1164 DOI 10.17487/RFC7030, October 2013, 1165 <https://www.rfc-editor.org/rfc/rfc7030>. 1167 [RFC8894] Gutmann, P., "Simple Certificate Enrolment Protocol", 1168 RFC 8894, DOI 10.17487/RFC8894, September 2020, 1169 <https://www.rfc-editor.org/rfc/rfc8894>. 1171 [RFC8994] Eckert, T., Ed., Behringer, M., Ed., and S. Bjarnason, "An 1172 Autonomic Control Plane (ACP)", RFC 8994, 1173 DOI 10.17487/RFC8994, May 2021, 1174 <https://www.rfc-editor.org/rfc/rfc8994>. 1176 [RFC9148] van der Stok, P., Kampanakis, P., Richardson, M., and S. 1177 Raza, "EST-coaps: Enrollment over Secure Transport with 1178 the Secure Constrained Application Protocol", RFC 9148, 1179 DOI 10.17487/RFC9148, April 2022, 1180 <https://www.rfc-editor.org/rfc/rfc9148>. 1182 [UNISIG-Subset-137] 1183 UNISIG, "Subset-137; ERTMS/ETCS On-line Key Management 1184 FFFIS; V1.0.0", December 2015, 1185 <https://www.era.europa.eu/sites/default/files/filesystem/ 1186 ertms/ccs_tsi_annex_a_-_mandatory_specifications/ 1187 set_of_specifications_3_etcs_b3_r2_gsm-r_b1/index083_- 1188 _subset-137_v100.pdf>. 1189 http://www.kmc-subset137.eu/index.php/download/ 1191 Appendix A. Application Examples 1193 This informative annex provides some detail to the application 1194 examples listed in Section 1.2. 1196 A.1. Rolling Stock 1198 Rolling stock or railroad cars contain a variety of sensors, 1199 actuators, and controllers, which communicate within the railroad car 1200 but also exchange information between railroad cars forming a train, 1201 with track-side equipment, and/or possibly with backend systems. 1202 These devices are typically unaware of backend system connectivity. 1203 Enrolling certificates may be done during maintenance cycles of the 1204 railroad car, but can already be prepared during operation. Such 1205 asynchronous enrollment will include generating certification 1206 requests, which are collected and later forwarded for processing 1207 whenever the railroad car gets connectivity with the backend PKI of 1208 the operator. The authorization of the certification request is then 1209 done based on the operator's asset/inventory information in the 1210 backend. 1212 UNISIG has included a CMP profile for enrollment of TLS client and 1213 server X.509 certificates of on-board and track-side components in 1214 the Subset-137 specifying the ETRAM/ETCS online key management for 1215 train control systems [UNISIG-Subset-137]. 1217 A.2. Building Automation 1219 In building automation scenarios, a detached building or the basement 1220 of a building may be equipped with sensors, actuators, and 1221 controllers that are connected with each other in a local network but 1222 with only limited or no connectivity to a central building management 1223 system. This problem may occur during installation time but also 1224 during operation. In such a situation a service technician collects 1225 the necessary data and transfers it between the local network and the 1226 central building management system, e.g., using a laptop or a mobile 1227 phone. This data may comprise parameters and settings required in 1228 the operational phase of the sensors/actuators, like a component 1229 certificate issued by the operator to authenticate against other 1230 components and services. 1232 The collected data may be provided by a domain registrar already 1233 existing in the local network. In this case connectivity to the 1234 backend PKI may be facilitated by the service technician's laptop. 1235 Alternatively, the data can also be collected from the pledges 1236 directly and provided to a domain registrar deployed in a different 1237 network as preparation for the operational phase. In this case, 1238 connectivity to the domain registrar may also be facilitated by the 1239 service technician's laptop. 1241 A.3. Substation Automation 1243 In electrical substation automation scenarios, a control center 1244 typically hosts PKI services to issue certificates for Intelligent 1245 Electronic Devices operated in a substation. Communication between 1246 the substation and control center is performed through a 1247 proxy/gateway/DMZ, which terminates protocol flows. Note that 1248 [NERC-CIP-005-5] requires inspection of protocols at the boundary of 1249 a security perimeter (the substation in this case). In addition, 1250 security management in substation automation assumes central support 1251 of several enrollment protocols in order to support the various 1252 capabilities of IEDs from different vendors. The IEC standard 1253 IEC62351-9 [IEC-62351-9] specifies for the infrastructure side 1254 mandatory support of two enrollment protocols: SCEP [RFC8894] and EST 1255 [RFC7030], while an Intelligent Electronic Device may support only 1256 one of them. 1258 A.4. Electric Vehicle Charging Infrastructure 1260 For electric vehicle charging infrastructure, protocols have been 1261 defined for the interaction between the electric vehicle and the 1262 charging point (e.g., ISO 15118-2 [ISO-IEC-15118-2]) as well as 1263 between the charging point and the charging point operator (e.g. 1264 OCPP [OCPP]). Depending on the authentication model, unilateral or 1265 mutual authentication is required. In both cases the charging point 1266 uses an X.509 certificate to authenticate itself in TLS channels 1267 between the electric vehicle and the charging point. The management 1268 of this certificate depends, among others, on the selected backend 1269 connectivity protocol. In the case of OCPP, this protocol is meant 1270 to be the only communication protocol between the charging point and 1271 the backend, carrying all information to control the charging 1272 operations and maintain the charging point itself. This means that 1273 the certificate management needs to be handled in-band of OCPP. This 1274 requires the ability to encapsulate the certificate management 1275 messages in a transport-independent way. Authenticated self- 1276 containment will support this by allowing the transport without a 1277 separate enrollment protocol, binding the messages to the identity of 1278 the communicating endpoints. 1280 A.5. Infrastructure Isolation Policy 1282 This refers to any case in which network infrastructure is normally 1283 isolated from the Internet as a matter of policy, most likely for 1284 security reasons. In such a case, limited access to external PKI 1285 services will be allowed in carefully controlled short periods of 1286 time, for example when a batch of new devices is deployed, and 1287 forbidden or prevented at other times. 1289 A.6. Sites with Insufficient Level of Operational Security 1291 The RA performing (at least part of) the authorization of a 1292 certification request is a critical PKI component and therefore 1293 requires higher operational security than components utilizing the 1294 issued certificates for their security features. CAs may also demand 1295 higher security in the registration procedures from RAs, which domain 1296 registrars with co-located RAs may not be able to fulfill. 1297 Especially the CA/Browser forum currently increases the security 1298 requirements in the certificate issuance procedures for publicly 1299 trusted certificates, i.e., those placed in trust stores of browsers, 1300 which may be used to connect with devices in the domain. In case the 1301 on-site components of the target domain cannot be operated securely 1302 enough for the needs of an RA, this service should be transferred to 1303 an off-site backend component that has a sufficient level of 1304 security. 1306 Appendix B. History of Changes TBD RFC Editor: please delete 1308 List of reviewers: 1310 * Toerless Eckert (document shepherd) 1312 * Barry Leiba (SECDIR) 1314 * Michael Richardson 1316 * Rajeev Ranjan, Siemens 1318 * Rufus Buschart, Siemens 1320 * YANGDOCTORS Early review of 2021-08-15 1321 (https://datatracker.ietf.org/doc/review-ietf-anima-brski-async- 1322 enroll-03-yangdoctors-early-rahman-2021-08-15/) referred to the 1323 PRM aspect of draft-ietf-anima-brski-async-enroll-03 1324 (https://datatracker.ietf.org/doc/draft-ietf-anima-brski-async- 1325 enroll/03/). This has been carved out of the draft to a different 1326 one and thus is no more applicable here. 1328 IETF draft ae-07 -> ae-08: 1330 * Update references to service names in Section 5.1 1332 IETF draft ae-06 -> ae-07: 1334 * Update subsections on discovery according to discussion in the 1335 design team 1337 * In Section 5.1, replace 'mandatory' by 'REQUIRED' regarding 1338 adherence to LCMPP, 1339 in response to SECDIR Last Call Review of ae-06 by Barry Leiba 1341 IETF draft ae-05 -> ae-06: 1343 * Extend section on discovery according to discussion in the design 1344 team 1346 * Make explicit that MASA voucher status telemetry is as in BRSKI 1348 * Add note that on delegation, RA may need info on pledge 1349 authorization 1351 IETF draft ae-04 -> ae-05: 1353 * Remove entries from the terminology section that should be clear 1354 from BRSKI 1356 * Tweak use of the terms IDevID and LDevID and replace PKI RA/CA by 1357 RA/CA 1359 * Add the abbreviation 'LCMPP' for Lightweight CMP Profile to the 1360 terminology section 1362 * State clearly in Section 5.1 that LCMPP is mandatory when using 1363 CMP 1365 * Change URL of BRSKI-AE-overview graphics to slide on IETF 116 1366 meeting material 1368 IETF draft ae-03 -> ae-04: 1370 * In response to SECDIR Early Review of ae-03 by Barry Leiba, 1372 - replace 'end-to-end security' by the more clear 'end-to-end 1373 authentication' 1375 - restrict the meaning of the abbreviation 'AE' to 'Alternative 1376 Enrollment' 1378 - replace 'MAY' by 'may' in requirement on delegated registrar 1379 actions 1381 - re-phrase requirement on certificate request exchange, avoiding 1382 MANDATORY 1384 - mention that further protocol names need be put in Well-Known 1385 URIs registry 1387 - explain consequence of using non-standard endpoints, not 1388 following SHOULD 1390 - remove requirement that 'caPubs' field in CMP responses SHOULD 1391 NOT be used 1393 - add paragraph in security considerations on additional use of 1394 TLS for CMP 1396 * In response to further internal reviews and suggestions for 1397 generalization, 1399 - significantly cut down the introduction because the original 1400 motivations and most explanations are no more needed and would 1401 just make it lengthy to read 1403 - sort out asynchronous vs. offline transfer, offsite vs. backend 1404 components 1406 - improve description of CSRs and proof of possession vs. proof 1407 of origin 1409 - clarify that the channel between pledge and registrar is not 1410 restricted to TLS, but in connection with constrained BRSKI may 1411 also be DTLS. Also move the references to Constrained BRSKI 1412 and CoAPS to better contexts. 1414 - clarify that the registrar must not be circumvented in the 1415 decision to grant and LDevID, and give hints and 1416 recommendations how to make sure this 1418 - clarify that the cert enrollment phase may involve additional 1419 messages and that BRSKI-AE replaces [RFC8995], Section 5.9 1420 (except Section 5.9.4) 1422 - the certificate enrollment protocol needs to support transport 1423 over (D)TLS only as far as its messages are transported between 1424 pledge and registrar. 1426 - the certificate enrollment protocol chosen between pledge and 1427 registrar needs to be used also for the upstream enrollment 1428 exchange with the PKI only if end-to-end authentication shall 1429 be achieved across the registrar to the PKI. 1431 - add that with CMP, further trust anchors SHOULD be transported 1432 via caPubs 1434 - remove the former Appendix A: "Using EST for Certificate 1435 Enrollment", moving relevant points to the list of scenarios in 1436 Section 1.1: "Supported Scenarios", 1438 - streamline the item on EST in Section 3.2: "Solution Options 1439 for Proof of Identity", 1441 - various minor editorial improvements like making the wording 1442 more consistent 1444 IETF draft ae-02 -> ae-03: 1446 * In response to review by Toerless Eckert, 1448 - many editorial improvements and clarifications as suggested, 1449 such as the comparison to plain BRSKI, the description of 1450 offline vs. synchronous message transfer and enrollment, and 1451 better differentiation of RA flavors. 1453 - clarify that for transporting certificate enrollment messages 1454 between pledge and registrar, the TLS channel established 1455 between these two (via the join proxy) is used and the 1456 enrollment protocol MUST support this. 1458 - clarify that the enrollment protocol chosen between pledge and 1459 registrar MUST also be used for the upstream enrollment 1460 exchange with the PKI. 1462 - extend the description and requirements on how during the 1463 certificate enrollment phase the registrar MAY handle requests 1464 by the pledge itself and otherwise MUST forward them to the PKI 1465 and forward responses to the pledge. 1467 * Change "The registrar MAY offer different enrollment protocols" to 1468 "The registrar MUST support at least one certificate enrollment 1469 protocol ..." 1471 * In response to review by Michael Richardson, 1473 - slightly improve the structuring of the Message Exchange 1474 Section 4.2 and add some detail on the request/response 1475 exchanges for the enrollment phase 1477 - merge the 'Enhancements to the Addressing Scheme' Section 4.3 1478 with the subsequent one: 'Domain Registrar Support of 1479 Alternative Enrollment Protocols' 1481 - add reference to SZTP (RFC 8572) 1483 - extend venue information 1485 - convert output of ASCII-art figures to SVG format 1487 - various small other text improvements as suggested/provided 1489 * Remove the tentative informative instantiation to EST-fullCMC 1491 * Move Eliot Lear from co-author to contributor, add him to the 1492 acknowledgments 1494 * Add explanations for terms such as 'target domain' and 'caPubs' 1496 * Fix minor editorial issues and update some external references 1498 IETF draft ae-01 -> ae-02: 1500 * Architecture: clarify registrar role including RA/LRA/enrollment 1501 proxy 1503 * CMP: add reference to CoAP Transport for CMPV2 and Constrained 1504 BRSKI 1506 * Include venue information 1508 From IETF draft 05 -> IETF draft ae-01: 1510 * Renamed the repo and files from anima-brski-async-enroll to anima- 1511 brski-ae 1513 * Added graphics for abstract protocol overview as suggested by 1514 Toerless Eckert 1516 * Balanced (sub-)sections and their headers 1518 * Added details on CMP instance, now called BRSKI-CMP 1519 From IETF draft 04 -> IETF draft 05: 1521 * David von Oheimb became the editor. 1523 * Streamline wording, consolidate terminology, improve grammar, etc. 1525 * Shift the emphasis towards supporting alternative enrollment 1526 protocols. 1528 * Update the title accordingly - preliminary change to be approved. 1530 * Move comments on EST and detailed application examples to 1531 informative annex. 1533 * Move the remaining text of section 3 as two new sub-sections of 1534 section 1. 1536 From IETF draft 03 -> IETF draft 04: 1538 * Moved UC2-related parts defining the pledge in responder mode to a 1539 separate document. This required changes and adaptations in 1540 several sections. Main changes concerned the removal of the 1541 subsection for UC2 as well as the removal of the YANG model 1542 related text as it is not applicable in UC1. 1544 * Updated references to the Lightweight CMP Profile (LCMPP). 1546 * Added David von Oheimb as co-author. 1548 From IETF draft 02 -> IETF draft 03: 1550 * Housekeeping, deleted open issue regarding YANG voucher-request in 1551 UC2 as voucher-request was enhanced with additional leaf. 1553 * Included open issues in YANG model in UC2 regarding assertion 1554 value agent-proximity and CSR encapsulation using SZTP sub 1555 module). 1557 From IETF draft 01 -> IETF draft 02: 1559 * Defined call flow and objects for interactions in UC2. Object 1560 format based on draft for JOSE signed voucher artifacts and 1561 aligned the remaining objects with this approach in UC2 . 1563 * Terminology change: issue #2 pledge-agent -> registrar-agent to 1564 better underline agent relation. 1566 * Terminology change: issue #3 PULL/PUSH -> pledge-initiator-mode 1567 and pledge-responder-mode to better address the pledge operation. 1569 * Communication approach between pledge and registrar-agent changed 1570 by removing TLS-PSK (former section TLS establishment) and 1571 associated references to other drafts in favor of relying on 1572 higher layer exchange of signed data objects. These data objects 1573 are included also in the pledge-voucher-request and lead to an 1574 extension of the YANG module for the voucher-request (issue #12). 1576 * Details on trust relationship between registrar-agent and 1577 registrar (issue #4, #5, #9) included in UC2. 1579 * Recommendation regarding short-lived certificates for registrar- 1580 agent authentication towards registrar (issue #7) in the security 1581 considerations. 1583 * Introduction of reference to agent signing certificate using SKID 1584 in agent signed data (issue #11). 1586 * Enhanced objects in exchanges between pledge and registrar-agent 1587 to allow the registrar to verify agent-proximity to the pledge 1588 (issue #1) in UC2. 1590 * Details on trust relationship between registrar-agent and pledge 1591 (issue #5) included in UC2. 1593 * Split of use case 2 call flow into sub sections in UC2. 1595 From IETF draft 00 -> IETF draft 01: 1597 * Update of scope in Section 1.1 to include in which the pledge acts 1598 as a server. This is one main motivation for use case 2. 1600 * Rework of use case 2 to consider the transport between the pledge 1601 and the pledge-agent. Addressed is the TLS channel establishment 1602 between the pledge-agent and the pledge as well as the endpoint 1603 definition on the pledge. 1605 * First description of exchanged object types (needs more work) 1607 * Clarification in discovery options for enrollment endpoints at the 1608 domain registrar based on well-known endpoints in Section 4.3 do 1609 not result in additional /.well-known URIs. Update of the 1610 illustrative example. Note that the change to /brski for the 1611 voucher-related endpoints has been taken over in the BRSKI main 1612 document. 1614 * Updated references. 1616 * Included Thomas Werner as additional author for the document. 1618 From individual version 03 -> IETF draft 00: 1620 * Inclusion of discovery options of enrollment endpoints at the 1621 domain registrar based on well-known endpoints in Section 4.3 as 1622 replacement of section 5.1.3 in the individual draft. This is 1623 intended to support both use cases in the document. An 1624 illustrative example is provided. 1626 * Missing details provided for the description and call flow in 1627 pledge-agent use case UC2, e.g. to accommodate distribution of CA 1628 certificates. 1630 * Updated CMP example in Section 5 to use Lightweight CMP instead of 1631 CMP, as the draft already provides the necessary /.well-known 1632 endpoints. 1634 * Requirements discussion moved to separate section in Section 3. 1635 Shortened description of proof-of-identity binding and mapping to 1636 existing protocols. 1638 * Removal of copied call flows for voucher exchange and registrar 1639 discovery flow from [RFC8995] in Section 4 to avoid doubling or 1640 text or inconsistencies. 1642 * Reworked abstract and introduction to be more crisp regarding the 1643 targeted solution. Several structural changes in the document to 1644 have a better distinction between requirements, use case 1645 description, and solution description as separate sections. 1646 History moved to appendix. 1648 From individual version 02 -> 03: 1650 * Update of terminology from self-contained to authenticated self- 1651 contained object to be consistent in the wording and to underline 1652 the protection of the object with an existing credential. Note 1653 that the naming of this object may be discussed. An alternative 1654 name may be attestation object. 1656 * Simplification of the architecture approach for the initial use 1657 case having an offsite PKI. 1659 * Introduction of a new use case utilizing authenticated self- 1660 contain objects to onboard a pledge using a commissioning tool 1661 containing a pledge-agent. This requires additional changes in 1662 the BRSKI call flow sequence and led to changes in the 1663 introduction, the application example,and also in the related 1664 BRSKI-AE call flow. 1666 * Update of provided examples of the addressing approach used in 1667 BRSKI to allow for support of multiple enrollment protocols in 1668 Section 4.3. 1670 From individual version 01 -> 02: 1672 * Update of introduction text to clearly relate to the usage of 1673 IDevID and LDevID. 1675 * Definition of the addressing approach used in BRSKI to allow for 1676 support of multiple enrollment protocols in Section 4.3. This 1677 section also contains a first discussion of an optional discovery 1678 mechanism to address situations in which the registrar supports 1679 more than one enrollment approach. Discovery should avoid that 1680 the pledge performs a trial and error of enrollment protocols. 1682 * Update of description of architecture elements and changes to 1683 BRSKI in Section 4.1. 1685 * Enhanced consideration of existing enrollment protocols in the 1686 context of mapping the requirements to existing solutions in 1687 Section 3 and in Section 5. 1689 From individual version 00 -> 01: 1691 * Update of examples, specifically for building automation as well 1692 as two new application use cases in Appendix A. 1694 * Deletion of asynchronous interaction with MASA to not complicate 1695 the use case. Note that the voucher exchange can already be 1696 handled in an asynchronous manner and is therefore not considered 1697 further. This resulted in removal of the alternative path the 1698 MASA in Figure 1 and the associated description in Section 4.1. 1700 * Enhancement of description of architecture elements and changes to 1701 BRSKI in Section 4.1. 1703 * Consideration of existing enrollment protocols in the context of 1704 mapping the requirements to existing solutions in Section 3. 1706 * New section starting Section 5 with the mapping to existing 1707 enrollment protocols by collecting boundary conditions. 1709 Contributors 1711 Eliot Lear 1712 Cisco Systems 1713 Richtistrasse 7 1714 CH-8304 Wallisellen 1715 Switzerland 1716 Phone: +41 44 878 9200 1717 Email: lear@cisco.com 1719 Authors' Addresses 1721 David von Oheimb (editor) 1722 Siemens AG 1723 Otto-Hahn-Ring 6 1724 81739 Munich 1725 Germany 1726 Email: david.von.oheimb@siemens.com 1727 URI: https://www.siemens.com/ 1729 Steffen Fries 1730 Siemens AG 1731 Otto-Hahn-Ring 6 1732 81739 Munich 1733 Germany 1734 Email: steffen.fries@siemens.com 1735 URI: https://www.siemens.com/ 1737 Hendrik Brockhaus 1738 Siemens AG 1739 Otto-Hahn-Ring 6 1740 81739 Munich 1741 Germany 1742 Email: hendrik.brockhaus@siemens.com 1743 URI: https://www.siemens.com/
- [Anima] I-D Action: draft-ietf-anima-brski-ae-09.… internet-drafts
- [Anima] List of changes - Re: I-D Action: draft-i… David von Oheimb
- [Anima] draft-ietf-anim-brski-ae-08 review (was: … Toerless Eckert