[Anima] some minor questions about ACP -23

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 10 March 2020 12:20 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
Date: Tue, 10 Mar 2020 08:20:18 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/RK2Zs7SMINkq28n6Zx007FhjmaU>
Subject: [Anima] some minor questions about ACP -23

section 6.1.5 says:

   When BRSKI (see
   [I-D.ietf-anima-bootstrapping-keyinfra]) is used, the IPv6 locator of
   the BRSKI registrar from the BRSKI TLS connection SHOULD be
   remembered and used for the next renewal via EST if that registrar
   also announces itself as an EST server via GRASP (see next section)
   on its ACP address.

The BRSKI TLS connection is proxied through a join proxy.
The pledge (new node) never knows what the IPv6 locator of the BRSKI registrar is.
I suggest removing this paragraph, the node should listen for the EST GRASP
announcement.


6.1.5.3 mandates use of CRLs rather than OCSP.
I'm okay with that, but I wanted to make sure the WG understood.
OCSP might require a node to be on the ACP before it could get on the
ACP.  CRLs could be cached for extended periods of time.

We might consider adding a CRL retrieval step to BRSKI, after the cacerts are
retrieved.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-