Re: [Anima] [Iot-onboarding] OPC and BRSKI

Michael Richardson <> Wed, 07 August 2019 21:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9CB8A120059; Wed, 7 Aug 2019 14:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NHPgbhFczVXN; Wed, 7 Aug 2019 14:07:56 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8C17112003F; Wed, 7 Aug 2019 14:07:56 -0700 (PDT)
Received: from (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by (Postfix) with ESMTP id C73A83818D; Wed, 7 Aug 2019 17:07:17 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id BBB31479; Wed, 7 Aug 2019 17:07:54 -0400 (EDT)
From: Michael Richardson <>
To: "" <>, "" <>
In-Reply-To: <>
References: <> <> <> <> <> <> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 07 Aug 2019 17:07:54 -0400
Message-ID: <32095.1565212074@localhost>
Archived-At: <>
Subject: Re: [Anima] [Iot-onboarding] OPC and BRSKI
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Aug 2019 21:07:59 -0000

Randy Armstrong (OPC) <> wrote:
    > It would be easy to drop in a OPC UA aware registrar and implement all
    > of the BRKSI flows back to the MASA. The only nuisance factor is the
    > 'prior-signed-voucher-request'. If MASA's are willing allow this field
    > to be omitted and to trust the Registrar then nothing more needs to
    > done. If MASA's need this field then we could get it from the Device
    > via OPC UA but producing the CMS message adds an additional burden on
    > low end devices (i.e. the need to pull in libraries that provide the
    > same functionality as OPC UA but do it in different format).

Please spend some time reading RFC8366 and RFC8572 (SZTP).
prior-signed-voucher-request is how BRSKI establishes proximity over a local
TLS connection, and you seem to want to avoid that technology.

That's not the only kind of *voucher request*, and RFC8366 allows vouchers to
have other kinds of assertions.  It sounds like you would be very happy
with supply-chain integration of vouchers, and the RFC8572 use of "verified"
vouchers would fit well.  In order to support resale, some mechanism of
updating the trust anchors would have to be profiled.

RFC8572 uses CMS signed JSON for vouchers, and for some configuration
assertions, and while RESTCONF is an option, it's not the only option.

I have downloaded the OPC documents, and I'll skim them tomorrow.

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-