[Anima] Re: I-D Action: draft-ietf-anima-rfc8366bis-12.txt
Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 09 July 2024 10:07 UTC
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] Re: I-D Action: draft-ietf-anima-rfc8366bis-12.txt
Thread-Index: AQHa0YaEyGnM7Pmp50mTTjtlZk3DubHuKw8w
Date: Tue, 09 Jul 2024 10:06:51 +0000
Message-ID: <DU0P190MB1978B664AF7BB944E4C6F656FDDB2@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <172047704310.461285.3728066842265531644@dt-datatracker-5f88556585-j5r2h> <9578.1720477785@obiwan.sandelman.ca>
In-Reply-To: <9578.1720477785@obiwan.sandelman.ca>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/S7zUTinr58yt_wFwi_42ITNBuvU>
Hi,

About certificates, keys, examples: the scripts and material used in cBRSKI may be useful as a reference - just in case of doubt. See:
https://github.com/anima-wg/constrained-voucher/tree/master/examples/script-cose-examples
https://github.com/anima-wg/constrained-voucher/tree/master/examples/cose-examples

> two possible formats for private keys, the PKCS8 one and the PKCS1 one. Are there
> preferences?

Maybe the simplest format? (shortest)

> Do people want them all expanded?

We could start with not all expanded, and reviews would show if there's a need for it.

Esko

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: Tuesday, July 9, 2024 00:30
To: anima@ietf.org
Subject: [Anima] Re: I-D Action: draft-ietf-anima-rfc8366bis-12.txt

I have finally returned to the ~23 issues that have been open for ~1 year.
I only got three issues closed today, but I'll continue working up to the meeting.
So please expect a more complete -13 on July 20th.

internet-drafts@ietf.org wrote:
> Authors: Kent Watsen

I'm considering resorting the author names to be alphabetical.

> Abstract:
> This document defines a strategy to securely assign a pledge to an
> owner using an artifact signed, directly or indirectly, by the
> pledge's manufacturer. This artifact is known as a "voucher".

This probably deserves a rewrite, but it will get done last.

> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-rfc8366bis-12

I have added Appendix A with CMS examples.
The JWS and COSE examples are in the [jBRSKI] and [cBRSKI] documents.
https://www.ietf.org/archive/id/draft-ietf-anima-rfc8366bis-12.html#name-key-pairs-associated-with-e

In the appendix, there is some space taken up with the private keys and certificates.
I have to double check that I've got all the right files, as the IDevID private key says "RSA", but is an EC key.
There are two possible formats for private keys, the PKCS8 one and the PKCS1 one.
Are there preferences?

Perhaps a picture of the relationship of all the files/keys is in order.

I included one key, the CA self-signed certificate expanded.
("openssl x509 -in foo -text" vs "openssl x509 -in foo ")
Do people want them all expanded?

I also notice that the certificates have expired, and I'll go back to my reference code and update things.

I have asked Kent for a worked example of an SZTP key.
I have a CMS signed key from Thomas Werner @ Siemens which I can include as well.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
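An added example, not part of this thread and not the draft's or the cBRSKI repository's own scripts: a POSIX shell check, using only the openssl CLI, for the points Michael raises about the appendix material. It reports which PEM container a private-key file uses (PKCS#8, PKCS#1 or SEC1), which algorithm the DER actually holds (so a file labelled "RSA" that contains an EC key is caught), whether the key matches its certificate, and whether that certificate has expired. The file names and the generated fixtures are constructed for the example.

```shell
# Added example (not the thread's or draft's own scripts): consistency checks
# for appendix key/certificate files. Needs only the openssl CLI; names are constructed.

# Container format as the PEM label shows it: PKCS#8 ("PRIVATE KEY"),
# PKCS#1 ("RSA PRIVATE KEY") or SEC1 ("EC PRIVATE KEY").
key_format() {
    case "$(grep 'BEGIN' "$1" | head -n 1)" in
        *"BEGIN PRIVATE KEY"*)     echo PKCS8 ;;
        *"BEGIN RSA PRIVATE KEY"*) echo PKCS1 ;;
        *"BEGIN EC PRIVATE KEY"*)  echo SEC1 ;;
        *)                         echo unknown ;;
    esac
}

# Algorithm from the DER contents, not from the label or file name: normalise
# to PKCS#8 and read the AlgorithmIdentifier OID that asn1parse prints.
key_algorithm() {
    oids=$(openssl pkey -in "$1" 2>/dev/null | openssl asn1parse 2>/dev/null)
    case "$oids" in
        *rsaEncryption*)  echo RSA ;;
        *id-ecPublicKey*) echo EC ;;
        *)                echo unknown ;;
    esac
}

# True when the certificate's SubjectPublicKeyInfo equals the key's public part.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$certpub" ]
}

# True while the certificate's notAfter is still in the future.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed fixtures: an EC key under a misleading "rsa" name, the same key
# re-encoded as PKCS#8, an RSA CA key, and a one-day self-signed cert for the EC key.
make_fixtures() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/idevid_rsa.key" 2>/dev/null
    openssl pkey -in "$1/idevid_rsa.key" -out "$1/idevid.p8" 2>/dev/null
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/idevid_rsa.key" -subj /CN=pledge -days 1 \
        -out "$1/idevid.crt" 2>/dev/null
}

d=$(mktemp -d) && make_fixtures "$d"
for k in "$d"/*.key "$d"/*.p8; do echo "$k: format=$(key_format "$k") algorithm=$(key_algorithm "$k")"; done
```

Running it prints the EC key once as SEC1 and once as PKCS8, both with algorithm EC despite the "rsa" file name, which is the mismatch to look for before the files go into the appendix.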