IETF Logo Mail Archive

Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 20 February 2018 20:27 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74237126CD8 for <anima@ietfa.amsl.com>; Tue, 20 Feb 2018 12:27:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6on9-o37-gs for <anima@ietfa.amsl.com>; Tue, 20 Feb 2018 12:26:58 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87BD21243F6 for <anima@ietf.org>; Tue, 20 Feb 2018 12:26:58 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id E838520091 for <anima@ietf.org>; Tue, 20 Feb 2018 15:34:16 -0500 (EST)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 4DB7580C86 for <anima@ietf.org>; Tue, 20 Feb 2018 15:26:57 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "anima@ietf.org" <anima@ietf.org>
In-Reply-To: <89C98637-ACD2-423A-A8C4-52191C35FA53@cisco.com>
References: <20180214010910.GA27823@faui40p.informatik.uni-erlangen.de> <11878.1518662730@obiwan.sandelman.ca> <89C98637-ACD2-423A-A8C4-52191C35FA53@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7-RC3; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 20 Feb 2018 15:26:57 -0500
Message-ID: <19137.1519158417@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/SMKP2Jht19S_E4r7RlXM36AdluI>
Subject: Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2018 20:27:00 -0000

Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
    >>> b)  Key infrastructure
    >> 
    >>> There  is no definition/reference for this term.  Please describe on
    >>> first use and in terminology.  Is there a difference
    >>> between "key infrastructure" and  "keying material" ? If not, then
    >>> maybe remove one term otherwise pls. describe difference.
    >> 
    >> The term is in the title and in section 1.
    >> And you are right that it does not appear again, nor is it defined.
    >> I think it generally refers to the mechanism of PKI, but I'm not sure what to do.

    > An “infrastructure” is the basic entities and protocols necessary for
    > the operations of key management. I think it comes from the common
    > language term and can’t find a normative definition within IETF
    > document. As a native english speaker who has used the concept in IETF
    > interactions for eons it feels silly to try and define it. Odd.

The words "keying material" is used in the "Other Bootstrapping Approaches"
only.  In that paragraph, it refers to some "other" stuff... I'm loath to
boil the ocean to define what we aren't doing...

I suggest the insertion of the marked text:

        without external help is also an impossibility. Today it is commonly
        accepted that the initial connections between nodes are insecure, until
        key distribution is complete, or that domain-specific keying material
*new*   (often pre-shared keys, including mechanisms like SIM cards)
        is pre-provisioned on each new device in a costly and non-scalable
        manner. Existing mechanisms are known as non-secured 'Trust on

Now, to the term Key Infrastructure:

            <t hangText="(Public) Key Infrastructure:"> The collection of systems and
            processes that sustain the activities of a public key system.
            In an ANIMA Autonomic system, this includes a Domain
            Certification Authority (CA), (Join) Registrar which acts as an
            <xref target="RFC5280" /> Registrar, as well as appropriate
            certificate revocation list (CRL) distribution points and/or OCSP
            (<xref target="RFC6960" />) servers.</t>

I note that RFC6960 doesn't bother to define Key Infrastructure at all, or
even use the term except in the title...

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email