[Anima] Re: Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 14 January 2025 22:53 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>, "Werner, Thomas" <thomas-werner@siemens.com>, "Fries, Steffen" <steffen.fries@siemens.com>
Date: Tue, 14 Jan 2025 22:53:15 +0000
Message-ID: <DU0P190MB197838F0171066F9C3CEB801FD182@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <DU0P190MB197881C7B003306108D9AE43FD182@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <10111.1736884824@obiwan.sandelman.ca>
In-Reply-To: <10111.1736884824@obiwan.sandelman.ca>
Subject: [Anima] Re: Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/T2o88rCvFb045pA6Hp1svLYGqSc>

> The *Registrar*, however, might not have them all.

In cBRSKI the Registrar does get them all from the DTLS handshake. But I agree that for PRM this doesn't work in the same way.
I didn't read PRM recently - does the Agent add a signed object stating the IDevID cert chain that it has seen from the Pledge...?

If not: then either the cert chain needs to be in the signed PVR, or we need extra requirements on the Registrar to get these chains beforehand which may not always be practical.

We have some discussion (to be continued) on whether the Registrar can be expected to be preloaded with all CAs in the chains, or a subset of only the highest sub-CAs, or only the root CA?
The more the Registrar already knows, the less the Pledge has to send in its PVR, given that the MASA would know all its own CAs for sure.

Esko

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Tuesday 14 January 2025 21:00
To: Esko Dijk <esko.dijk@iotconsultancy.nl>; anima@ietf.org; Werner, Thomas <thomas-werner@siemens.com>; Fries, Steffen <steffen.fries@siemens.com>
Subject: Re: [Anima] Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR


Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
    > Now the target recipient of the PVR is the MASA. (Again for PRM this
    > may be different and include Registrar as well...? But not in BRSKI I
    > think.)  So the requirement on the Pledge is it SHOULD include in the
    > PVR all the certificates needed for the MASA to build the complete
    > chain.

Since the manufacturer created the IDevID for the pledge, I would think it
(the MASA) has all the required subordinate certificates.
The *Registrar*, however, might not have them all.
It's a tussle.

    > The MASA in this solution needs to store all the cert-chains for all
    > the Pledges it supports – including their IDevID EE certificates -- an
    > extra burden on MASA, compared with BRSKI, but one which helps us
    > achieve the smaller size of PVR.  So cBRSKI changes the “SHOULD”
    > requirement from 8995 to a SHOULD NOT in Section 9.2.2.

I don't think it's a burden :-)

    >     A registrar accepts or declines a request to join the domain, based
    > on the authenticated identity presented

    > It doesn’t say where the IDevID identity should come from – PVR or the
    > (D)TLS handshake supplied certificates. Having only one source should
    > be fine ... ?

Yes.
I prefer getting it from the PVR.
That's much easier in a PRM situation.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
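As an added example, not taken from this thread or from any BRSKI, cBRSKI or BRSKI-PRM implementation, the Go program below makes the trade-off in Esko's message concrete: it builds a constructed four-certificate manufacturer chain (IDevID, factory sub-CA, product-line sub-CA, vendor root) with the standard crypto/x509 package, computes what the Pledge still has to put in its PVR for each level of verifier preloading discussed above (root only, root plus the highest sub-CA, all CAs, or everything including the IDevID EE certificate, as a cBRSKI MASA would hold), and then checks with a standard path build whether a MASA or Registrar holding that preload accepts the result. The chain shape, all names, and the functions pledgeMustSend and verifierAccepts are assumptions of this example; the final line shows the case the thread is concerned about, a chain-less PVR arriving at a verifier that holds only the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn, signed by parent (self-signed when parent is
// nil). Every name and the chain shape are constructed for this example, not a real
// vendor PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildDemoChain returns a constructed chain, leaf first: IDevID, factory sub-CA,
// product-line sub-CA, vendor root CA.
func buildDemoChain() []*x509.Certificate {
	root, rootKey := issue("Example Vendor Root CA", true, nil, nil, 1)
	product, productKey := issue("Example Vendor Product Sub-CA", true, root, rootKey, 2)
	factory, factoryKey := issue("Example Vendor Factory Sub-CA", true, product, productKey, 3)
	idevid, _ := issue("pledge-serial-0001", false, factory, factoryKey, 4)
	return []*x509.Certificate{idevid, factory, product, root}
}

// pledgeMustSend walks upward from the IDevID (chain[0]), collecting each cert the
// verifier lacks, and stops at the first one it holds: the verifier finishes from there.
func pledgeMustSend(chain, preloaded []*x509.Certificate) []*x509.Certificate {
	have := map[string]bool{}
	for _, p := range preloaded {
		have[string(p.Raw)] = true
	}
	var out []*x509.Certificate
	for _, c := range chain {
		if have[string(c.Raw)] {
			break
		}
		out = append(out, c)
	}
	return out
}

// verifierAccepts models the MASA or Registrar: preloaded certs and received certs are
// pooled (self-signed CAs as trust anchors, other CAs as intermediates) and crypto/x509
// builds the IDevID's path; the IDevID itself must have come from one of the two.
func verifierAccepts(idevid *x509.Certificate, received, preloaded []*x509.Certificate) bool {
	roots, inters, haveLeaf := x509.NewCertPool(), x509.NewCertPool(), false
	for _, set := range [][]*x509.Certificate{received, preloaded} {
		for _, c := range set {
			switch {
			case c.Equal(idevid):
				haveLeaf = true
			case c.IsCA && c.CheckSignatureFrom(c) == nil: // self-signed
				roots.AddCert(c)
			case c.IsCA:
				inters.AddCert(c)
			}
		}
	}
	_, err := idevid.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return haveLeaf && err == nil
}

func main() {
	chain := buildDemoChain()
	for n := 3; n >= 0; n-- { // preload the top 1, 2, 3 or all 4 certificates
		sent := pledgeMustSend(chain, chain[n:])
		fmt.Printf("preloaded=%d pledge sends=%d accepted=%v\n", 4-n, len(sent), verifierAccepts(chain[0], sent, chain[n:]))
	}
	// The case the thread worries about: a chain-less PVR at a root-only verifier.
	fmt.Println("root only, no chain in PVR:", verifierAccepts(chain[0], chain[:1], chain[3:]))
}
```

The `received` argument stands for whatever source hands the verifier certificates it was not preloaded with: the signed PVR in the PRM case, or the DTLS handshake in the cBRSKI Registrar case that Esko mentions. The interesting property is the one the thread states: each certificate the verifier already holds is one the Pledge can leave out, and a verifier that holds only the root cannot accept a chain-less PVR at all.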