[Anima] RFC 8995, Voucher Signing, MASA Certificate Chain provisioning

"Fries, Steffen" <steffen.fries@siemens.com> Wed, 06 March 2024 15:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/UD9GgVl29biebtJ8vu5irMgYJgg>

Hi Michael,

I've got a question regarding the MASA voucher signing or, better, the certificate chain provisioning for the MASA certificate to the pledge.

RFC 8995 states in section 9.1.1 (https://www.rfc-editor.org/rfc/rfc8995.html#section-9.1.1):
"The online service MUST have access to a private key with which to sign voucher artifacts [RFC8366] (https://www.rfc-editor.org/rfc/rfc8995.html#RFC8366). The public key, certificate, or certificate chain MUST be built into the device as part of the firmware."

I had the assumption that the pledge only knows its IDevID and with that its own certificate, public/private key pair and the certificate chain from the issuing CA to the trust anchor.
In operational environments, the issuing CA for the IDevID may not be the same as the issuing CA for the MASA signing certificate. From the requirement above, it would mean to provide the MASA certificate chain also in the pledge firmware, if it is different from the IDevID issuing CA. As the voucher is a CMS container that allows conveying the certificate chain of the signer in the SignedData, I would have expected it to be contained there. This would be similar to the voucher request, in which the registrar-voucher-request also contains the certificate chain according to section 5.5.2 (https://www.rfc-editor.org/rfc/rfc8995.html#section-5.5.2), which states:
"A certificate chain is extracted from the registrar's signed CMS container."

I would propose to also allow the submission of the certificate chain of the MASA signing certificate in the SignedData part of the CMS container of the voucher.
Any thoughts?

Best regards
Steffen
--
Steffen Fries