Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)

"Fries, Steffen" <> Thu, 27 August 2020 12:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D37733A07E5 for <>; Thu, 27 Aug 2020 05:56:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OYB2fWeXmYVD for <>; Thu, 27 Aug 2020 05:56:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 69C133A07CE for <>; Thu, 27 Aug 2020 05:56:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id D53384681AD; Thu, 27 Aug 2020 14:56:38 +0200 (CEST)
Received: from ( []) by (Postfix) with ESMTPS id 80CEF15617AB1; Thu, 27 Aug 2020 14:56:35 +0200 (CEST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2044.4; Thu, 27 Aug 2020 14:56:35 +0200
Received: from ([]) by ([]) with mapi id 15.01.2044.004; Thu, 27 Aug 2020 14:56:35 +0200
From: "Fries, Steffen" <>
To: Michael Richardson <>, "" <>
Thread-Topic: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)
Thread-Index: AdZmfbkJ/iBKc9n1QAWzDvrnlpnz3///+0AAgAeRb4D//879sIACHpmA//7t5iCAFspqgP//3RWAAXKuHAD//zLWwA==
Date: Thu, 27 Aug 2020 12:56:35 +0000
Message-ID: <>
References: <> <> <12431.1596541563@dooku> <> <11029.1596647559@localhost> <> <6058.1597841627@localhost> <> <11109.1598470952@localhost>
In-Reply-To: <11109.1598470952@localhost>
Accept-Language: en-US, de-DE
Content-Language: en-US
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-08-27T12:56:34Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=4f01ec2b-52b6-4aa0-9d17-09c56726102c; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
x-originating-ip: []
x-tm-snts-smtp: 11A33D7F90D8DE3862DDF8012EC1256D1193D5E370B5CE1330BC42F0982AA0AB2000:8
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Aug 2020 12:56:42 -0000

> -----Original Message-----
> From: Michael Richardson <>
> Sent: Mittwoch, 26. August 2020 21:43
> Fries, Steffen <> wrote:
>     >> Can you explain to me why the discovery via /.well-known/brski is
>     >> useful?  This is on the *REGISTRAR*.
>     > The intention was to let the pledge or the pledge-agent know in advance
>     > what enrollment options are available at the registrar side allowing
>     > the pledge to fail fast if it does not have a matching enrollment
>     > protocol.
> I understand this need, but it seems that we are making the pledge more
> complex in order to keep the registrar simpler.  That makes no sense to me:
> the pledge should be minimal, while the registrar can remain complex.
Maybe I phrased it wrong. The intention is not to make the pledge more complex. The goal should be to keep the pledge simple and enhance the registrar to handle also other situations like unavailability of certain connections. The registrar should be the more capable component. The discovery was intended in situations, in which the registrar supports multipole options, but not all may be mandatory supported. In this case the discovery would help. Otherwise the pledge may do trial and error.

>     >> In reading BRSKI-AE, I seem to be missing any place where the PUSH
>     >> mechanism is described.  In a PUSH use case, what protocol would the
>     >> pledge expose to the pledge-agent and/or commissioner?
>     > This is currently left outside in terms of the protocol. The intention
>     > was to only specify the necessary (signature wrapped) data objects to
> I'd really like to have the PUSH part in scope.
> I thought that it was just not done yet, but it seems to me that without the
> PUSH part, that the protocol isn't async at all.  It is just BRSKI-CMP.
Async was meant that connectivity to certain components is not available at the time of the onboarding. For use case 1 it would be the issuing PKI and in use case 2 the registrar. To handle this signature wrapped objects were introduced. One way of addressing this during enrollment is using protocols supporting signature wrapped objects like CMP or EST with fullcmc as outlined. The goal is to be protocol agnostic. This was also a reason for the discovery option. 
Regarding PUSH. As outlined in BRSKI-AE section 5.2.4 the pledge would be queried by the pledge-agent for certain objects. It was intended to have it in the current document. The current description assumes that it would be sufficient to define just the signature wrapped objects to be exchanged between the pledge-agent and the pledge and not the transport of these objects to be open regarding the underlying media. This would allow to use the functionality of the domain registrar via the pledge-agent, even of the pledge utilizes a different network stack. But maybe this is to far fetched and it is easier to concentrate on the currently assumed pledge capabilities (in BRSKI) to do HTTP as a starting point. I think that this needs further discussion. Do you have a concrete use case in mind, which should be addressed?

Best regards

> --
> Michael Richardson <>ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-