[Anima] Re: Question regarding use of assertions in vouchers in RFC8366bis

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 03 September 2024 13:29 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "Fries, Steffen" <steffen.fries=40siemens.com@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Date: Tue, 03 Sep 2024 13:29:29 +0000
CC: "anima@ietf.org" <anima@ietf.org>
Subject: [Anima] Re: Question regarding use of assertions in vouchers in RFC8366bis
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/WtvOn8lAsMPUKBSujF04zKazkWw>

I think RFC 8366 explains the relation between 'logged' and 'proximity' - saying that 'logged' is the weakest of checks that the MASA can do, which is the fallback used if no live proximity can be verified by MASA, but still it wants to issue a voucher.
If proximity can be verified then 'proximity' is used, the stronger (more secure) assertion.

Details about 'proximity' validation are in RFC 8995 Section 5.5.5 / 5.5.6; roughly it includes checking the nonce in both PVR/RVR, and inspecting the prior-signed-voucher-request (PVR) inside the RVR, and ensuring the PVR has a proximity-registrar-cert that "is consistent with" the signing entity of the RVR.
(This allows some interpretation freedom - "consistent" could mean the same entity, or it could mean another RA entity located under the same Domain CA. In the simplest Registrar implementation it would just be the exact same (RA) entity.)

It's up to the vendor to decide whether their Pledge would accept "logged" vouchers or not.  @Steffen is there anything that still needs to be clarified in RFC 8995 5.5.x for your use case?

Esko
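One way a MASA could encode the decision described above, as an added illustration that is not code from RFC 8995, from this thread, or from any BRSKI implementation. It assumes the signatures on the PVR and RVR have already been verified, reduces certificates to constructed subject/issuer strings, and treats an internally inconsistent request (nonce mismatch, registrar mismatch) as a refusal rather than a 'logged' fallback, which is my assumption, not something the thread states.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str   # constructed stand-in for a certificate: holder identity ...
    issuer: str    # ... and the Domain CA that issued it

@dataclass
class VoucherRequest:
    nonce: Optional[bytes]
    signer: Cert                                     # entity whose signature the MASA already verified
    proximity_registrar_cert: Optional[Cert] = None  # set by the Pledge in its PVR
    prior_signed_voucher_request: Optional["VoucherRequest"] = None  # the PVR carried inside the RVR

def registrar_consistent(pvr_cert: Cert, rvr_signer: Cert, same_entity_only: bool) -> bool:
    """'Consistent with' (RFC 8995 5.5.5): strict = identical entity; loose = another RA under the same Domain CA."""
    return pvr_cert == rvr_signer or (not same_entity_only and pvr_cert.issuer == rvr_signer.issuer)

def choose_assertion(rvr: VoucherRequest, same_entity_only: bool = True) -> Optional[str]:
    """'proximity' when live proximity is verifiable, 'logged' when it merely cannot be shown,
    None when the request is internally inconsistent (assumption: the MASA then refuses to issue)."""
    pvr = rvr.prior_signed_voucher_request
    if pvr is None:
        return "logged"      # no Pledge evidence at all: weakest assertion, still issued
    if rvr.nonce is None or rvr.nonce != pvr.nonce:
        return None          # PVR/RVR nonces disagree: not one live exchange
    if pvr.proximity_registrar_cert is None:
        return "logged"      # Pledge named no registrar
    if not registrar_consistent(pvr.proximity_registrar_cert, rvr.signer, same_entity_only):
        return None          # Pledge was talking to some other registrar
    return "proximity"

def demo() -> dict:
    """Constructed scenario: distributor-sold product onboarded by the end customer's own registrar(s)."""
    ca = "customer-domain-ca"
    ra1, ra2 = Cert("registrar-1", ca), Cert("registrar-2", ca)
    pledge, nonce = Cert("pledge-serial-0001", "vendor-ca"), b"\x01\x02\x03\x04"
    pvr = VoucherRequest(nonce, pledge, proximity_registrar_cert=ra1)
    return {
        "same_ra": choose_assertion(VoucherRequest(nonce, ra1, prior_signed_voucher_request=pvr)),
        "other_ra_strict": choose_assertion(VoucherRequest(nonce, ra2, prior_signed_voucher_request=pvr)),
        "other_ra_same_ca": choose_assertion(VoucherRequest(nonce, ra2, prior_signed_voucher_request=pvr), False),
        "stale_nonce": choose_assertion(VoucherRequest(b"\x09\x09", ra1, prior_signed_voucher_request=pvr)),
        "no_pvr": choose_assertion(VoucherRequest(None, ra1)),
    }
```

Whether the Pledge then accepts a 'logged' voucher remains vendor policy on the Pledge side; the MASA logic above only decides which assertion it can honestly make.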

-----Original Message-----
From: Fries, Steffen <steffen.fries=40siemens.com@dmarc.ietf.org> 
Sent: Monday, September 2, 2024 14:53
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Subject: [Anima] Re: Question regarding use of assertions in vouchers in RFC8366bis

> -----Original Message-----
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> Sent: Monday, September 2, 2024 2:40 PM
> Fries, Steffen <steffen.fries@siemens.com> wrote:
>     > For the specific issue, we may think about having distinct statements
>     > that relate to a supply chain integration (verified, logged) and some
>     > other distinct statements, which relate to the interaction in the
>     > customer domain (proximity, agent-proximity).
> 
> Do you have a specific situation/need which is not covered yet?
[stf] The scenario we were talking about is a product that is provided via a distributor. The manufacturer has no direct sales channel to the end customer.
The end customer does the onboarding based on BRSKI and the MASA would have the option to signal "logged" or "proximity".
Do we have a recommendation on how the MASA would behave? The decision of the MASA may also have effects on the pledge, if the pledge only takes "proximity" vouchers.

Best regards
Steffen