Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

"Fries, Steffen" <steffen.fries@siemens.com> Wed, 29 May 2019 15:07 UTC

From: "Fries, Steffen" <steffen.fries@siemens.com>
To: "anima@ietf.org" <anima@ietf.org>
Date: Wed, 29 May 2019 15:06:54 +0000
Message-ID: <E6C9F0E527F94F4692731382340B337826FA1C58@DENBGAT9EJ5MSX.ww902.siemens.net>
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com>
In-Reply-To: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Yvhz6IuBVjs_1yvYN4L44DYMLCo>
Subject: Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Hi,

As this is the last call, it may not be too late to ask the question. I read the draft a couple of times and stumbled upon the following:

In Figure 1 of the BRSKI draft, for the communication between the Domain Registrar (RA) and the Key Infrastructure (CA), EST is stated. 
From my understanding of the description, EST as the enrollment protocol between an RA and the CA is meant as exemplary but not prescriptive? From the protocol flow for the enrollment itself, I understood that BRSKI describes the flow up to the Domain Registrar but is open regarding the protocol applied between the domain registrar and the CA. It may be EST.

Is my understanding right? If yes, would it be appropriate to state "e.g., EST (RFC 7030)" in the figure to make clear it is an example?

Best regards
Steffen

> -----Original Message-----
> From: Anima <anima-bounces@ietf.org> On Behalf Of The IESG
> Sent: Dienstag, 21. Mai 2019 23:21
> To: IETF-Announce <ietf-announce@ietf.org>
> Cc: ibagdona@gmail.com; draft-ietf-anima-bootstrapping-keyinfra@ietf.org; anima@ietf.org; anima-chairs@ietf.org;
> tte+ietf@cs.fau.de
> Subject: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures
> (BRSKI)) to Proposed Standard
> 
> 
> The IESG has received a request from the Autonomic Networking Integrated Model and Approach WG (anima) to consider the
> following document:
> - 'Bootstrapping Remote Secure Key Infrastructures (BRSKI)'
>   <draft-ietf-anima-bootstrapping-keyinfra-20.txt> as Proposed Standard
> 
> This is a second Last Call. IoT Directorate review was done after the ANIMA WG Last Call and consensus to request the publication, and
> that review resulted in substantial changes to the document.
> 
> The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive
> comments to the ietf@ietf.org mailing lists by 2019-06-04. Exceptionally, comments may be sent to iesg@ietf.org instead. In either
> case, please retain the beginning of the Subject line to allow automated sorting.
> 
> Abstract
> 
>    This document specifies automated bootstrapping of an Autonomic
>    Control Plane.  To do this a remote secure key infrastructure (BRSKI)
>    is created using manufacturer installed X.509 certificate, in
>    combination with a manufacturer's authorizing service, both online
>    and offline.  Bootstrapping a new device can occur using a routable
>    address and a cloud service, or using only link-local connectivity,
>    or on limited/disconnected networks.  Support for lower security
>    models, including devices with minimal identity, is described for
>    legacy reasons but not encouraged.  Bootstrapping is complete when
>    the cryptographic identity of the new key infrastructure is
>    successfully deployed to the device but the established secure
>    connection can be used to deploy a locally issued certificate to the
>    device as well.
> 
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/
> 
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/ballot/
> 
> The following IPR Declarations may be related to this I-D:
> 
>    https://datatracker.ietf.org/ipr/2816/
>    https://datatracker.ietf.org/ipr/3233/
>    https://datatracker.ietf.org/ipr/2463/
> 
> The document contains these normative downward references.
> See RFC 3967 for additional information:
>     rfc8368: Using an Autonomic Control Plane for Stable Connectivity of Network Operations, Administration, and Maintenance (OAM)
> (Informational - IETF stream)