[Anima] My comments about draft-richardson-anima-voucher-delegation-00:

"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Fri, 28 February 2020 06:37 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 145AF3A1147 for <anima@ietfa.amsl.com>; Thu, 27 Feb 2020 22:37:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3b46jL73j7No for <anima@ietfa.amsl.com>; Thu, 27 Feb 2020 22:37:43 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9693A1146 for <anima@ietf.org>; Thu, 27 Feb 2020 22:37:43 -0800 (PST)
Received: from LHREML713-CAH.china.huawei.com (unknown []) by Forcepoint Email with ESMTP id 6340ECAE5FA861E0AB79 for <anima@ietf.org>; Fri, 28 Feb 2020 06:37:41 +0000 (GMT)
Received: from lhreml708-chm.china.huawei.com ( by LHREML713-CAH.china.huawei.com ( with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 28 Feb 2020 06:37:40 +0000
Received: from lhreml708-chm.china.huawei.com ( by lhreml708-chm.china.huawei.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Fri, 28 Feb 2020 06:37:40 +0000
Received: from DGGEMM404-HUB.china.huawei.com ( by lhreml708-chm.china.huawei.com ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1713.5 via Frontend Transport; Fri, 28 Feb 2020 06:37:40 +0000
Received: from DGGEMM531-MBS.china.huawei.com ([]) by DGGEMM404-HUB.china.huawei.com ([]) with mapi id 14.03.0439.000; Fri, 28 Feb 2020 14:37:35 +0800
From: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
To: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: My comments about draft-richardson-anima-voucher-delegation-00:
Thread-Index: AdXuAWluOjgkqUnQTz6LlayjkXYHRQ==
Date: Fri, 28 Feb 2020 06:37:35 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F13EC88B43@DGGEMM531-MBS.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F13EC88B43DGGEMM531MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/dv699_CWkWclSTAS3mHfCFlDXN4>
Subject: [Anima] My comments about draft-richardson-anima-voucher-delegation-00:
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 06:37:46 -0000

Hi Michael,
This is an interesting draft, please see my comments as below:

pg 2:

   o  while the use of a nonceless voucher (see {{RFC8366} section 4)

      can permit the MASA to be offline, it still requires the public

      key/certificate of the Registrar to be known at issuing time


      don't think it as one disadvantage of the BRSKI. As even for the DASA

      solution, the public key of the registrar are still required to be

      known at issuing time. At least, this sentence has not clarified the

      real problem clearly.

pg 2:

   o  the MASA must also approve all transfers of ownership, impacting

      the rights of the initial seller to transfer ownership as they see



      here, the initial seller seems not very accurate. Who is the initial

      seller? Actually, the term of "any re-seller/distributer" are more

      accurate here.

pg 2:

   o  if the Registrar has any nonceless vouchers, then it can not

      change it's public key, nor can it change which certification

      authority it uses


      How can the DASA address this problem?

pg 2:

   o  the creator of an assembly of parts/components can speak for the

      entire assembly of parts in a transparent way


      the creator means the vendor?

pg 2:

1.1.1.  Disconnected or Offline MASA

   A Registrar wishes to onboard devices while not being connected to

   the Internet.


      how to achieve this goal? by pro-provisioning the related delegation

      vouchers to the device?

pg 2:

1.1.2.  Resale of devices

   An owner of a device wishes to resale devices which have previously

   been onboarded to a third party without specific authorization from

   the manufacturer.


   Does the resoled devices have to be onboarded before?

pg 3:



   assembly means?

pg 3:

   The sub-components of the assembly needs

   to communicate with other sub-components, and so all the parts need

   to transparently onboarded.

comment:  clarification requested.

pg 3:

   This delegation can potentially be repeated multiple times to enable

   second, third, or n-th level of resale.


    So, there should be 0..n intermediate vouchers and only one end voucher in the device. right?

pg 3:

   The delegation voucher pins the identity of the delegated authority

   using a variety of different mechanisms which are covered in

   Section 7.


   why do we need a variety of different mechanisms?

   Is one mechanism defined in this draft not enough?

pg 5:

   Delegation Voucher:  a Delegation Voucher is an [RFC8366] format

      voucher that has additional fields to provide detailed the entity

      to which authority has been delegated.


   nit: to provide details of the entity...

   We need a very clear relation description among the 3 kinds of voucher:

   delegation voucher, intermediate voucher and end voucher. Leave it to the

   later discussion!

pg 5:

   Intermediate Voucher:  a voucher that is not the final voucher

      linking a pledge to its owner.


   Does intermediate voucher equal to the delegated voucher? I think so.

pg 5:

   End Voucher:  a voucher that is the final voucher linking a pledge to

      its owner.


   Does end voucher equal to the normal voucher? I think so.

pg 5:

   There are a few new fields: pinned-delegation-certificate-authority,

   pinned-delegation-name, delegation-count.


   we need the definition of this new fields, not only in the description of the yang model, I think.

   and some nits: countdown, miss delegation-voucher and


pg 7:

   leaf pinned-certificate-authority {


   How does the upper-layer MASA/DASA know the pinned-certificate-authority

   which will delegtate out?

pg 7:

   leaf delegation-voucher {


   a chain of delegation-vouchers on the delegation path? or a nested voucher structure?

   And the voucher is a CMS structure with signature, right?

   if there is delegation information, it should be in this

   delegation-voucher field. And for the MASA created voucher, it should not

   include the delegation-voucher, since it is the up-most entity in the

   supply chain and no other entity can delegate the authority to it, right?

   How about the new DASA URL?

pg 8:

           leaf delegation-countdown {

             type int16;


             "Number of delegations still available. If zero

              or omitted, then this is a terminal voucher and

              may not be further delegated";


  terminal voucher is not end voucher!

  It should be the initial voucher created by the MASA and does not include

  delegation-voucher field, right?

  Furthermore, it seems that the countdown field is redundant with the


pg 8:



  Who sign the end voucher?

  Can the intermediate voucher independently exist?

pg 8:

3.3.  Delegation of multiple devices

   A MASA MAY delegate multiple devices to the same Registrar by putting

   an array of items in the "serial-number" attributes.  (XXX-how to

   describe this in the YANG)


   What is the use case? Current BRSKI does not support this, but should?

pg 8:

   A pledge which has previously stored a delegation voucher and

   delegated authority, SHOULD include it in its voucher request.  This

   will be in the form of a certificate provided by the "previous"



   include it = include the delegation voucher?

   I still think that a delegation voucher can not really exist as an

   instance, it's actually an end voucher including a series of intermediate

   vouchers in itself.

pg 9:

   A certificate from the set of intermediate-identities is

   expected to validate the signature on this zeroth end-entity voucher.

   (XXX- This attribute can be replaced by the CMS certificate chain)


   The intermediate-identities list should have the same order with the

   intermediate voucher chain backwards along the delegation path to the


   In last sentence, it said that the zero voucher has not been signed. Here,

   how to validate its signature? Why is the regarding certificate expected

   to validate the zero voucher?

pg 9:

   working set of trust anchors.


   So, the pledge has multiple trust anchors possibly.

   So, the next question is how does the pledge or the registrar know which

   trust anchor to choose for next onboarding procedure?


This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!