Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 18 August 2019 19:55 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18B991201E3; Sun, 18 Aug 2019 12:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdVMWfAPiVHd; Sun, 18 Aug 2019 12:55:41 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 755601200B9; Sun, 18 Aug 2019 12:55:41 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 619E5380BE; Sun, 18 Aug 2019 15:54:46 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 56310B2D; Sun, 18 Aug 2019 15:55:40 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, tte+ietf@cs.fau.de, anima-chairs@ietf.org, The IESG <iesg@ietf.org>, anima@ietf.org
In-Reply-To: <6d0cfaaf-2d1d-4120-85a2-2f613d0f696c@www.fastmail.com>
References: <156285123896.32459.15810474411321920381.idtracker@ietfa.amsl.com> <27800.1563297174@localhost> <b194301a-59f0-4edb-a387-d6cda1b3b599@www.fastmail.com> <9325.1563492610@localhost> <6d0cfaaf-2d1d-4120-85a2-2f613d0f696c@www.fastmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 18 Aug 2019 15:55:40 -0400
Message-ID: <692.1566158140@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/eXVx7WOfkLCbg_lEbjTSmxhLcS4>
Subject: Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Aug 2019 19:55:44 -0000
Alexey Melnikov <aamelnikov@fastmail.fm> wrote: >> Alexey Melnikov <aamelnikov@fastmail.fm> wrote: >> >> > o In the language of [RFC6125] this provides for a SERIALNUM-ID > >> >> category of identifier that can be included in a certificate and > >> >> therefore that can also be used for matching purposes. The > >> >> SERIALNUM-ID whitelist is collated according to manufacturer trust > >> >> anchor since serial numbers are not globally unique. >> >> > This is actually not helping. I was looking for something like: >> >> > DNS-ID = a subjectAltName entry of type dNSName >> >> > Basically I was asking for a definition of SERIALNUM-ID somewhere. >> >> It's a (subject)DN of serial number=123456, not a subjectAltName. >> (not the CertificateSerialNumber) > In this case, you need to use CN-ID as the base for the definition. The > important part there is that the RDN can't be repeated multiple times > in a DN. If it does, that would make the whole DN not suitable for use > a la RFC 6125. To recap, we have changed the text to avoid multiple references to 6125. We use a reference to LDAP (rfc4519), because that's where the fields get a clear statment as to how to present them. We don't need to do RFC6125 matching on certificates to URLs, etc. for the TLS Client Certificates, so rfc6125 does not really help anyone, so the discussion about CN-ID seems to just distract. 2.3.1. Identification of the Pledge | In the context of BRSKI, pledges have a 1:1 relationship with a "serial-number". This serial-number is used both in the "serial- number" field of voucher or voucher-requests (see Section 3) and in local policies on registrar or MASA (see Section 5). | The serialNumber fields is defined in [RFC5280], and is a SHOULD | field in [IDevID]. IDevID certificates for use with this protocol | MUST include the "serialNumber" attribute with the device's unique | serial number (from [IDevID] section 7.2.8, and [RFC5280] section | 4.1.2.4's list of standard attributes). | The serialNumber field is used as follows by the pledge to build the | "serial-number" that is placed in the voucher-request. In order to | build it, the fields need to be converted into a serial-number of | "type string". | An example of a printable form of the "serialNumber" field is | provided in [RFC4519] section 2.31 ("WI-3005"). That section further | provides equality and syntax attributes. | Due to the reality of existing device identity provisioning | processes, some manufacturers have stored serial-numbers in other | fields. Registrar's SHOULD be configurable, on a per-manufacturer | basis, to look for serial-number equivalents in other fields. As explained in Section 5.5 the Registrar MUST extract the serial- number again itself from the pledge's TLS certificate. It can consult the serial-number in the pledge-request if there are any | possible confusion about the source of the serial-number. ... section 5 now jus says: The extensions for a registrar (equivalent to EST server) are: o Client authentication is automated using Initial Device Identity (IDevID) as per the EST certificate based client authentication. The subject field's DN encoding MUST include the "serialNumber" | attribute with the device's unique serial number as explained in | Section 2.3.1 -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Alexey Melnikov's Discuss on draft-ietf-a… Alexey Melnikov via Datatracker
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Michael Richardson
- [Anima] a note on the rfcdiff for draft-ietf-anim… Michael Richardson
- Re: [Anima] a note on the rfcdiff for draft-ietf-… Michael Richardson
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Michael Richardson
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Alexey Melnikov
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Alexey Melnikov
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Michael Richardson
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Michael Richardson
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Alexey Melnikov
- Re: [Anima] Alexey Melnikov's Discuss on draft-ie… Michael Richardson