Re: [Anima] about moving /.well-known/est/enrollstatus ??

Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 18 September 2020 12:03 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "Fries, Steffen" <steffen.fries@siemens.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Date: Fri, 18 Sep 2020 12:02:58 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/QgQIzYX_TJeaXRQiLn9P8SC4NGQ>

Agree with moving the enrollstatus into the ".well-known/brski" domain. If the EST enrollment (which is a SHOULD as part of BRSKI, so a client might in principle use another protocol) fails, for example, then the failure to enroll would logically be reported back in the BRSKI context.

Note: There are some issues in the current payload definition in BRSKI voucher status and enrollment status; I've created https://github.com/anima-wg/anima-bootstrap/issues/144 for these.

Is any help needed to author these updates? (Or does this need to be taken up in the errata once we publish as RFC...? I remember that people want to rather have it published than polished.)

Esko
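Added example, not code from the thread, from the BRSKI draft, or from any of its authors: a minimal pledge-side report and registrar-side handler for the enrollstatus telemetry discussed above, showing how a registrar can keep accepting the legacy "/.well-known/est/enrollstatus" path while the BRSKI-scoped path becomes the primary one, and how a failed or malformed report is surfaced rather than lost. The JSON field names (version, status, reason, reason-context) are assumed from the layout of the draft's section 5.9.4; the record type, the `attempts` context key and the dual-path transition logic are this example's own choices.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Endpoints discussed in the thread: the EST-scoped path the draft used
# and the BRSKI-scoped path proposed as its replacement.
LEGACY_PATH = "/.well-known/est/enrollstatus"
BRSKI_PATH = "/.well-known/brski/enrollstatus"
ACCEPTED_PATHS = (BRSKI_PATH, LEGACY_PATH)


@dataclass
class EnrollStatusRecord:
    """What the registrar keeps from one status report."""
    http_status: int                 # response code the registrar would send
    success: Optional[bool]          # None when the report itself was rejected
    reason: str                      # pledge's reason text, or the rejection reason
    context: dict = field(default_factory=dict)
    legacy_path: bool = False        # True if the pledge still used the /est/ path


def build_enrollstatus(success: bool, reason: str,
                       context: Optional[dict] = None) -> bytes:
    """Pledge side: serialize the enrollment status report.

    Field names follow the version/status/reason/reason-context layout of
    the draft's section 5.9.4 (assumed here, not quoted from the thread).
    """
    body = {
        "version": 1,
        "status": success,
        "reason": reason,
        "reason-context": context or {},
    }
    return json.dumps(body).encode("utf-8")


def registrar_handle(path: str, body: bytes) -> EnrollStatusRecord:
    """Registrar side: route the request, validate the body, record the result.

    Both paths are accepted during a transition so that pledges built against
    the older draft are not silently dropped; the legacy flag is kept so the
    operator can see which devices still need updating.
    """
    if path not in ACCEPTED_PATHS:
        return EnrollStatusRecord(404, None, "unknown path")
    legacy = (path == LEGACY_PATH)
    try:
        msg = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return EnrollStatusRecord(400, None, "malformed JSON", legacy_path=legacy)
    if not isinstance(msg, dict) or msg.get("version") != 1:
        return EnrollStatusRecord(400, None, "unsupported or missing version",
                                  legacy_path=legacy)
    status = msg.get("status")
    if not isinstance(status, bool):
        return EnrollStatusRecord(400, None, "status must be a JSON boolean",
                                  legacy_path=legacy)
    reason = msg.get("reason", "")
    ctx = msg.get("reason-context", {})
    if not isinstance(reason, str) or not isinstance(ctx, dict):
        return EnrollStatusRecord(400, None, "reason/reason-context have wrong types",
                                  legacy_path=legacy)
    return EnrollStatusRecord(200, status, reason, ctx, legacy)


def needs_operator_attention(rec: EnrollStatusRecord) -> bool:
    """A failed enrollment, a rejected report, or a pledge still on the old
    path are the cases an operator wants surfaced rather than merely counted."""
    return rec.http_status != 200 or rec.success is False or rec.legacy_path


if __name__ == "__main__":
    # Constructed sample exchange: one success on the new path, one failure
    # on the legacy path carrying a hypothetical attempt counter, one bad body.
    reports = [
        (BRSKI_PATH, build_enrollstatus(True, "certificate installed")),
        (LEGACY_PATH, build_enrollstatus(False, "certificate install failed",
                                         {"attempts": 3})),
        (BRSKI_PATH, b"not json at all"),
    ]
    for path, body in reports:
        rec = registrar_handle(path, body)
        flag = "ATTENTION" if needs_operator_attention(rec) else "ok"
        print(f"{path} -> {rec.http_status} success={rec.success} "
              f"reason={rec.reason!r} [{flag}]")
```

The handler deliberately returns 400 for a non-boolean `status` instead of coercing it: a telemetry endpoint that guesses at malformed input hides exactly the failure cases the thread says make enrollstatus worthwhile.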

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Fries, Steffen
Sent: Friday, September 18, 2020 08:27
To: Michael Richardson <mcr+ietf@sandelman.ca>; anima@ietf.org
Subject: Re: [Anima] about moving /.well-known/est/enrollstatus ??

> Sorry for the late replay on this. There is probably one fits all answer for this.
I definitely meant no single answer to this.

> The reason is that the enrollment protocols are defined different in that
> respect.
> - EST does not provide it out of the box, this was the reason to have it in
> BRSKI
> - CMP provides a certificate confirmation message (certConf).
> - CMC provides a confirmation message with the Confirm Certificate
> Acceptance Control
> - SCEP explicitly mentions the lack of the certificate confirmation message in
> the security consideration section
> - ACME seems to not provide it either.
> 
> Given that it would make sense to move it to /brski to make it independent
> from EST.
> Contrary, BRSKI-AE that would benefit from the /est to /brski change by
> making the enrollment protocol choice independent from the voucher
> exchange builds on authenticated self-contained objects (signature wrapped
> objects). These are currently supported by EST with fullcmc, CMP, and CMC.
> SCEP from my understanding does not support enrollment using a certificate
> from a different issuing CA. It supports reenrollment using the existing
> certificate but not initial enrollment as the IDevID would be issued from a
> different CA. That was at least my understanding by reading section 2.3 of
> SCEP.
> Based on the assumption that CMP and CMC provide the signature wrapping
> without limitations and also support certificate confirmation messages, it
> seems to be only applicable to EST (simpleenroll or fullcmc). That would
> rather indicate to keep "/.well-known/est/enrollstatus" as is.
After thinking twice about it and also rereading section 5.9.4 of BRSKI, I would suggest to also move enrollstatus to "/.well-known/brski/enrollstatus".
The reason for this is the following: 
- enrollstatus has been introduced to inform the registrar that the pledge confirms it has received the certificate and can use it.
- as stated in section 5.9.4 of BRSKI, enrollstatus can also be used to signal "attempted bootstrapping messages seen by the client". This is definitely an additional information not covered in existing certificate confirmation messages that the client at least tried enrollment but may not have been successful.
- The certificate confirmation messages defined in protocols like CMP and CMC are intended to also inform the CA, which would mean it is a message further forwarded by the registrar. This also means that additional information for the registrar, e.g., about enrollment attempts may not be contained in these messages.

Based on that, the enrollstatus provides a value to the registrar independent of the enrollment protocol chosen.

Best regards
Steffen

> 
> Best regards
> Steffen
> 
> > -----Original Message-----
> > From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
> > Sent: Mittwoch, 16. September 2020 21:53
> > To: anima@ietf.org
> > Subject: [Anima] about moving /.well-known/est/enrollstatus ??
> >
> >
> > One of the changes in the diff that I thought I had raised, but got no
> > discussion was enrollstatus.
> >
> > There are two telemetry status reports that BRSKI added .. "to EST".
> > The first is the /.well-known/est/voucher_status. This is a report on
> > whether the voucher was acceptable.  This is entirely RFC8366/BRSKI
> > content, and is completely independent of the certificate enrollment
> > protocol.  It should change to /.well-known/brski/voucher_status.
> >
> > The second one, described in section 5.9.4 is about whether or not the
> > certificate was enrolled correctly.   This provides feedback about whether or
> > not the new certificate was retrieved and installed correctly.
> >
> > It says to use the new certificate and report.
> > It's not that interesting when there is success.
> >
> > It's more interesting when there is a failure of some kind.
> > As such, it is unclear to me if this is tied up in EST only, or
> > whether this is really a BRSKI thing.
> > It's not BRSKI/RFC8366 that failed, it's EST/CMP/SCEP/pixie-dust that failed.
> >
> > It seems that moving it to /brski is acceptable, but it might be that
> > it should remain in /est.  I am not steeped in the art of CMP or SCEP
> > or ???, so I don't know if what we've done for EST will translate well.
> >
> > I do not feel strongly either way, but in the diff I left a ?XXX
> > because I didn't know.
> > I am sorry to bring this up during the IETF last-call: I think that I
> > just need some confirmation from CMP experts that we aren't creating
> > something that is unimplementable.
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
> >            Sandelman Software Works Inc, Ottawa and Worldwide
> >
> >
> >

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima