[Anima] BRSKI<->ACME use case (was: Re: FWD: ACME for devices side meeting)
Toerless Eckert <tte@cs.fau.de> Wed, 24 July 2019 22:34 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970B71203B8 for <anima@ietfa.amsl.com>; Wed, 24 Jul 2019 15:34:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id doYVHjlFnD5i for <anima@ietfa.amsl.com>; Wed, 24 Jul 2019 15:34:37 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76D86120110 for <anima@ietf.org>; Wed, 24 Jul 2019 15:34:37 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 5A95E54806A; Thu, 25 Jul 2019 00:34:32 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 49921440041; Thu, 25 Jul 2019 00:34:32 +0200 (CEST)
Date: Thu, 25 Jul 2019 00:34:32 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: anima@ietf.org
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>
Message-ID: <20190724223432.ryydigwlh5gtiobw@faui48f.informatik.uni-erlangen.de>
References: <DM6PR11MB3385255D58A133B186AA547EDBC60@DM6PR11MB3385.namprd11.prod.outlook.com> <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de> <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/h_Q8DhP4vCnWIaCok_MlgV51t7A>
Subject: [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME for devices side meeting)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 22:34:39 -0000
Some thoughts about draft-friel-acme-integration also after the ACME side meeting.
Talking to Owen after ANIMA, he explained the use case for his draft,
which would be great to include into a rev. At least i hope i wasn't
the only one to whom it wasn't completely obvious even without being
stated ;-))
The way i would desribe the use-case is this:
You are an enterprise or home, you may have some BRSKI like
infrastructure (cloud-based, local, whatever) that helps to auto-enroll
any type of devices you want to use in your network, but: Many of these
devices will have a web-server to access/control/use them, and when
you access them via a browser there is the issue that web browsers
will complain unless the device is enrolled with a certificate signed
by a public PKI CA (in the browsers TA list) and can be used to
authenticate the domain name the device is using.
This is where ACME comes in because the key thing separating itself from
EST is that it has the mechanisms so RA (registrars) can provide proof
of ownership of a DNS domain/prefixes for which they can then request
certificates. At least thats how i understood the explanation given to me.
So, i would certainly welcome if we made sure BRSKI<->ACME can be made
to work well.
Another thing coming to mind: devices that have a web-server will
support TCP, so they won't pose the problem of having to change the
basic transport protocol to use for BRSKI, unlike the constrained "iot"
devices, where we have to use protocols like CoAP. And given how
we made sure that the ANI certificate pieces do not conflict with any
type of certifictes attributes required for "web certificates", this
should also all work well with not only BRSKI but even ANI (using
certificates with the ACP rfc822Name). At least this would be my hope,
and certainly something i would like to verify with ACME.
Cheer
Toerless
On Thu, Jul 25, 2019 at 12:00:15AM +0200, Toerless Eckert wrote:
> Owen sent the following nice notes about the side meeting.
> Will comment separately. Bcc'ing the original recipients.
>
> On Wed, Jul 24, 2019 at 08:26:20PM +0000, Owen Friel (ofriel) wrote:
> > Minutes from today's meeting.
> >
> > General consensus that figuring out how to use ACME for issuance of device/client certs is a good idea
> >
> > There are (at least) three related drafts in this space
> > - draft-yusef-acme-3rd-party-device-attestation
> > - draft-friel-acme-integrations
> > - draft-moriarty-acme-client
> >
> > draft-moriarty-acme-client
> > - outlines several use cases for client and device certs
> > - as Kathleen could not make the meeting, we didn't discuss this in detail
> >
> > draft-yusef-acme-3rd-party-device-attestation and subsections of draft-friel-acme-integrations are trying to solve similar problems:
> > - leverage a cloud service to assist in ownership proofs for devices
> > - use ACME to issue LDevID certificates to devices
> >
> > draft-yusef-acme-3rd-party-device-attestation
> > - assumes devices have self-signed certs, not certs signed by a manufacturer private CA
> > - The BRSKI-ACME flow Rifaat presented uses a vendor default BRSKI registrar, and is a reasonable starting point for device's getting certs from ACME
> > - This flow is not currently documented in Rifaat's draft
> > - We can probably avoid the need for ACME to understand the vendor's JWT
> >
> > draft-friel-acme-integrations
> > - documents (partially) the BRSKI-ACME flow but uses a local domain registrar, not the vendor default registrar
> >
> > draft-ietf-anima-bootstrapping-keyinfra
> > - underspecifies how the MASA should handle Voucher Requests directly from the Pledge i.e. the Cloud Registrar use case
> > - Toerless suggests that this clarification could be a small standalone document
> >
> > No draft currently sufficiently specifies how the pledge/device should generate a CSR subject/SAN that will keep ACME happy
> >
> > The EST/BRSKI sections of draft-friel-acme-integrations, and draft-yusef-acme-3rd-party-device-attestation, probably need to be combined by a new draft
> > - if the device is going to use a self-signed cert, then how the EST RA validates device identity needs to be specified as this is a change from BRSKI
> >
> > The ACME subdomain use case needs to be split out from draft-friel-acme-integrations into a separate small document
> >
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
--
---
tte@cs.fau.de
- [Anima] FWD: ACME for devices side meeting Toerless Eckert
- [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME… Toerless Eckert
- [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Brian E Carpenter