Re: [Anima] FW: New Version Notification for draft-mohammed-anima-voucher-security-profile-00.txt

"Srihari Raghavan (srihari)" <srihari@cisco.com> Mon, 27 November 2023 19:05 UTC

From: "Srihari Raghavan (srihari)" <srihari@cisco.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>, Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>, "jabir Mohammed (jamohamm)" <jamohamm@cisco.com>, "Reda Haddad (rehaddad)" <rehaddad@cisco.com>, "Sandesh Rao (sandeshr)" <sandeshr@cisco.com>
Date: Mon, 27 Nov 2023 19:04:57 +0000
Message-ID: <FBF84ED9-2651-4DEB-BBDD-23C64644FEC9@cisco.com>
References: <168543538755.57544.11025538238647976477@ietfa.amsl.com> <78D5263E-C7B4-40A8-91E3-949B78DD801C@cisco.com> <3424246.1685462203@dyas> <A7BFB9F8-132C-4E10-92F2-C48AE8B9F17C@cisco.com> <3431043.1685465207@dyas> <DU0P190MB197888430BC0180EF61A116CFD50A@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB197888430BC0180EF61A116CFD50A@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/lE4F2WmOD8-d-noOCeR4j7-LCjk>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

Hi all

First off, thanks much for all the comments and for your time.

Trying to answer comments and queries received till now in this email along with reference to the new revision posted here.

Thanks
Srihari

1. Fixed the text in the new revision, regarding voucher handling by MASA.

2. "Unfortunately, the result of the year+ effort to provide a way to
   incrementally extend RFC8366 has failed due to limitations in YANG.
   Under the hood, it ought to be trivial to do in the JSON or CBOR.
   RFC8366bis simply revises the module as a whole, and your extension would
   have to go into 8366bis, if it made sense."
   >>>>SRI_1: If the consensus of the WG after the review of the new version deems it useful to add this text to RFC8366bis, we can surely do that...<<<<

3. "Indeed letting the owner independently set security policies for the owner's own domain sounds useful...If we let the domain owner's security policy settings piggy-back on the Voucher document, so that all security policies are distributed via one signed document, that may be nice and simple but it's less flexible than having policies that the domain owner can determine fully independent from the MASA."
   >>>>SRI_1: Yes. The intent of this proposal is to keep it nice and simple via voucher extensions, but there are also other reasons like licensing and security gates to be opened in the device.  There are updates in the new version to explain this a bit more and also captured some aspects of what you mentioned.  I have also added text in the acknowledgement section to the fact.  In addition, if there is sufficient interest, please consider this as an enthusiastic invite to be co-authors of the future versions of the draft and help with the direction of the same as well.<<<<

4. "32 is not enough bits.  Using bits is probably a failure.
   Probably you need an IANA registry of posture definitions, and it probably
   needs to have an integer per item.  There is probably a need to have vendor
   extensions, probably by PEN."
   >>>>SRI_1: Yes. Increased it to 64-bit and made some changes to YANG as well w.r.t. typedef and grouping and also pointed out PEN/IANA aspects.<<<<

5. "that's an entire API from Registrar to MASA which you have to design and document."
   >>>>SRI_1: Yes. We have not done that in this version.  We can document this in the next version, as needed.<<<<


On 08/06/23, 2:36 PM, "Esko Dijk" <esko.dijk@iotconsultancy.nl> wrote:


> I think that there are better ways to accomplish the configuration, such
> as extending the BRSKI-EST link with new actions.


Indeed letting the owner independently set security policies for the owner's own domain sounds useful. Such policies could be sent by the Registrar over the same TLS / DTLS connection that is created for the BRSKI-EST, or for the standalone EST, protocol. E.g. device gets a policy update every time it gets a renewed LDevID. The policy data can be a voucher-like document, or a JWT, or a CWT, signed by the Domain CA. 


To get the policy data, the BRSKI/EST client could request it using a RESTful request. This has the benefit that we can define it as a building block independent from EST itself, while the underlying security and effort and standards-text of setting up the TLS connection is shared with EST. I'm assuming the protection provided by the TLS connection is useful and wanted in this case.


That said, security policies determined by the vendor (through MASA) could also be useful for some use cases. The vendor could enforce policies on the use of the Pledge for the particular target Domain/customer. E.g. enable some features, disable others. Currently that would be encoded in the Voucher in a vendor-specific way. Question is if there's a need to standardize this format? Or maybe have an informative document showing how to do it is sufficient. 
If we let the domain owner's security policy settings piggy-back on the Voucher document, so that all security policies are distributed via one signed document, that may be nice and simple but it's less flexible than having policies that the domain owner can determine fully independent from the MASA.


Esko




-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Tuesday, May 30, 2023 18:47
To: Srihari Raghavan (srihari) <srihari@cisco.com>; anima@ietf.org; jabir Mohammed (jamohamm) <jamohamm@cisco.com>; Reda Haddad (rehaddad) <rehaddad@cisco.com>; Sandesh Rao (sandeshr) <sandeshr@cisco.com>
Subject: Re: [Anima] FW: New Version Notification for draft-mohammed-anima-voucher-security-profile-00.txt




Srihari Raghavan (srihari) <srihari@cisco.com> wrote:
> Agreed that MASA is the signing authority and the draft is meant to
> convey that the owner can influence the choice by way of parameterized
> inputs to the MASA APIs. So, owner can be presented with a 'security
> profile selector' input via the MASA external APIs and when the owner
> provides the PDC and the selector input values, MASA can then go ahead
> and create the voucher with appropriate security profile settings
> (after verification and validation) for the device.


okay, that's an entire API from Registrar to MASA which you have to design and
document. And you mention SZTP, and it doesn't have that link.


I think that there are better ways to accomplish the configuration, such
as extending the BRSKI-EST link with new actions.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
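
Esko Dijk's suggestion in the thread above (policy data as a JWT signed by the Domain CA and fetched by the pledge over the EST connection), as an added Go example that is not from the thread or the draft: the Registrar side emits a compact JWS with ES256, and the pledge side pins the algorithm and the Domain CA key before reading any claim. The `disable` claim, the function names and the throwaway `demoCA` key are assumptions, since the thread defines no policy format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoCA, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the Domain CA key

// SignPolicy is the Registrar side: a compact JWS (ES256) over the policy JSON.
func SignPolicy(ca *ecdsa.PrivateKey, policyJSON string) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString([]byte(policyJSON))
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, ca, d[:])
	if err != nil {
		return "", err
	}
	// JWS carries ES256 signatures as fixed-width R || S, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPolicy is the pledge side: it accepts only ES256 under the pinned Domain
// CA key and returns the hypothetical "disable" claim only after verification.
func VerifyPolicy(caPub *ecdsa.PublicKey, token string) ([]string, error) {
	parts := strings.Split(token, ".")
	var h struct{ Alg string `json:"alg"` }
	hdr, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("not a compact JWS with alg ES256")
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(caPub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under the Domain CA key")
	}
	var p struct{ Disable []string `json:"disable"` } // hypothetical claim name
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &p) != nil {
		return nil, fmt.Errorf("malformed policy payload")
	}
	return p.Disable, nil
}

func main() {
	tok, _ := SignPolicy(demoCA, `{"disable":["telnet"]}`)
	fmt.Println(VerifyPolicy(&demoCA.PublicKey, tok))
}
```

The signature covers only the policy bytes; replay protection and binding the policy to a specific pledge would still rely on the TLS session or on additional claims.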