[Anima] BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
Esko Dijk <esko.dijk@iotconsultancy.nl> Wed, 07 October 2020 10:03 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07DC93A047D; Wed, 7 Oct 2020 03:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2FDehNQF_vk; Wed, 7 Oct 2020 03:03:47 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70103.outbound.protection.outlook.com [40.107.7.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE77E3A07C4; Wed, 7 Oct 2020 03:03:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ghfm2xGWmuC2Wu3xiNOUIGr5LQatA4Kedkz/WKSpmQON4/UHD9jmRsUW6zBSNLrkJVW2wAr/oj4GVygb46pLUbifcdgkf+82hEiYY8hJ+y+RcMxDcLQfQHHzvNvbgqUiD/Vfzd2XxWf0Hw8b7mzks38Xj/5O4xdnsC99MBbuS63b0PZ3A1/8RvXaN8W+AHuftupZBpmaa9nuXSTln7UVpvJuz6bkl7hZBhZoP6pqZQ3yawN3oVLQrYMqIwoFoYsalY11721nXnAmg2WrM5tpCTFTgu0dOuEn0ooqQcjOpFCSq3A6PxgdFXui+ya4fSECQWyy/pyVvOlxBKF5lYy19w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HxgUV0Kl8Wm8LbpP4ubSLiaqPvRIk3CN3htK/y3OYZY=; b=C7feRzVvVyH7jApA9UcK7/tkfkG0o+UE3WZsaSdU22HKrqonUU3iLwsiRgQvYpzbpeAy65xhbVD2sKsZJC0V5w97OYWbiKZLXt1gKmE2GCPlcimyC06vdbXYhMlEISSq1y4KByMZmL1xh08HddZQ0nq3mMABTEyQr/Akx5M2Ngdw87NBAWRTLJCyBn/uLe8wnSdCqO5URX5Oe/a2QgzteHl/de3t3f1aYfOnyAzwdRohDiZ/mtQDcTySFUoRAhKBrGeTqacKS71NyV//E/jJIL9pMylR4MpPVdCZLC4n/bpII9oF3ZNXThcHNKKR6XPkPVSepYwZCQ1HfH2Q+9VXCA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HxgUV0Kl8Wm8LbpP4ubSLiaqPvRIk3CN3htK/y3OYZY=; b=nSo2oei5+wYfzKshL0dlF+qa10Gbk7UHzlCJDOoDV0/Xhmsx0dfQNbbKTaTHI9GG40pzAt9zW98++BfUBlFdix67KAlThKV00F/JxpO6kRolXjqmDupJXeqsZxZjIPaNrFrSpMkSUh9bh0lexP0MqdKQzLIaSEuvKmlyJJljfYw=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM8P190MB0963.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1c6::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.39; Wed, 7 Oct 2020 10:03:41 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa%5]) with mapi id 15.20.3455.022; Wed, 7 Oct 2020 10:03:41 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "anima@ietf.org" <anima@ietf.org>
CC: "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
Thread-Index: Adacjc5732V1vixFQJ+DhRS1iBGdlw==
Date: Wed, 07 Oct 2020 10:03:41 +0000
Message-ID: <AM8P190MB0979B4F5CE106A12E91863A4FD0A0@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none; ietf.org; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [85.147.167.236]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 894fd519-f965-4941-7d6d-08d86aa84510
x-ms-traffictypediagnostic: AM8P190MB0963:
x-microsoft-antispam-prvs: <AM8P190MB0963AFD67616C6BFD64303F3FD0A0@AM8P190MB0963.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SrY+Y1DYUSSy+bf7CXtM9nakqpkrJ89GWe6NbwZnXk0L/oEmDS9o5oikztIdwFwteB9lgU/isXlL/sd7yvc3vaxWsf3SdY7LpP6oWiC9WufAqJlYq7OZj4tF7EZEcOcZkfLcwLry76M2VhPVZ8EIzhejjIN+Sfqhb3c7XotqVCV+P4h9Tx33BeTNGedzVoyqDgelmm3YWcQz3Xldo6wEi/gk3bJ/q0I70Sqy1VDAAm/7l6FCLCj/EI0zohd6qBllbGYEGDlKaD7F3BrXvhu3UkJ0uKRuCWwz5qUb0ku+K+TL2M0FkAiM7VSEApqUXPf1gsXUlW1Zc2Y8tJiytFwqzQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(39830400003)(376002)(346002)(136003)(366004)(396003)(478600001)(71200400001)(54906003)(6506007)(26005)(2906002)(33656002)(52536014)(6916009)(186003)(316002)(83380400001)(44832011)(9686003)(86362001)(7696005)(5660300002)(66946007)(4326008)(8676002)(8936002)(55016002)(66476007)(66556008)(66446008)(64756008)(76116006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: scVd1vHttYSY021h7YhCEEnX8GzGGU6KOT3g31I/5Ey6Uf9vI2RZSc/9XOXoCVNahB5hKPQsSYDFM2zpeBlEO1vJhr5GAzjf5Ee5BE9YBwTlmV6ZgQzUZORhmOdNsZqKJ+Ou5sig7dMtEh/oHA7CqsBefKSEpISoxvjKz4JhaItEAm6NXDGUTqgUcDQ7JfIuEX19l6XYIiSBAe1tuUpDnU0q3yeLyvtPKOzMa5kaslcVfRs8joHduF6EnQTWKlpQDkh88FpzNAklhXImLUbVilYNC15nPVM8ungTOlEYfkk4uCyy8hkv9xvxBMvTOmH3i/DAIu4YBSGd1dKqNjSXRtwhuKGGFDBE2XARnYqBYg5cLnERz98GAD+xemvGGPCCJVi/fqBkuZ06K7IuwI+5dPurWUwDM7LTqEuLdEWnLQLa2qsU0cWWnHgwTQ+1mYn5oGS8IC9YM93yz1xskQ6P/aOUG0AlO2GrTqW/eCYTIKvzx+SWmXkmVIaImmtEfe3Od3WsJxVikuNn1h38rrasgZTy1fti0Zs4xw2Tmph274idz6fqZsEgN3CcymF/ibBTiwqJxz7PLQtM+5+1OSm5FFW3kceYVvZbXzcoozF1tSXD72kMzSd3Hp+E/fZsKFNIQ6QKsNGFH4QRH3t00ueiDA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM8P190MB0979B4F5CE106A12E91863A4FD0A0AM8P190MB0979EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 894fd519-f965-4941-7d6d-08d86aa84510
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Oct 2020 10:03:41.7837 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kfRtqNRAk899PvZtKUYqEhE4blVuSBVP4DNLq6fiObDGXe3wDxbqJ6Zen68u7FK43b4LuvdxtG7GUVj1VCdRTz92EyA26eG8dtNcOQbWJSQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8P190MB0963
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/NxI10dI3urjsWbdH1nCKchVVMPM>
Subject: [Anima] BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2020 10:03:49 -0000
Hello all,
The following question came up during implementation of BRSKI: when the MASA verifies the prior-signed-voucher-request and its included ‘proximity-registrar-cert’ per Section 5.5.5, does the ‘proximity-registrar-cert’ necessarily need to be included in the Registrar’s CMS signature cert chain?
Because for cases where a Registrar uses different identities (keypairs) for TLS-server and for Voucher-Request signing, the CMS signature cert chain will typically not include the TLS-server cert and hence the ‘proximity-registrar-cert’ will not appear directly in the CMS signature cert chain.
Instead the MASA can verify that the ‘proximity-registrar-cert’ is directly *signed* by one of the CA(s) present in the CMS signature cert chain; thus it can be trusted.
Example:
Domain CA (root)
|
Subordinate CA
| \
Registrar RA Registrar RA
cert 1 cert 2
(TLS server) (signing)
The RA cert 1 is used for the TLS server. The RA cert 2 is used for signing the Voucher-Request to MASA.
The RA cert 1 is seen by the Pledge and present in the ‘proximity-registrar-cert’ field.
MASA sees the following chain in the CMS signature:
Domain CA (root)
|
Subordinate CA
|
Registrar RA cert 2
My interpretation of current BRSKI Section 5.5.5 is that the verification / consistency-check at MASA will now fail. However, another opinion in my team is that it can succeed because MASA can verify that RA cert 1 is signed by ‘Subordinate CA’ and hence can be trusted.
On the other hand, RA cert 1 and RA cert 2 are different entities logically so then the “proximity” assertion of BRSKI would be weakened.
Any opinions on this?
For interoperability, it needs to be clear for the Registrar how the MASA will perform, if this verification is enabled, the verification of Section 5.5.5. This impacts with what identity it can sign Voucher-Requests.
Best regards
Esko Dijk
IoTconsultancy.nl | Email/Teams: esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>