[Anima] ACME integrations with BRSKI and cmcRA bit
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 10 April 2020 00:39 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FD173A17D7; Thu, 9 Apr 2020 17:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hz1PZOGlLhHD; Thu, 9 Apr 2020 17:39:55 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6C643A17D9; Thu, 9 Apr 2020 17:39:54 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 16FF63897F; Thu, 9 Apr 2020 20:38:15 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 175121002; Thu, 9 Apr 2020 20:39:52 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>, Owen Friel <ofriel@cisco.com>, "anima@ietf.org" <anima@ietf.org>, acme@ietf.org, spasm@ietf.org
In-Reply-To: <AM5P190MB0275BA7298686DBADD31F0A3FDC20@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu> <600.1585687336@localhost> <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <5633.1585770340@localhost> <AM5P190MB027524F2D1530746DD48C4DDFDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <13227.1586052088@localhost> <AM5P190MB0275BA7298686DBADD31F0A3FDC20@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 09 Apr 2020 20:39:52 -0400
Message-ID: <14837.1586479192@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/rLEbQFKDvNiVLmXB4mdEWkMzRlk>
Subject: [Anima] ACME integrations with BRSKI and cmcRA bit
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2020 00:39:57 -0000
Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > Currently BRSKI Section 5.5.4 has this text: doc> The MASA MUST verify that the registrar voucher-request is signed by a registrar > If the Registrar would use a non-RA certificate e.g. ACME (LE) standard > EE certificate, then it seems that it cannot get anything from MASA...? > And BRSKI would not work? I agree that there are potential issues here. 1) I think that the MASA may skip that check for recognized registrars, so that the ACME integration work can work. This would be a local configuration. 2) It may be that draft-ietf-acme-integrations and/or draft-friel-acme-subdomains may need to specify a way to ask for cmcRA to be set within ACME, when using ACME when doing the pre-authorization for "domain.com" cf: NOTE: Pre-Authorization of "domain.com" is complete The ACME spec does support authorizations for domains, and maybe that would be the best way to do this. This also supports the concept that the cmcRA bit ought to apply to all RA operations (CMP and well as EST), as proposed in LAMPS. I think that we should perhaps plan a design team meeting/BOF around this discussion. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Benjamin Kaduk's Discuss on draft-ietf-an… Benjamin Kaduk via Datatracker
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Brian E Carpenter
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Eliot Lear
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Max Pritikin (pritikin)
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- [Anima] ACME integrations with BRSKI and cmcRA bit Michael Richardson
- Re: [Anima] ACME integrations with BRSKI and cmcR… Esko Dijk
- [Anima] ACME integrations with BRSKI and the cmcR… Michael Richardson
- Re: [Anima] ACME integrations with BRSKI and the … Esko Dijk
- Re: [Anima] [Acme] ACME integrations with BRSKI a… Deb Cooley
- Re: [Anima] [Acme] ACME integrations with BRSKI a… Michael Richardson