[Anima] Discovery of renewal server / draft-eckert-anima-brski-discovery / draft-ietf-anima-brski-ae / draft-ietf-anima-brski-prim

Toerless Eckert <tte@cs.fau.de> Tue, 21 November 2023 15:26 UTC

Date: Tue, 21 Nov 2023 16:26:33 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "anima@ietf.org" <anima@ietf.org>
Cc: draft-ietf-anima-brski-ae@ietf.org, draft-ietf-anima-brski-prm@ietf.org
Message-ID: <ZVzMKZzHISsc-Vm3@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/sW2MZZLWU2Jyft0fMgFi1x67OB8>
Subject: [Anima] Discovery of renewal server / draft-eckert-anima-brski-discovery / draft-ietf-anima-brski-ae / draft-ietf-anima-brski-prim

Revisiting the constrained BRSKI discovery details, I stumbled across a generic discovery
issue for which I would like to solicit opinions.

Please also add your thoughts about this to:
  https://github.com/anima-wg/brski-discovery/issues/4
  (but discuss here first).

Question: How do we want to deal with certificate renewal/re-keying?

Do we assume by default that any discovered BRSKI (variation) proxy/registrar is
capable of doing renewal? Technically this would not require new REST endpoints with
EST, but I am not sure this is true across all alternative enrollment protocols.
Is renewal working with PRM without changes? (If so, we should write this.)

When writing RFC8994, we did consider that not all existing EST servers would
necessarily support BRSKI, and therefore instead of using AN_join_registrar, renewal
was recommended to use the SRV.est objective. We did not define an equivalent proxy objective
though, because already enrolled pledges would not need to use a proxy but could
always connect directly to a registrar.

Do we ever need renewal to go through a proxy?

Thanks
    Toerless