Re: [Anima] BRSKI-AE text proposal: how to signal to a pledge which BRSKI variant(s) with which parameter(s) a registrar supports
"Fries, Steffen" <steffen.fries@siemens.com> Fri, 08 September 2023 14:26 UTC
Return-Path: <steffen.fries@siemens.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E301C15106B; Fri, 8 Sep 2023 07:26:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUUpGO03TNq2; Fri, 8 Sep 2023 07:26:48 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on2054.outbound.protection.outlook.com [40.107.8.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3766C151069; Fri, 8 Sep 2023 07:26:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fu90/oNmuEL/Xg+u1ds902qBcNZAzv6LFqRBfpbmqM/rjHb5s7rjhL7okE9/mGv2Z1/JKRjmrVYcI8kRw9jSKfZTqoCM4EU8VR/undIVL9slQNfFrwt36C3S6mAlmxpxSHxtO6vMlFMbQIVN3zFZZGzCkRMC3dXNOM8s9E3kJYCZ/sihSN7kEVcNYmPB2o0BkiRWpueb71lJ2Sjgb82phFIy1G1C381hqGQA4XSK1zslaUFMo72Vi93aVxlalcwRT4m6TVD5g1HwWTI61gvCdFu2QNkYM3UY4jZ8Pnmu3JxDTN9gKSMtwS2HNx7vHrRvCgiRWWfoqwuNm/3OIcxVVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zQhbfhzaiyJUZ1yIkn63TOR71F5D50GwCjpXLwhJYGM=; b=f2KXy9Ft3J3HwIa8GjnrFvzQg8dW9AqJIDsZRP0S88NjuvAj3F3znMJntq9wGVCpQCcgpBMeheRq9WDVhQZQXaEYiUh6gtmZVUAdjm1F/gweib0YYwMUcq2piXaSdCIe2PfpQEbUCGXQRQg9TIn+u4+WWUkmG1slQ6tcIR83sw8CN/5lqCtDNxhZXBmZvvfDmlVOm38zEHa2ojgct2C96FsNMvyk6Gu7bHgt2ptKf9fA6rvOL4s+LfAM2CvKuH64uQCvY7NNuIVtwqGpS8pyL/LDMr+r0dAw6dqCxQhxdfCpeGYjhTZc73ld6AaYa9FPpWjUAylPDkpbhpm1nclKfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zQhbfhzaiyJUZ1yIkn63TOR71F5D50GwCjpXLwhJYGM=; b=sKBVKW8Ob5WjAyWN0I7+8J9ZxJBBpBMwEoq4s+yPfWxzQBLCAV++RHdRFYljnEP1h3WNJlX4aVnW/3Ql7F4eo3KH/VZJ0A7tffV2qRmy4ZgpLwxDohE5E4xfu2/KSIw9ag2bfGIDvvZpMONurAVZri7XaO74YoK5ACaWUNFtKQv3fXGULR/wHhcpJ2b/E5Kc2uNsqVuEhAtNHrlt1/z28bVUxrIYQEOAiEZCMFjSKVI1hbzx7fcrC5PFDF/H42/5SQz9W4Ef0Qlxds3Vva/Isu1TiwOCH3H1ZmuLPAvSyrNbp2I9w1S/KjUM98hGmEG94Gdg2zb8S2P6/UO4qqSs9g==
Received: from DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3c6::22) by DUZPR10MB8227.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:4d3::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6768.30; Fri, 8 Sep 2023 14:26:44 +0000
Received: from DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM ([fe80::2a9:4d06:3992:f4b]) by DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM ([fe80::2a9:4d06:3992:f4b%6]) with mapi id 15.20.6745.035; Fri, 8 Sep 2023 14:26:44 +0000
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: Toerless Eckert <tte@cs.fau.de>, David von Oheimb <it@von-oheimb.de>
CC: draft-ietf-anima-brski-ae <draft-ietf-anima-brski-ae@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Brian E Carpenter <Brian.E.carpenter@gmail.com>, anima <anima@ietf.org>, anima-chairs <anima-chairs@ietf.org>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "pritikin@cisco.com" <pritikin@cisco.com>
Thread-Topic: [Anima] BRSKI-AE text proposal: how to signal to a pledge which BRSKI variant(s) with which parameter(s) a registrar supports
Thread-Index: AQHZ4QEk2tE8ohzGAkCDMA5iz64I3rAOlDyAgAJi6jA=
Date: Fri, 08 Sep 2023 14:26:44 +0000
Message-ID: <DB9PR10MB635418D7454506DB95A40CB9F3EDA@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
References: <ZEAfR3/01oaduCO9@faui48e.informatik.uni-erlangen.de> <2ff32157884c5a4522bec999cfe469610f050151.camel@von-Oheimb.de> <777cb0d7-15bc-5ae5-7561-00fc180da099@von-Oheimb.de> <ZPkoG+SyvJPOozdF@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZPkoG+SyvJPOozdF@faui48e.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=5c43e89c-bfce-4ec9-af19-9392f0132991; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-09-08T13:58:44Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DB9PR10MB6354:EE_|DUZPR10MB8227:EE_
x-ms-office365-filtering-correlation-id: 1536f778-47f3-443f-070d-08dbb077a0b5
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /idDVes/R6B10xDU0mCEJHjmNt5tYY70KkjnIm2x8XtlsUqpxVMgPXJBgM/sdEHycKYSywmbfZp5oj16PUn93OJEBamajUlYk3l5r6vK0tJ4kxlJmtwgnB8Eb4vymMO2fEdXh+6QH/mh43Y5KrlgmejpMC0x7jcdDs7Z+emREjvPf0/agilhSDvcPPuPsLyLp8w9KSQ6y9MSpMz8qqJ5aWrMIQ5LygUhZdUOeIaU0cQ1yj85IaJ8690LlGuHCFETSzdo1vX/1QMzTox0LnvTptFk4XYWwqIbKQgi3Rfj8U4B0r+IW30yVvWAvt5t5Soy5PMEezA0QScQoOiVq2wHK9ikJPJK/un2tCpyVEgobecU3CM03azy1zTBd6V8n8FMqm4XE9e1ZBylC1ZNha4iV3HgQpXxh3qZo7ChqwjQwRYIqHdvZ680AXNgM3dNrH8RIS/EcSrO1moB9fTj/CWkWpJ6c/tx+fGtl0DLLnqz7cTITuJDDG5SVVTEu4b6a5FHefJhC4iDpQ8hVjjAKS0jnO0okU+ZYsqeT33E85392rzCBt/XPcYzrfr//IJIRPwNhKiGkRYKjsIBK8Tz3MNJEb5AwieQ2GNuBT+j4Su0Y44=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(376002)(366004)(396003)(346002)(136003)(1800799009)(451199024)(186009)(38070700005)(38100700002)(55016003)(82960400001)(83380400001)(122000001)(30864003)(2906002)(66446008)(110136005)(71200400001)(54906003)(66476007)(64756008)(76116006)(53546011)(66556008)(66946007)(316002)(45080400002)(6506007)(86362001)(7696005)(966005)(9686003)(33656002)(478600001)(26005)(52536014)(4326008)(8676002)(8936002)(5660300002)(41300700001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ffjMH0TWs5msl9UU0bvS9VepXbyst58t7/monyNdBz9gKF7BIeHS5pTIhUjJIrnX2P9fACbR2shfR5mKSstB5bYH9OS1UaujHlgz3r2VGenqsJGXXZwoZ9PSvVKQNQW0XIInUOf4KwC8ypt4fNYkm0fN3hthEgdHKKYjW9SHb9FZBNKx9AzFjJQ5/dQz/0M8i3o3znfkNz3Jj64x+IF8Jzr7cUs9wtUq95kkB+tUZTqhPj6V97N8QMJB64Bt5wAS2+VBmQu1FzQ8e9phKnvULA1ciug/bTciEhc0QpNF7P3tbyIz0yxRgPclqQLfEVbFDokSOeq5QfFSQe9ZnpGliMeDp87Nk86oB93QD758Lr0dLJlIg+guAzDelcutFDPOsIQsoM+KG7ShKoF7TTGzGu+Ta/DG8/ks/ClVuF64tL3iq0v23I/+Dj0WEtz4w3HJjYtJc65mO294AVSByrCJ/d4kIRxbdxjbuREE3y39ZHIgRCAU9c/oRxCfIqim0YxiTbtnvF/iR4WyYMsVl/sOzBRqMaB1TfMAL6C2oaaVUb+oh1CAm7kZzxx8Ky1Si9S3hl4jqdAGg3OVpGO0qcww10Ymv27CRjxVxQdr+QKAPJnFv+nnJzUYTnJ8/jYgtNNng7qymMvXyi0X/v9+eCwSXcsrIFTAcxMNPvVawQVHzy1+xU5vlmeh1OCMN5bq8w8WewLGJw/43zKoywiGp0pX2Dea4NCzhHfh9NMOCV2Xoq2+JRWv/HyuDyDQ1gtlWwzRCXWATaXuiHtgVlxK59qa8u0/OGX2syaJNRVqqy8DyBCRrKSq7ocGjKEgg+P3QbVaz+D4nv1Y9qEBkEGvvF172oGvx7ssv6+zrFNNikEdCIwZdMdrBqHQIPhaenuGxIHbzCxA6zFeYcB+XSN1BsfSSjsyD+UvGvSGu9LBOad5xvSTMHT12L648cjPPiXhD1Y898c8OmSre6CacTHDv8Pg4L5wQ+H1kdd4yUXArkYHdCpP3iX6/sq1FYBirAHgrKq8Lj3ZG+5Boa/ljAqXKbuIBz3WO4Mym7gjWOYsyhJ6j4z2X1E5Bgfj2tP4LsJYog01hYXGhVk7miV+jxmOw6VyhYlQHM6AJF9avNJABoWgtt1XKdjx2Q1K+5YA2pFafhaNvrS7hLJyaHpjhgUgLm/L5ApIOE6XNsq/E9qybXDTS4ZwhMZ33b3vGg/D6zBRT1vacaiZOwYRqlHqTy9BHgFRCmJMZ/ic3aBiNEmxxOPG1jZsFyLUdDNlhpDxeMIP/p9MGeHBtD+h1RH6SgDRSVm/w7VzV5v3TuM0q5+1/896rfVp4AJ94qxuSkf9dKITk9r5d5yxW+evZaAYGzErH51VDkBzjZR8+wuCOTjRdjy17DQo7EWZBXRwlnz6byay2S01MlYeSIdlNRo6U0I1PIAO1v36eRlXOB/izgf01FTIjpbFbwRAKdk5D1P/e3rNdQS8g7PMLa/jwUGBzoY7xC4tGij4kvm6k5KL8DtnS5sXIhj5AuF3BfNyaTTmkb/TLh9WQxy4RIvplZVodO0ftwIvXQ5ZiMIdtBCtBtY4y7wlTH6vDy6FvOsR/L9n6uAajzDPe0c0jXl28yYxB0MlR/MUXw==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 1536f778-47f3-443f-070d-08dbb077a0b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Sep 2023 14:26:44.6467 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: e012re0JxuDYmpqmVs1sUXZyXTHFawuIEHaC+n7UdWDR8G1g2WKJywHmatTxUXH/2OpU87yb3Ld4i3xJJ3gaCMuni1cHsn4VTDmWUQTydoY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DUZPR10MB8227
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/vlh7r0torDe40RubO0FICBr826g>
Subject: Re: [Anima] BRSKI-AE text proposal: how to signal to a pledge which BRSKI variant(s) with which parameter(s) a registrar supports
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 14:26:52 -0000
Hi Toerless, I put in some further thoughts inline. Best regards Steffen > -----Original Message----- > From: Toerless Eckert <tte@cs.fau.de> > Sent: Thursday, September 7, 2023 3:32 AM > Subject: Re: [Anima] BRSKI-AE text proposal: how to signal to a pledge which > BRSKI variant(s) with which parameter(s) a registrar supports > > Thanks, David > > I have some more fundamental concerns than the discussions that we had this > week and that you tried to sommarize, so let me try to restate the issue in a > way that readers with less context detail can hopefully follow. > > In BRSKI, the overall sequence of events is high level: > 1. Pledge discovers (somehow) BRSKI registrar, which is specified to MUST > support EST. > 2. Pledge connects to registrar, TLS > 2.1 Pledge requests a voucher over the TLS connection. > 2.2 If 2.1 is successful, pledge requests EST enrollment over same TLS > connection > > Now, with BRSKI-AE, some set of pledges may only support some other > enrollment protocol, such as CMP instead of EST. So, the above method stays > the same, except that in 2.2, EST is replaced with e.g.: CMP. > > Now the problem is that for this to work "guaranteed", pledges would need to > be able to discover a Registrar that supports (one of) the same enrollment > protocol(s) as the pledge. > > We have started to work on such discovery solutions across the different > BRSKI extension, including AE, but the authors of BRSKI-AE where trying to > find the best solution how to make this work best in the absence of such a > discovery mechanism. > > A) For once, there is the hope that by having such a "fallback" solution (no > correct discovery of supported enrollment protocol on registrar), that the > reference to a working discovery solution could become informational only as > opposed to normative. > > I am not quite clear about whether or not a reference to a discovery solution > should be normative or information, whether or not we do have some better > or worse fallback. [stf] I think having it optionally would be fine and ensure backward compatibility > Practically speaking, i don't believe that a normative reference does necessarily > help in practical deployments. For example, assume we would specify only a > GRASP discover in such a reference, and then a deployment can not use > GRASP and needs another discovery solution anyhow. Aka: a loose linkage > that is informational could IMHO say "MUST support > _some_/_whatever_/_you_pick_ discovery, such as <grasp-reference>" would > be appropriate in my book, and having e.g.: <grasp-reference> be > informational. But on this point, mileage will vary, so thats a separate question > we should investigate with folks with IESG experience. > > B) The core issue really is: If we assume that we do NOT have a working > discovery, but only RFC8995 BRSKI discovery, then we may persistently learn > about registrars that will NOT support the enrollment protocol required by the > pledge. [stf] One assumption we always had was that the registrar in the infrastructure is the more capable device, meaning that a registrar that supports BRSKI-AE would also support BRSKI contrary to a pledge, which we would assume only supports one of the options. I know, this does not help with old registrars, which get contacted by BRSI-AE pledges. > Lets say the example is that a domain has two registrars, one with EST, one > with CMP, and the discovery mechanism from rfc8995 can not help to > distinguish, and now, the most important issue that we need to tackle is that > all RFC8995 compliant pledges could persistently discover the CMP registrar > first before the EST registrar, because for example the existing discovery > mechanisms persistent ordering rules of responses. > > These RFC8995 pledges are a bigger pain that BRSKI-AE/CMP pledges, because > currently the brski-ae draft does not claim to update RFC8995, so we can not > assume that any useful text we write into brski-ae will be honored by those > RFC8995 pledges. [stf] I understood the update was deliberately removed but is intended to be reintroduced as "extend" based on the draft you referred to from Mirja (https://datatracker.ietf.org/doc/draft-kuehlewind-rswg-updates-tag/) > > So, if we want to be 100% sure that the deployment of an additional BRSKI- > AE/CMP registrar will not negatively impact any existing RFC8995 pledges, we > would have to use completely incompatible discovery parameters, so legacy > pledges will never discover the new BRSKI-AE/CMP registrar. For example > using in DNS a new service name 'brski2-registrar'/brski2-proxy or the like. [stf] again, if we assume the (likely) existence of a single registrar featuring both approaches BRSKI and BRSKI-AE it is not a problem. Also, for the AE pledges, if the error handling is enhanced in section 4.2.3 (https://www.ietf.org/archive/id/draft-ietf-anima-brski-ae-05.html#name-pledge-registrar-ra-ca-cert) to consider the case were there will be a timeout (no response) or an error response resulting in the deletion of the voucher on the pledge site would cover several cases. Also for the registrar, this type of enhanced error handling is possible, allowing the registrar to update the (local) state of the pledge with respect to the onboarding. > > Given how i think we do not have crucial production deployments of BRSKI > that we would need to protect in this way, i think we do not need to do this, > because it's always ugly to leave trash of first-gen work around, especially in > registries. Instead, we may rather want to document in brski-ae these risks > after we've worked through the cases, and maybe also use the tool of > updating RFC8995 with BRSKI-AEonce we agree on the solution we like (and > see that we get easier solutions with fixing up BRSKI requirments). > > So, i have a hard time to extract from rfc8995 the likely worst-case common > behavior of an RFC8995 pledge in case of a failure. > > E.g.: Lets assume we use the voucher extension approach, so an improved > 'BRSKI-AE' > pledge's voucher request will contain the list of supported enrollment > protocols, and in converse, a BRSKI-AE registrar can deduce that a voucher > request comes from a non-BRSKI-AE (EST-only) pledge. What error code > should it return to such a pledge ? > > Or would the registar better return a 30x error code to directly redirect the > pledge to the EST registrar. IMHO: If we think that we can improve the > likelyhood that RFC8995-only pledges can overcome issues in the presence of > new BRSKI-AE registrars by such a redirect, then i think we should add a > "SHOULD be able to redirect RFC8995 pledges to a known/discovered > RFC8995 registrar". [stf] both approaches are possible from my understanding, but need some rethinking, as the redirect would have an influence the provisional accept state handling on the pledge. > > In addition: I am still a fan of new pledges trying to figure out what the > registrar can do - like we can do in CoAP. But i'll have to ask around if/how this > would be feasible with existing IETEF work. [stf] Yes. We had that discussion already regarding the endpoint discovery, which was explained to not work with http. Unfortunately. > > Cheers > Toerless > > On Wed, Sep 06, 2023 at 10:31:36PM +0200, David von Oheimb wrote: > > Dear ANIMA WG, > > > > as mentioned in the below email and in the status report at IETF 117, > > the BRSKI-AE draft would be ready for AD review, except that after end > > of WGLC, a rather general open issue with all upcoming BRSKI variants > > has been brought up by Toerless, namely how to signal to the pledge > > the capabilities of the registrar, i.e, which BRSKI variant(s) it > > supports with which parameter(s). > > > > After some forth and back, as far as the BRSKI-AE draft is concerned, > > it should be sufficient to extend its currently very brief section: > > > > > *4.2.1.<https://eur01.safelinks.protection.outlook.com/?url=https%3A > > > %2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-anima-brski- > ae% > > > 23section- > 4.2.1&data=05%7C01%7Csteffen.fries%40siemens.com%7Cd0d214a > > > > a621a4787777d08dbaf424411%7C38ae3bcd95794fd4addab42e1495d55a > %7C1%7C0 > > > > %7C638296471376550045%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4 > wLjAwMDAiLC > > > > JQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&s > data=b > > > > k4n5GU2XhEWMnniZ1lOQfSm7ItCXm3jZ2A6k%2BpsGyE%3D&reserved=0>P > ledge > > > - Registrar Discovery > > > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fd > > > atatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-anima-brski-ae%23name- > > > pledge-registrar- > discovery&data=05%7C01%7Csteffen.fries%40siemens.co > > > > m%7Cd0d214aa621a4787777d08dbaf424411%7C38ae3bcd95794fd4adda > b42e1495d > > > > 55a%7C1%7C0%7C638296471376550045%7CUnknown%7CTWFpbGZsb3d > 8eyJWIjoiMC4 > > > > wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000% > 7C%7C > > > > %7C&sdata=fjZEhnYa2x2qziIEtw24QxfrlKFkO5tnoeAeuhHR%2F1s%3D&reser > ved= > > > 0>* The discovery is done as specified in [RFC8995 > > > > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww > w.rfc- > editor.org%2Finfo%2Frfc8995&data=05%7C01%7Csteffen.fries%40siemens.c > om%7Cd0d214aa621a4787777d08dbaf424411%7C38ae3bcd95794fd4add > ab42e1495d55a%7C1%7C0%7C638296471376550045%7CUnknown%7CT > WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL > CJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3%2B8jio8N8g1%2BKhWyn > 07n3JoUcAq0wXu0sx%2Fk4WmwwXA%3D&reserved=0>]. > > > > with some guidance, such as the following text: > > > > > The pledge discovers the registrar basically as specified in > > > [RFC8995 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww > w.rfc- > editor.org%2Finfo%2Frfc8995&data=05%7C01%7Csteffen.fries%40siemens.c > om%7Cd0d214aa621a4787777d08dbaf424411%7C38ae3bcd95794fd4add > ab42e1495d55a%7C1%7C0%7C638296471376550045%7CUnknown%7CT > WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL > CJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3%2B8jio8N8g1%2BKhWyn > 07n3JoUcAq0wXu0sx%2Fk4WmwwXA%3D&reserved=0>]. > > > In an engineered environment, the pledge may simply assume that the > > > discovered registrar supports the BRSKI-AE variant of BRSKI with the > > > certificate enrolment protocol it wants to use. > > > > > > Note: In case the protocol is not supported by the registrar, this > > > would be detected only after the pledge sent its certificate > > > enrolment request, on which it would receive an error (likely at > > > HTTP level). > > > This late detection might be avoided in several ways. > > > The registrar might be able to determine by inspecting the IdevID > > > used by the pledge in the voucher request which enrolment protocol > > > the pledge is going to use and reject the voucher request if it does > > > not support this protocol. > > > The pledge could also include in its voucher request an explicit > > > indication which enrolment protocol it is going to use, such that > > > the registrar can safely reject the request if it does not support > > > this protocol. This may be achieved by a simple optional extension > > > of the voucher request structure with a key-value pair, where > > > absence implies "EST" as the default protocol, and currently the > > > only other defined value would be "CMP". > > > > > > As a more general solution, the discovery mechanism by BRSKI may be > > > extended to provide beforehand to the pledge explicit information on > > > the capabilities of the registrar, such as the certificate enrolment > > > protocol(s) it supports. > > > This needs to be specified a separate document; at the time of > > > writing this specification, it is being done in [TDB informative > > > reference toBRSKI-discovery > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith > ub.com%2Fanima-wg%2Fbrski-discovery%2Fblob%2Fmain%2Fdraft-ietf- > anima-brski- > discovery.md&data=05%7C01%7Csteffen.fries%40siemens.com%7Cd0d214a > a621a4787777d08dbaf424411%7C38ae3bcd95794fd4addab42e1495d55a > %7C1%7C0%7C638296471381705308%7CUnknown%7CTWFpbGZsb3d8ey > JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D > %7C3000%7C%7C%7C&sdata=Z1hiCOg3VRgyKYaUlfWs0%2BGTxr4e%2BBOr > XPpBNH98yR0%3D&reserved=0>]. > > > > > This topic, including the current state of the proposal, is meanwhile > > being handled at > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithu > b.com%2Fanima-wg%2Fanima-brski- > ae%2Fissues%2F32&data=05%7C01%7Csteffen.fries%40siemens.com%7Cd0 > d214aa621a4787777d08dbaf424411%7C38ae3bcd95794fd4addab42e149 > 5d55a%7C1%7C0%7C638296471381705308%7CUnknown%7CTWFpbGZsb > 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn > 0%3D%7C3000%7C%7C%7C&sdata=hfoOtQotYuRvAmiRhiB3IlM1SuEeWoc% > 2BT63DWInzO1Q%3D&reserved=0. > > If you have any thoughts to share on it, I ask you to let us know by > > email or by commenting on that page. > > In particular, in case you have objections, please raise them to the > > draft authors by the end of next week. > > > > Regards, > > > > David > > > > > > On 02.05.23 16:56, David von Oheimb wrote: > > > Dear Brian, Toerless, Michael, et al., > > > > > > thank you > > > > > > * Brian for your comment during the WGLC, > > > * Toerless for your further quick shepherd review thereafter, and > > > * Michael for your response on the latter on how to reference EST, > > > > > > > > > all quoted below. > > > > > > I've meanwhile prepared an intermediate version of the draft that is > > > not yet officially submitted to IETF, i.e., a preview of version 05, > > > available at > > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgi > > > thub.com%2Fanima-wg%2Fanima-brski- > ae&data=05%7C01%7Csteffen.fries%40 > > > > siemens.com%7Cd0d214aa621a4787777d08dbaf424411%7C38ae3bcd957 > 94fd4add > > > > ab42e1495d55a%7C1%7C0%7C638296471381705308%7CUnknown%7CT > WFpbGZsb3d8e > > > > yJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3 > D%7C > > > > 3000%7C%7C%7C&sdata=WpInfwc%2BquC8CMyGy1KzTCcVebMFyN6BzoSX > zPPTCmw%3D > > > &reserved=0 > > > > > > The change log so far is: > > > > > > * Remove entries from the terminology section that should be clear > > > from BRSKI > > > * Tweak use of the terms IDevID and LDevID and replace PKI RA/CA by > > > RA/CA > > > * Add the abbreviation 'LwCMP' for Lightweight CMP to the > > > terminology section > > > * State clearly in Section 5.1 that LwCMP is mandatory when using CMP > > > * Change URL of BRSKI-AE-overview graphics to slide on IETF 116 > > > meeting material > > > > > > > > > The first two items were suggested internally by Steffen, while the > > > remaining ones address the below points by Toerless and Brian. > > > > > > Regarding the reference to EST, the authors discussed this and came > > > to the conclusion that we better keep the reference to EST [RFC > > > 7030] as /informative/ because we do not really depend on its > > > contents since the EST instance of BRSKI-AE has effectively been > > > removed from the draft (and just remain as a theoretical option). > > > The only "feature" that stems from EST that we take over in > > > BRSKI-AE, namely the endpoint naming scheme, is already covered by > > > the reference to BRSKI [RFC 8995], such that having BRSKI as a > > > /normative/ reference fully covers this. > > > OTOH, the references to CMP are clearly /normative/ for the case > > > that BRSKI-AE is instantiated to CMP, which we have made more > > > explicit in the upcoming version as stated in the above change log. > > > > > > Thus we believe that we have covered all open points, and since the > > > IPR poll has been finished as well, the draft would be ready for > > > being submitted and for AD review, > > > but: > > > > > > On Thu, 2023-04-27 at 11:02 +0000, Fries, Steffen wrote: > > > To: anima@ietf.org <anima@ietf.org> > > > Subject: [Anima] Design Team Meeting discussion (April 25) on > > > BRSKI-PRM discovery with cross relation to BRSKI-AE > > > > > > > Independent of the final solution picked, as BRSKI-AE is also > > > > enhancing the functionality of a BRSKI registrar by supporting > > > > alternative enrollment protocols, the same approach is to be > > > > intended for BRSKI-AE as well. Therefore, we will wait with the > > > > submission of an updated BRSKI-AE draft until the discussion has > > > > ended. > > > > > > So we are holding back the draft until this has been sorted out, > > > most likely resulting in a small paragraph to be added to BRSKI-AE. > > > > > > If there is any further comment or suggestion for improval, please > > > let us (the authors) know. > > > > > > Best, > > > David > > > > > -- > --- > tte@cs.fau.de
- [Anima] WGLC for draft-ietf-anima-brski-ae-04, en… Sheng JIANG
- Re: [Anima] WGLC for draft-ietf-anima-brski-ae-04… Brian E Carpenter
- Re: [Anima] WGLC for draft-ietf-anima-brski-ae-04… Toerless Eckert
- Re: [Anima] WGLC for draft-ietf-anima-brski-ae-04… Sheng Jiang
- [Anima] Result//Re: WGLC for draft-ietf-anima-brs… Sheng Jiang
- Re: [Anima] Result//Re: WGLC for draft-ietf-anima… Toerless Eckert
- Re: [Anima] Result//Re: WGLC for draft-ietf-anima… Michael Richardson
- Re: [Anima] Result//Re: WGLC for draft-ietf-anima… Toerless Eckert
- Re: [Anima] Result//Re: WGLC for draft-ietf-anima… David von Oheimb
- [Anima] BRSKI-AE text proposal: how to signal to … David von Oheimb
- Re: [Anima] BRSKI-AE text proposal: how to signal… Toerless Eckert
- Re: [Anima] BRSKI-AE text proposal: how to signal… Fries, Steffen
- Re: [Anima] BRSKI-AE text proposal: how to signal… Esko Dijk