Re: [Anima] BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 02 November 2020 15:37 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F763A0D34; Mon, 2 Nov 2020 07:37:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q76TyzLs5uCm; Mon, 2 Nov 2020 07:37:17 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130104.outbound.protection.outlook.com [40.107.13.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 796CC3A0A93; Mon, 2 Nov 2020 07:37:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ETUDtE7LLOi7f4WpUJ1Mo8pYNYY1U0Um3U/85dzwjQ2P45LhuiYum6VX15WgjEaY+Dd14fykCV+jai0VSNMrj/HGE5EnN+CHFttJ3xFxGlRiHfPeJ7tVRkn+IfJQRS5d0n+3UcvfV0z1NzJJdkOPmAdNDc8ZTLIIiIrgz9klonb8BBy4aTofDRu/5BI1kcem6EAm0byNZowsd7Qv5R/BCuTncRKsvJrK/v1gR1iWlMc/u1xBkBo39aj28XMrgJJRCNFVpkG7bGDu1ZBLhTbWE5mZjIz6noNqhLXQLFy8CcUOL8O5DNZZawPDkAzgvfHWqY0W4K1eQAU7yxfypwNyhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b+vChwOEjQ1+AtePIoRXS5LqKSPINr8lJV7sO+1jie8=; b=kWIzBzWhPgLee6H3O0GbTN3HgX8HluvrDslpnGXOKmj4MassnkyOBce+ceeMUMB1Ixp+TpiuxL4XmPyWvWA3B+0Yo/D/K3ip2wXw+0rnIsA0rsEznO6oXjcRSimH3nfEGY6uOO9U20FwiZimTIn/y8YF7j5N1UFxAwV1MXvdpItNYWq1W6sNN/djm1l8DhI5iZp9NBkJ3FUUa/OxYen+JrZP37E25x5n66BlU+FtJ0SQni2QxfTSVOUsLwyp0eHMAQfalf2cWaY/A0vLncx2WK29h5ysclUiBJceD7nGHQHh4YckHQhLB1+Uyh86oDchnBSztuB25ojMS+2nkuNyrA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b+vChwOEjQ1+AtePIoRXS5LqKSPINr8lJV7sO+1jie8=; b=XE1pHLqUA3YxFD02E8S+eUtUGyOGJBAeKh54GHi3tIl+nNOrHYbBO7dZ/3/TTxiBcD0kBIeuv2+iiEiOgqxGvPU9PNmjE4gLI1b8r2BZdz59JC3ZG5wvwfaVDucWsSlQbzgDToM6NUqmEtRzlhCkQKDMD+gERuTj3Gh114J3Zdk=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM0P190MB0593.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:193::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.27; Mon, 2 Nov 2020 15:37:13 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa%5]) with mapi id 15.20.3499.030; Mon, 2 Nov 2020 15:37:12 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "anima@ietf.org" <anima@ietf.org>
CC: "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
Thread-Index: Adacjc5732V1vixFQJ+DhRS1iBGdlwUnwzvg
Date: Mon, 02 Nov 2020 15:37:12 +0000
Message-ID: <AM8P190MB0979FDBFEB48F2E7C20D84BBFD100@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <AM8P190MB0979B4F5CE106A12E91863A4FD0A0@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <AM8P190MB0979B4F5CE106A12E91863A4FD0A0@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none; ietf.org; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [2001:1c02:3103:f000:7d0c:83a1:5e85:4872]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ffdc5a46-6218-4636-8952-08d87f452b41
x-ms-traffictypediagnostic: AM0P190MB0593:
x-microsoft-antispam-prvs: <AM0P190MB0593E8A5B8D175E9DE4675DAFD100@AM0P190MB0593.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XdD9pV4N8I84vjrBptTC+fwgn12aJn/Pxjw9JBTX5589xK7rlHhCt09CaTJxVMp3i/Kk9Lt+5g++PJZZu4KAHBz11rVpU7DoYZkYe7+32mPzty8J3YWD8YLS/Ah/EFeiIqM9pHcS3ZjHjrtin5n5G0uTHlJUoJO4teSS4Mj7ExsVa4Y6R9Op1nXtH2eZujJsg9aJgvaLnaaS5+KZ2WbePKGl+uCeRxMmXiQjuw62mxGlpDDe1YbC37J3OjgYYxrDcFXOOvq1h3IemOiJq4TKW1/BpcahK/c3SVfJkV4jpjfS9e9+r2d1fEboiV5e7OxVM7n2sh7g4b2g/G0TcDm06RiUVgcRTLsTcQc5HxYQfx04Om+o9hf/bwktkc5djjp2Nb2W4nQr1Z7fEsp0H7tXNw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(136003)(366004)(396003)(39830400003)(376002)(346002)(4326008)(7696005)(8676002)(83380400001)(33656002)(53546011)(6506007)(9686003)(166002)(186003)(86362001)(55016002)(5660300002)(71200400001)(316002)(6916009)(66946007)(52536014)(966005)(54906003)(478600001)(8936002)(66446008)(64756008)(66556008)(66476007)(2906002)(76116006)(44832011); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: JobGDRuCgxFISF/ZjQFXT0xB6mJknsBGTl8y+UYi+KK6o/Gs+Ak8VjLxX1A/n8LSczUXX8XzcX2ZnB6OnuXF1enolI01N8LPLdVSGHls3p3p8cpsvxQ7iTeR7IwLEXBnNeEl1k3zsnSNk64pSQh1PgBJG1rwP8UJV1zR+yMBVwf3vVWocK5SV+cWkJYHE4EsxI6k+Vvdn9YGdRIzXaPIgDAq6xEdkjCMrHV3qv0NUcoTzMYwfJ41DjOaNVwbcTIauxNHzyZ3hnDOF5Adklw7sQEZblGizfAM4JxA9Sbn1VpVsd/kWbAvrzBMYjEtec3RJupMG1ahhqVS0DbREzJMHw8CCPCJFoqnKdzRdbgkREkqjLY3v5iMQ+s1yJQDfuvq3fRW/QO+1VUK+pBDikBEGOV2OInhmMgOcHX0GLAuRY5ZyhWXozR6v37GbYOqZFSBBU0iUkFjT0YvYO0UmVL/2mbf5CAWqyeO825jGMgrxFJ321rUGOm4tMGMSGPRST21xLDBk9+loBEUT1wmF5gRpHLbYMW7epS/lb0iD65kRKMGGOcSbu65t5rNYqBsayQs3Wje7gdrJ+a4tylCRxwcas0ShS48+qutyplQD3w680ZfteDvNusB+CI759wiFLe357e+L/yIZ/Gjhxytt/m4zNHzaxFj++9tLK3F2ajWy3HtQ6MQSsrcrfDizQcHBSo2wSr4GxFIjmADTmewcE1fhQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM8P190MB0979FDBFEB48F2E7C20D84BBFD100AM8P190MB0979EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ffdc5a46-6218-4636-8952-08d87f452b41
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2020 15:37:12.6976 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nbqAbAs7kNYeUVdkGoVO2nXnOGIUGfNpfMNan5r0lQmo5VVRq4aXAgSDyHlJo+BBbUwmXD8DiBfGp86lSBUiEzCp4SHo6HS/r67l9d9vhBU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0P190MB0593
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Yi5hvqe4p5gjYW3IsvOqSQAZZcI>
Subject: Re: [Anima] BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2020 15:37:20 -0000
Update: a Github issue is now opened on this topic, see https://github.com/anima-wg/anima-bootstrap/issues/146 I was working on new text for the consistency check of Section 5.5.5, to be able to use different identities for the TLS server (southbound, towards the Pledge(s)) and for the signing of Voucher Requests. I hit upon one issue which is the following text in 5.5.2: "A MASA MAY have a local policy that it only pins the End-Entity certificate." This is the RA certificate that Registrar had used to sign the Voucher Request. If the MASA happens to use the above ‘MAY’ policy, then the Pledge will receive a Voucher with a pinned domain certificate that it cannot use… See the Github issue for more details. So as long as this above rule is in the BRSKI spec, a Registrar is unable to use different identities for its southbound TLS server and for signing of Voucher Requests. Any further opinions on this? Esko PS for reference here was the new proposed text, which unfortunately doesn’t fix everything yet: --OLD The consistency check described above is checking that the 'proximity- registrar-cert' SPKI fingerprint exists within the registrar voucher- request CMS signature's certificate chain. This is substantially the same as the pin validation described in in [RFC7469] section 2.6, paragraph three. --NEW The consistency check described above is checking that at least one of the following two conditions holds: 1) the 'proximity-registrar-cert' SPKI fingerprint exists within the registrar voucher- request CMS signature's certificate chain. This is substantially the same as the pin validation described in in [RFC7469] section 2.6, paragraph three. 2) the 'proximity-registrar-cert' was signed by one of the CA certificates in the registrar voucher-request CMS signature's certificate chain. In other words, a valid chain can be built from the 'proximity-registrar-cert' to the root CA of the CMS signature's chain. From: Anima <anima-bounces@ietf.org> On Behalf Of Esko Dijk Sent: Wednesday, October 7, 2020 12:04 To: anima@ietf.org Cc: draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org; Michael Richardson <mcr+ietf@sandelman.ca> Subject: [Anima] BRSKI: clarification needed on how MASA may check consistency of proximity-registrar-cert Hello all, The following question came up during implementation of BRSKI: when the MASA verifies the prior-signed-voucher-request and its included ‘proximity-registrar-cert’ per Section 5.5.5, does the ‘proximity-registrar-cert’ necessarily need to be included in the Registrar’s CMS signature cert chain? Because for cases where a Registrar uses different identities (keypairs) for TLS-server and for Voucher-Request signing, the CMS signature cert chain will typically not include the TLS-server cert and hence the ‘proximity-registrar-cert’ will not appear directly in the CMS signature cert chain. Instead the MASA can verify that the ‘proximity-registrar-cert’ is directly *signed* by one of the CA(s) present in the CMS signature cert chain; thus it can be trusted. Example: Domain CA (root) | Subordinate CA | \ Registrar RA Registrar RA cert 1 cert 2 (TLS server) (signing) The RA cert 1 is used for the TLS server. The RA cert 2 is used for signing the Voucher-Request to MASA. The RA cert 1 is seen by the Pledge and present in the ‘proximity-registrar-cert’ field. MASA sees the following chain in the CMS signature: Domain CA (root) | Subordinate CA | Registrar RA cert 2 My interpretation of current BRSKI Section 5.5.5 is that the verification / consistency-check at MASA will now fail. However, another opinion in my team is that it can succeed because MASA can verify that RA cert 1 is signed by ‘Subordinate CA’ and hence can be trusted. On the other hand, RA cert 1 and RA cert 2 are different entities logically so then the “proximity” assertion of BRSKI would be weakened. Any opinions on this? For interoperability, it needs to be clear for the Registrar how the MASA will perform, if this verification is enabled, the verification of Section 5.5.5. This impacts with what identity it can sign Voucher-Requests. Best regards Esko Dijk IoTconsultancy.nl | Email/Teams: esko.dijk@iotconsultancy.nl<mailto:esko.dijk@iotconsultancy.nl>