[Anima] Re: Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR
Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 16 January 2025 08:10 UTC
We've discussed this exact idea in 2022/2023 - it is captured in the issue https://github.com/anima-wg/constrained-voucher/issues/239 . This was marked as a future update for cBRSKI, because it would require extending the base BRSKI protocol and its resources.

With that resource available, in cBRSKI the Pledge could perform a DTLS handshake while sending only 1 certificate to the Registrar: its IDevID EE certificate. (This reduces the size of the entire onboarding exchange quite a bit.) All the rest of the chain can then be fetched by the Registrar by doing a /crts request to the MASA, using the MASA URI provided.

The extreme reduction case I mention does have a slight security/privacy disadvantage: the Registrar can't evaluate the cert chain as a whole prior to deciding whether to contact the MASA URI, or not. I.e. the MASA/vendor can potentially harvest more sensitive data about what its customers are trying to do. There are also less extreme scenarios possible of course, e.g. where only the root CA is elided in the handshake.

> That would keep the size of the subordinate certificates out of the BRSKI-EST.

Just to note on this: in cBRSKI, this size is only included once in the handshake traffic. Certificates are not present in the signed PVR - only a signature is there.

Esko

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: Wednesday 15 January 2025 19:35
To: Esko Dijk <esko.dijk@iotconsultancy.nl>; anima@ietf.org
Subject: Re: [Anima] Discussion on BRSKI/cBRSKI/BRSKI-PRM requirements on signing the PVR

Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
    > We have some discussion (to be continued) whether the Registrar can be
    > expected to be preloaded with all CAs in the chains, or a subset of
    > only the highest sub-CAs, or only the root CA ? The more the Registrar
    > already knows, the less the Pledge has to send in its PVR, given that
    > the MASA would know all its own CAs for sure.

I wonder if we should mandate that the MASA be willing to answer a /crts request (on the BRSKI-MASA protocol) with the complete list of all CAs and subordinate CAs.
That would keep the size of the subordinate certificates out of the BRSKI-EST.
That's important today for cBRSKI, but later on, in a quantum-safe world, it might also matter to (fat)BRSKI.

You convinced me on Tuesday that I should ask for adoption of the operational considerations documents already.
But the above proposal goes beyond operation *considerations*, right?

--
]               Never tell me the odds!                | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
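The elision trade-off discussed in this thread, as an added example that is not code from the thread or from any BRSKI/cBRSKI implementation: certificates are reduced to (subject, issuer) links, the vendor chain and the MASA /crts answer are constructed sample data, and the Registrar only falls back to /crts when the Pledge's handshake certificates plus its preloaded CAs cannot close the chain, which is exactly the point at which the MASA learns about the onboarding attempt.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: subject == issuer marks a self-issued root.
    No signature checking here; real code validates each link."""
    subject: str
    issuer: str


# Constructed sample vendor PKI: IDevID-EE <- SubCA2 <- SubCA1 <- VendorRoot
VENDOR_ROOT = Cert("VendorRoot", "VendorRoot")
SUB_CA1 = Cert("SubCA1", "VendorRoot")
SUB_CA2 = Cert("SubCA2", "SubCA1")
IDEVID = Cert("IDevID-EE", "SubCA2")
# Assumed content of a MASA /crts response: every CA the MASA knows.
MASA_CRTS = [SUB_CA2, SUB_CA1, VENDOR_ROOT]


def build_chain(ee, presented, trust_store, fetch_crts=None):
    """Walk issuer links from the IDevID EE cert toward a preloaded anchor.

    presented   - certs the Pledge sent in the DTLS handshake
    trust_store - CAs the Registrar was preloaded with (the only anchors)
    fetch_crts  - callable simulating a /crts request to the MASA
    Returns (chain, contacted_masa); contacted_masa is the privacy cost.
    """
    known = {c.subject: c for c in list(presented) + list(trust_store)}
    anchors = {c.subject for c in trust_store}
    chain, contacted = [ee], False
    while len(chain) <= 16:  # guard against malformed cyclic input
        cur = chain[-1]
        if cur.subject in anchors:
            return chain, contacted
        if cur.subject == cur.issuer:
            raise ValueError(f"reached untrusted root {cur.subject!r}")
        nxt = known.get(cur.issuer)
        if nxt is None:
            if contacted or fetch_crts is None:
                raise ValueError(f"cannot locate issuer {cur.issuer!r}")
            # Chain cannot be closed locally: fall back to /crts (leaks intent).
            contacted = True
            known.update({c.subject: c for c in fetch_crts()})
            continue
        chain.append(nxt)
    raise ValueError("chain too long")


if __name__ == "__main__":
    for sent, store in [([SUB_CA2, SUB_CA1], [VENDOR_ROOT]),  # full chain
                        ([], [VENDOR_ROOT]),                  # EE only
                        ([], [SUB_CA1])]:                     # EE only, sub-CA preloaded
        chain, masa = build_chain(IDEVID, sent, store, lambda: MASA_CRTS)
        print(len(sent) + 1, "cert(s) sent, MASA contacted:", masa)
```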