IETF Logo Mail Archive

Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09

Toerless Eckert <tte@cs.fau.de> Wed, 21 February 2018 02:38 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94BE91241F3; Tue, 20 Feb 2018 18:38:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.96
X-Spam-Level:
X-Spam-Status: No, score=-3.96 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kp3m01eSH5p2; Tue, 20 Feb 2018 18:38:50 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F64D1204DA; Tue, 20 Feb 2018 18:38:50 -0800 (PST)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 510D758C565; Wed, 21 Feb 2018 03:38:45 +0100 (CET)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 309EEB0DB08; Wed, 21 Feb 2018 03:38:45 +0100 (CET)
Date: Wed, 21 Feb 2018 03:38:45 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, anima@ietf.org
Message-ID: <20180221023844.GD23498@faui40p.informatik.uni-erlangen.de>
References: <20180214010910.GA27823@faui40p.informatik.uni-erlangen.de> <23103.1519174480@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <23103.1519174480@obiwan.sandelman.ca>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/xQv4zGdHBybjnP51agdy_dCM4iI>
Subject: Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 02:38:53 -0000

Thanks, Michael
Can't see a commit on github since 6 dyays ago, maybe in different branch ?
Comments for now therefore inline against your email.

On Tue, Feb 20, 2018 at 07:54:40PM -0500, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > Overall:
> 
>     > a) Requirements about EST:
> 
>     > - The introduction says: "Integration with a complete EST enrollment is
>     > optional but trivial"
>     > - 5.8.3 says "The Pledge MUST request a new client certificate".
>     > - 1.4 says "bootstrapped devices have a common trust anchor and a certificate
>     > has optionally been issued from a local PKI
> 
>     > a) The text needs to be made consistent across all places where requirements
>     > are defined. I have in general no strong opinion how "optional" the text should
>     > say EST operations are, BUT consider he following points:
> 
>     > b) We need a complete list of BRSKI requirements for ANI devices, where EST
>     > operation requirements are made stronger. I suggest a separate subsection at an
>     > appropriate place so that "ANI requirements" shows up in the table of contents:
> 
>     > Section X.Y.Z Requirements for ANI devices:
> 
>     > For BRSKI on ANI Devices (ANI = BRSKI + ACP), EST operations is mandator.
>     > The ANI pledge MUST perform
>     > - "CA Certificates Request",
>     > - "CSR Attributes"
>     > - "Client Certificate Request"
>     > - "Enrollment status Telemetry"
>     > The ANI registrar MUST support BRSKI and these EST operations.
>     > All ANI devices SHOULD support the BRSKI proxy function.
> 
> I've done the following:
[...]> 

>  1.1.  Other Bootstrapping Approaches
> 
>     To literally "pull yourself up by the bootstraps" is an impossible
> @@ -233,9 +237,10 @@ Internet-Draft                    BRSKI                    February 2018
>     without external help is also an impossibility.  Today it is commonly
>     accepted that the initial connections between nodes are insecure,
>     until key distribution is complete, or that domain-specific keying
> -   material is pre-provisioned on each new device in a costly and non-
> -   scalable manner.  Existing mechanisms are known as non-secured 'Trust
> -   on First Use' (TOFU) [RFC7435], 'resurrecting duckling'
> +   material (often pre-shared keys, including mechanisms like SIM cards)
> +   is pre-provisioned on each new device in a costly and non-scalable
> +   manner.  Existing mechanisms are known as non-secured 'Trust on First
> +   Use' (TOFU) [RFC7435], 'resurrecting duckling'
>     [Stajano99theresurrecting] or 'pre-staging'.

Nice.

>     Another approach is to try and minimize user actions during
> 
> @@ -358,6 +364,13 @@ Internet-Draft                    BRSKI                    February 2018
>        "Registrar".  The term JRC is used in common with other bootstrap
>        mechanisms.
> 
> +   (Public) Key Infrastructure:  The collection of systems and processes
> +      that sustain the activities of a public key system.  In an ANIMA
> +      Autonomic system, this includes a Domain Certification Authority
> +      (CA), (Join) Registrar which acts as an [RFC5280] Registrar, as
> +      well as appropriate certificate revocation list (CRL) distribution
> +      points and/or OCSP ([RFC6960]) servers.

I had interpreted Max'es response on the mail discussion to indicate that
MASA would also be considered to be part of the PKI. I am fine either way.
Just checking. If as you propose above it's not part of the PKI, a simple
sentence explaining why not would be great.

> +
>     Join Proxy:  A domain entity that helps the Pledge join the domain.
>        A Proxy facilitates communication for devices that find themselves
>        in an environment where they are not provided connectivity until
> 
> +1.5.  Requirements for Autonomic Network Infrastructure (ANI) devices
> 
> +   The BRSKI protocol can be used in a number of environments.  Some of
> +   the flexibility in this document is the result of users out of the
> +   ANI scope.  This section defines the base requirements for ANI
> +   devices.
> 
> +   For devices that intend to become part of an Autonomic Network
> +   Infrastructure (ANI) ([I-D.ietf-anima-reference-model]) that includes
> +   an Autonomic Control Plane
> +   ([I-D.ietf-anima-autonomic-control-plane]), the following actions are
> +   required and MUST be performed by the Pledge:
> 
> +   o  BRSKI: Request Voucher
> 
> +   o  EST: CA Certificates Request
> 
> +   o  EST: CSR Attributes
> 
> +   o  EST: Client Certificate Request
> 
> +   o  BRSKI: Enrollment status Telemetry
> 
> +   The ANI Registrar (JRC) MUST support all the BRSKI and above listed
> +   EST operations.


Can't remember conclusion on redundant terminology re. JRC vs. the other terms
used. Personal preference would be to eliminate JRC as a term, but i'll wait
for the final doc. re. minimum necessary terminology.

> +   All ANI devices SHOULD support the BRSKI proxy function, using
> +   circuit proxies.  Other proxy methods are optional

Overall 1.5 nice.1

> +   , and may be
> +   enabled only if the JRC indicates support for them in it's
> +   announcement.  (See Section 4.4)

IMHO: sentence eend after "optional". Followed by "all proxy functionally
needs to ... be enabled...

Aka: circuit proxy is a no-op too if the proxy does not discover a registrar
supporting it. Not specific to advanced options.


>     > II) This leaves the option that EST to install trust anchor is mandatory, but
>     > enrolment with a certificate is optional (except for ANI case).
> 
>     > Aka: would be good to write a sentence/paragraph exactly outlining what is
>     > permitted to happen after a voucher and if any, what parts of EST are deemed to
>     > be necessary by BRSKI (outside of ANI devices. the requirements for ANI devices
>     > are listed above).
> 
> I think that this should be left to other users.

Rephrase ? Don't understand what this means (especially users). "other authors" ? "other docs" ?

Maybe just: 

BRSKI does not mandate EST client certificate enrolment except for ANI devices.
Considerations for complete solutions using Pledges that only perform Request Voucher
and CA Certificates request, but no EST client certificate enrolment are
outside the scope of this document / subject to future work.


> I am going to push the -11 with these changes, and the ones from last week.

Thanks!

Cheers
    Toerless

> I acknowledge that I still have a bunch of edits from the rest of your message.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 



> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima


-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email