Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

Michael Richardson <> Mon, 12 August 2019 22:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C582F120996; Mon, 12 Aug 2019 15:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WVaQJBULtyI9; Mon, 12 Aug 2019 15:25:09 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 65085120DA5; Mon, 12 Aug 2019 14:29:14 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id CF73B3818D; Mon, 12 Aug 2019 17:28:26 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id AEAA69A; Mon, 12 Aug 2019 17:29:11 -0400 (EDT)
From: Michael Richardson <>
To: "" <>, Jack Visoky <>
cc: "Randy Armstrong (OPC)" <>, "" <>
In-Reply-To: <>
References: <> <> <> <> <11781.1565189957@localhost> <> <> <4671.1565279232@localhost> <> <> <19592.1565471757@localhost> <> <15583.1565485709@localhost> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 12 Aug 2019 17:29:11 -0400
Message-ID: <17156.1565645351@localhost>
Archived-At: <>
Subject: Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 12 Aug 2019 22:25:13 -0000

Jack Visoky <> wrote:
    >> I think so; there are some details of resale that BRSKI would like to
    >> make out-of-scope for the first document.  Some way, we have to deal
    >> with it, and I would actually like feedback from OPC about the
    >> parameters of different solutions here. 

    > So in this case would the MASA need to be OPC specific, that is, use
    > OPC Security and OPC methods?  Apologies if I'm getting ahead of myself
    > on this conversation.

I don't think that the MASA would be OPC specific.

The Registrar would have to speak the OPC security rather than HTTPS on the
plant side.  The Registrar would still speak HTTPS to the MASA.

This is what we have done in draft-ietf-anima-constrained-voucher:
  it speaks CoAPS (CoAP over DTLS) or OSCORE-EDHOC (CoAP with OSCORE, keyed
  by EDHOC) on the plant side, and HTTPS to the Registrar.

There are (at least) two major ways to build a Registrar.
1) a single monolithic application framework, it receives
   the voucher-request, and then does a synchronous HTTPS request to the MASA.
   (Perhaps doing 100-Continue).

2) The other way is for the pledge-facing part of the Registrar to put it all
   into a database, return 202, and wait for another query.  Asynchronously some
   other part sends requests to the MASA and stores the answers back in the
   database.  Perhaps the only thing connecting the two parts is some
   multi-master database replication...

Case 1 is appropriate up to a certain level of load and complexity.
It's certainly way easier to test!

Case 2 has scaling advantages, some security advantages, and also makes it
way easier to build different plant facing interfaces.

I believe that all implementations are case 1 so far.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]        |   ruby on rails    [