RE: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

"Owen Friel (ofriel)" <ofriel@cisco.com> Thu, 13 June 2019 12:01 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "ietf@ietf.org" <ietf@ietf.org>, IETF-Announce <ietf-announce@ietf.org>
CC: "ibagdona@gmail.com" <ibagdona@gmail.com>, "draft-ietf-anima-bootstrapping-keyinfra@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra@ietf.org>, "anima@ietf.org" <anima@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>
Subject: RE: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard
Thread-Topic: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard
Thread-Index: AQHVEBsofBre3RTjrUagbjUqNxTB/qaZnrzA
Date: Thu, 13 Jun 2019 12:00:58 +0000
Message-ID: <DM6PR11MB3385616C4FB4DF6F6314B737DBEF0@DM6PR11MB3385.namprd11.prod.outlook.com>
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com>
In-Reply-To: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/w-WHJtLnozpDDaBiTxK17euprT0>

Hi,
Late feedback, but it's ambiguous in the draft how vendor default Cloud Registrar https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-2.7 and redirects as described in https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-5.6 should interact.

Should the cloud registrar redirect immediately in response to the voucher request, so that the pledge then sends the voucher request via a local domain RA?
Should the cloud registrar issue a voucher, and then the redirect happens during the EST enrol flow?
When redirected, what trust anchor database should the pledge use?

It seems like:
- the cloud registrar should redirect to the local Registrar immediately and not issue a voucher (and this assumes a level of sales channel integration / ownership tracking so that the cloud registrar knows which registrar owns the pledge)
- the pledge should use the implicit trust anchor database for the initial connection to the cloud registrar, but then revert to standard provisional TLS connection for the initial connection to the local Registrar
- the pledge may include a proximity-registrar-cert in the new voucher request to the local Registrar

Doing the redirect immediately facilitates proximity assertions in the voucher request and associated audit logs in the MASA, and allows the MASA to discover the local domain CA from the voucher request signature. Maybe a clarifying sentence in section 2.7 would help?
Regards,
Owen

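The interaction Owen sketches in his three bullets, written out as a pledge-side model (an added illustration; this is not code from the BRSKI draft or from anyone on the thread). Certificates, vouchers and TLS are simplified stand-ins: a certificate is a subject plus the name of its issuing CA, there is no X.509 parsing or CMS signing, and the CA names, URLs and serial numbers are constructed. The flow encodes the proposed reading as an assumption about the draft, not as what the draft says: the cloud registrar answers the first voucher request with a 307 redirect and no voucher, the pledge validates the cloud registrar only against its manufacturer-installed (implicit) trust anchors, the local Registrar is reached over a provisional TLS connection whose certificate is carried as proximity-registrar-cert in the new voucher request, and the provisional connection is confirmed only when the returned voucher's pinned-domain-cert matches the CA that issued the Registrar certificate.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Simplified stand-ins for X.509 certificates and HTTP responses; added example,
# not the draft's data model. A cert here is a subject plus its issuing CA name.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # name of the issuing CA; stands in for the whole chain


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on a 307 redirect
    voucher: Optional[dict] = None  # set when a voucher is issued


# A registrar is its TLS server certificate plus a handler for voucher requests.
Registrar = Tuple[Cert, Callable[[dict], Response]]


class TrustError(Exception):
    pass


class Pledge:
    MAX_REDIRECTS = 3

    def __init__(self, serial: str, implicit_trust_anchors: Set[str]):
        self.serial = serial
        self.implicit_trust_anchors = implicit_trust_anchors
        self.provisional_cert: Optional[Cert] = None
        self.trace: List[str] = []

    def _connect(self, url: str, cert: Cert, mode: str) -> None:
        if mode == "implicit":
            # Vendor-default cloud registrar: validate like an ordinary TLS client,
            # against the manufacturer-installed trust anchor database only.
            if cert.issuer not in self.implicit_trust_anchors:
                raise TrustError(f"{url}: issuer {cert.issuer!r} is not an implicit trust anchor")
            self.trace.append(f"implicit-TLS {url}")
        elif mode == "provisional":
            # Local Registrar: accept the certificate provisionally, keep it so the
            # voucher request can carry it as proximity-registrar-cert, and defer
            # final validation to the pinned-domain-cert in the voucher.
            self.provisional_cert = cert
            self.trace.append(f"provisional-TLS {url} ({cert.subject})")
        else:
            raise ValueError(f"unknown TLS mode {mode!r}")

    def voucher_request(self) -> dict:
        body = {"serial-number": self.serial}
        if self.provisional_cert is not None:
            body["assertion"] = "proximity"
            body["proximity-registrar-cert"] = self.provisional_cert.subject
        return {"ietf-voucher-request:voucher": body}

    def bootstrap(self, start_url: str, registrars: Dict[str, Registrar]) -> dict:
        url, mode = start_url, "implicit"
        for _ in range(self.MAX_REDIRECTS + 1):
            cert, handler = registrars[url]
            self._connect(url, cert, mode)
            resp = handler(self.voucher_request())
            if resp.status == 307 and resp.location:
                # Redirect instead of a voucher: repeat the voucher request against
                # the named Registrar, now over a provisional TLS connection.
                self.trace.append(f"307 {url} -> {resp.location}")
                url, mode = resp.location, "provisional"
                continue
            if resp.status == 200 and resp.voucher is not None:
                if mode == "provisional" and resp.voucher.get("pinned-domain-cert") != cert.issuer:
                    raise TrustError("voucher does not pin the CA that issued the Registrar cert")
                return {"registrar": url, "voucher": resp.voucher, "trace": self.trace}
            raise TrustError(f"{url}: unexpected response status {resp.status}")
        raise TrustError("too many redirects")


def run_demo() -> dict:
    """Constructed scenario: the cloud registrar redirects to the owning local Registrar."""
    manufacturer_ca, domain_ca = "Example-Manufacturer-CA", "Example-Domain-CA"
    cloud_url, local_url = "https://cloud-registrar.example", "https://registrar.corp.example"
    cloud_cert = Cert("cloud-registrar.example", manufacturer_ca)
    local_cert = Cert("registrar.corp.example", domain_ca)
    requests: Dict[str, dict] = {}

    def cloud(vr: dict) -> Response:
        requests["cloud"] = vr
        return Response(307, location=local_url)  # redirect immediately, no voucher

    def local(vr: dict) -> Response:
        requests["local"] = vr
        serial = vr["ietf-voucher-request:voucher"]["serial-number"]
        return Response(200, voucher={"serial-number": serial, "assertion": "proximity",
                                      "pinned-domain-cert": domain_ca})

    pledge = Pledge("PL-0001", {manufacturer_ca})
    result = pledge.bootstrap(cloud_url, {cloud_url: (cloud_cert, cloud), local_url: (local_cert, local)})
    result["requests"] = requests
    return result


def untrusted_cloud_rejected() -> bool:
    """A cloud registrar outside the implicit trust anchors never receives a voucher request."""
    rogue_url, rogue = "https://cloud-registrar.example", Cert("cloud-registrar.example", "Unknown-CA")
    seen: List[dict] = []

    def handler(vr: dict) -> Response:
        seen.append(vr)
        return Response(307, location=rogue_url)

    try:
        Pledge("PL-0002", {"Example-Manufacturer-CA"}).bootstrap(rogue_url, {rogue_url: (rogue, handler)})
    except TrustError:
        return not seen
    return False
```

`run_demo()` returns the trace, the final voucher and both voucher requests, so one can see that the request sent to the cloud registrar carries no proximity-registrar-cert while the one sent after the redirect does, and that the returned voucher is accepted only because it pins the domain CA behind the provisional connection. `untrusted_cloud_rejected()` shows the other half of the proposal: with implicit trust anchors for the first hop, a server outside the manufacturer's anchors is refused before any voucher request leaves the pledge.
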
-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of The IESG
Sent: 21 May 2019 22:21
To: IETF-Announce <ietf-announce@ietf.org>
Cc: ibagdona@gmail.com; draft-ietf-anima-bootstrapping-keyinfra@ietf.org; anima@ietf.org; anima-chairs@ietf.org; tte+ietf@cs.fau.de
Subject: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard


The IESG has received a request from the Autonomic Networking Integrated Model and Approach WG (anima) to consider the following document:
- 'Bootstrapping Remote Secure Key Infrastructures (BRSKI)'
  <draft-ietf-anima-bootstrapping-keyinfra-20.txt> as Proposed Standard

This is a second Last Call. IoT Directorate review was done after the ANIMA WG Last Call and consensus to request the publication, and that review resulted in substantial changes to the document.

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing list by 2019-06-04. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract


   This document specifies automated bootstrapping of an Autonomic
   Control Plane.  To do this a remote secure key infrastructure (BRSKI)
   is created using manufacturer installed X.509 certificate, in
   combination with a manufacturer's authorizing service, both online
   and offline.  Bootstrapping a new device can occur using a routable
   address and a cloud service, or using only link-local connectivity,
   or on limited/disconnected networks.  Support for lower security
   models, including devices with minimal identity, is described for
   legacy reasons but not encouraged.  Bootstrapping is complete when
   the cryptographic identity of the new key infrastructure is
   successfully deployed to the device but the established secure
   connection can be used to deploy a locally issued certificate to the
   device as well.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/ballot/

The following IPR Declarations may be related to this I-D:

   https://datatracker.ietf.org/ipr/2816/
   https://datatracker.ietf.org/ipr/3233/
   https://datatracker.ietf.org/ipr/2463/



The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc8368: Using an Autonomic Control Plane for Stable Connectivity of Network Operations, Administration, and Maintenance (OAM) (Informational - IETF stream)



_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima