IETF Logo Mail Archive

Re: [Iot-onboarding] [Anima] Device Certificate Deployment Automation with ACME using BRSKI

Kent Watsen <kent+ietf@watsen.net> Tue, 06 August 2019 15:01 UTC

Return-Path: <0100016c6772e4e8-8ce5598b-2c2a-488e-b7c2-414d9003e46b-000000@amazonses.watsen.net>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EC1812019B; Tue, 6 Aug 2019 08:01:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLJf-LyJo56z; Tue, 6 Aug 2019 08:01:20 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143AB12018A; Tue, 6 Aug 2019 08:01:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1565103678; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=10RPUjtxgY/Jx9PmgQE0WMM0xMAnbX5UNPbYvNcONno=; b=Q9FB6YAakSEXaJ1Th8u2rF+ijo+9DpV1v8EMHMBRxfrDsEGFRmWSqYRmNqTZ2jQi GbO1iCDNT2dLzXK2U7U8qZ9WcIypn0EKRZ0oZoLCfUOyL112ZQbYkdK6y6DB2+YQk0g 1tDJRBNwT5JJiP4VO7QpvtEhkESXq/VIIHn5Xy5w=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016c6772e4e8-8ce5598b-2c2a-488e-b7c2-414d9003e46b-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2D5531B2-9AD8-4829-8137-2C9730C89108"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 06 Aug 2019 15:01:18 +0000
In-Reply-To: <DM6PR11MB33851A9026943624FC5BD478DBD50@DM6PR11MB3385.namprd11.prod.outlook.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "anima@ietf.org" <anima@ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
References: <CAGL6epJRmAvDB4=M6RiQaC93wvy1XDgcbhOmuKUtqmEhBWC72w@mail.gmail.com> <DM6PR11MB3385FD834E826E25160B53AADBD50@DM6PR11MB3385.namprd11.prod.outlook.com> <DM6PR11MB33851A9026943624FC5BD478DBD50@DM6PR11MB3385.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.08.06-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/50MNU8_cNeujNHmlgCkNi8WfzAc>
Subject: Re: [Iot-onboarding] [Anima] Device Certificate Deployment Automation with ACME using BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 15:01:22 -0000

Skimming quickly, I see now the direction to go to a cloud registrar to be redirected to a local registrar.  I feel compelled to point out that this is exactly what SZTP (RFC 8572) does, or at least, supports.  Actually, as a more general statement, it was originally said that the two WG's approaches were different, but they are now becoming more and more alike.  Well, since SZTP is published already, it's more like the ANIMA approach is becoming more like SZTP, albeit seemingly with more complexity.

Regarding ACME integration during bootstrap, I think the basic desire is to configure a device to obtain a certificate via ACME, configuration which so happens to be provided at the time of the bootstrap event, but could also happen at anytime thereafter.   Support for such configuration should be added to https://tools.ietf.org/html/draft-ietf-netconf-keystore <https://tools.ietf.org/html/draft-ietf-netconf-keystore>.   

Kent



> On Aug 6, 2019, at 10:37 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> 
> FYI, Its up on github now:
>  
> https://github.com/upros/brski-cloud <https://github.com/upros/brski-cloud>
>  
>  
> From: Anima <anima-bounces@ietf.org <mailto:anima-bounces@ietf.org>> On Behalf Of Owen Friel (ofriel)
> Sent: 06 August 2019 14:05
> To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com <mailto:rifaat.ietf@gmail.com>>; anima@ietf.org <mailto:anima@ietf.org>; iot-onboarding@ietf.org <mailto:iot-onboarding@ietf.org>
> Subject: Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI
>  
> Hi guys,
>  
> After the meeting and from corridor conversations with Toerless, I had actually already started on such a draft.
>  
> What I have started so far is attached. Its not on a public repo yet, but will put it there. You are already named on it Rifaat, happy to add you too Michael and you can help figure out some of the open redirect options outlined in it J
>  
> My high level thoughts on this were to keep the ACME specifics out of the draft, and use the draft to define the cloud RA behaviour, and the pledge behaviour when interacting with the cloud RA, and the various cert, CA, TLS, redirect, etc. details. The fact that the RA (whether cloud or local) *may* use ACME to talk to the CA is transparent to the pledge.
>  
> I was thinking that the ACME specifics could be covered in a different draft based on mergingdraft-yusef-acme-3rd-party-device-attestation and draft-friel-acme-integrations, but leave the BRSKI clarifications/specifics in this one.
>  
> Thoughts?
> Owen
>  
>  
>  
>  
> From: Iot-onboarding <iot-onboarding-bounces@ietf.org <mailto:iot-onboarding-bounces@ietf.org>> On Behalf Of Rifaat Shekh-Yusef
> Sent: 02 August 2019 19:09
> To: anima@ietf.org <mailto:anima@ietf.org>; iot-onboarding@ietf.org <mailto:iot-onboarding@ietf.org>
> Subject: [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI
>  
> All,
>  
> During the last IETF meeting in Montreal we had a side meeting to discuss the 
> deployment automation of ACME issued certificates to devices, and the potential 
> use of the BRSKI mechanism to help with this. It was clear from the discussion 
> that BRSKI can be used to help address this use case, and that further discussion is 
> needed to define the needed enhancements to BRSKI.
> 
> The current BRSKI mechanism only briefly discusses the Cloud Registrar option in 
> section 2.7, which could be used to help address this use case.
> 
> Michael Richardson and I had another meeting over lunch yesterday to further 
> discuss this and we decided to work on a new draft to describe the issue and 
> define a solution.
> 
> Because of vacations and other commitments, we will try to publish the first 
> version of the draft early October.
> 
> Regards,
>  Rifaat & Michael  
> _______________________________________________
> Anima mailing list
> Anima@ietf.org <mailto:Anima@ietf.org>
> https://www.ietf.org/mailman/listinfo/anima <https://www.ietf.org/mailman/listinfo/anima>

v2.23.0 | Report a Bug | By Email