Re: [Iot-onboarding] [Anima] Device Certificate Deployment Automation with ACME using BRSKI

Kent Watsen <kent+ietf@watsen.net> Thu, 08 August 2019 17:02 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016c722e3073-8d7451d2-d6cd-41af-bf6a-98734e3b4fbd-000000@email.amazonses.com>
Date: Thu, 08 Aug 2019 17:02:05 +0000
In-Reply-To: <4129.1565213078@localhost>
Cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "anima@ietf.org" <anima@ietf.org>, Toerless Eckert <tte@cs.fau.de>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <CAGL6epJRmAvDB4=M6RiQaC93wvy1XDgcbhOmuKUtqmEhBWC72w@mail.gmail.com> <DM6PR11MB3385FD834E826E25160B53AADBD50@DM6PR11MB3385.namprd11.prod.outlook.com> <DM6PR11MB33851A9026943624FC5BD478DBD50@DM6PR11MB3385.namprd11.prod.outlook.com> <0100016c6772e4e8-8ce5598b-2c2a-488e-b7c2-414d9003e46b-000000@email.amazonses.com> <20190806221242.4j7eprxeklup5c3m@faui48f.informatik.uni-erlangen.de> <0100016c6968e7a2-4acac184-768f-4971-8b4f-459165f0aa4f-000000@email.amazonses.com> <4129.1565213078@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/LOUAgMLClSxZkROpnoDOh8AonSQ>

> Kent Watsen <kent+ietf@watsen.net> wrote:
>> True, but it seems that getting a domain certificate and getting an
>> initial configuration are at least two distinct steps in ANIMA, whereas
>> they're rolled into one step with SZTP.
> 
> I'm missing where SZTP gets a domain certificate in a standard way.
> 
> I totally see how it gets initial configuration though.
> I also see how that initial configuration can be caused to do an enrollment,
> by leveraging some specific, vendor-specific, configuration command.

I think your understanding is complete.  

There isn't a single "domain certificate".   Instead, there are:

1) certificates pledges use during the bootstrap process, which may be either:
   a) used to authenticate bootstrap servers; these certificates are learned via SZTP "redirect information", or
   b) used to authenticate owner certificates; these certificates are learned via the ownership voucher (RFC 8366).

2) certificates pledges use to authenticate subsequent (e.g., management) connections.  These certificates may be configured, e.g., via the keystore and truststore models over NETCONF, RESTCONF, or CoAP.

So, rather than a single certificate or a single protocol, there's a collection of each, yet all defined (once all is published) via standards (not vendor-specific configuration commands).

Make sense?

Kent
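The pledge-side checks behind item 1b above, as an added example that is not part of this thread and not code from any SZTP or BRSKI implementation. It assumes a deliberately simplified voucher (a JSON body with a detached Ed25519 signature, standing in for the CMS-signed YANG JSON that RFC 8366 actually specifies) and builds a throwaway Ed25519 PKI in memory; the function names (`Bootstrap`, `AcceptVoucher`, `VerifyOwnerCert`), the serial numbers and the bootstrap payload are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Voucher is a constructed stand-in for the RFC 8366 voucher. A real voucher is
// CMS-signed YANG JSON; here the body is plain JSON plus a detached Ed25519
// signature (an assumption for brevity, not the wire format).
type Voucher struct {
	ExpiresOn        time.Time `json:"expires-on"`
	Assertion        string    `json:"assertion"`
	SerialNumber     string    `json:"serial-number"`
	PinnedDomainCert []byte    `json:"pinned-domain-cert"` // DER of the owner's CA
}

var nextSerial int64

// newCert issues an Ed25519 X.509 certificate; parent == nil means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// SignVoucher is the MASA side: bind the pledge's serial number to the owner's
// CA certificate and sign the result with the manufacturer key.
func SignVoucher(masaKey ed25519.PrivateKey, serial string, ownerCA *x509.Certificate) (body, sig []byte, err error) {
	body, err = json.Marshal(Voucher{
		ExpiresOn: time.Now().Add(24 * time.Hour), Assertion: "verified",
		SerialNumber: serial, PinnedDomainCert: ownerCA.Raw,
	})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(masaKey, body), nil
}

// AcceptVoucher is the pledge side of 1b: authenticate the voucher with the
// manufacturer-installed MASA anchor, check that it is for this device and not
// expired, and only then learn the pinned domain cert from it.
func AcceptVoucher(masaAnchor ed25519.PublicKey, mySerial string, body, sig []byte) (*x509.Certificate, error) {
	if !ed25519.Verify(masaAnchor, body, sig) {
		return nil, errors.New("voucher signature does not verify against MASA anchor")
	}
	var v Voucher
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, err
	}
	if v.SerialNumber != mySerial {
		return nil, fmt.Errorf("voucher is for serial %q, not %q", v.SerialNumber, mySerial)
	}
	if time.Now().After(v.ExpiresOn) {
		return nil, errors.New("voucher expired")
	}
	return x509.ParseCertificate(v.PinnedDomainCert)
}

// VerifyOwnerCert checks that the certificate presented during bootstrap chains
// to the pinned domain cert. ExtKeyUsageAny is set because Go's Verify would
// otherwise require id-kp-serverAuth on the leaf.
func VerifyOwnerCert(pinned, owner *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := owner.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Bootstrap runs the whole flow once and returns the first error. The flags
// inject the failure modes a pledge must reject: a tampered voucher and an
// owner certificate from a CA the voucher never pinned.
func Bootstrap(pledgeSerial, voucherSerial string, tamperVoucher, unpinnedCA bool) error {
	masaPub, masaPriv, err := ed25519.GenerateKey(rand.Reader) // manufacturer anchor burned into the pledge
	if err != nil {
		return err
	}
	ownerCA, ownerCAKey, err := newCert("Owner CA", true, nil, nil)
	if err != nil {
		return err
	}
	issuer, issuerKey := ownerCA, ownerCAKey
	if unpinnedCA {
		if issuer, issuerKey, err = newCert("Rogue CA", true, nil, nil); err != nil {
			return err
		}
	}
	ownerCert, ownerKey, err := newCert("bootstrap server (constructed)", false, issuer, issuerKey)
	if err != nil {
		return err
	}
	body, sig, err := SignVoucher(masaPriv, voucherSerial, ownerCA)
	if err != nil {
		return err
	}
	if tamperVoucher {
		body[0] ^= 0x01 // any bit flip must invalidate the MASA signature
	}
	pinned, err := AcceptVoucher(masaPub, pledgeSerial, body, sig)
	if err != nil {
		return err
	}
	if err := VerifyOwnerCert(pinned, ownerCert); err != nil {
		return err
	}
	// Only now does an owner signature over bootstrap data mean anything.
	data := []byte("constructed onboarding-information payload")
	if !ed25519.Verify(ownerCert.PublicKey.(ed25519.PublicKey), data, ed25519.Sign(ownerKey, data)) {
		return errors.New("owner signature over bootstrap data invalid")
	}
	return nil
}

func main() {
	fmt.Println("happy path:      ", Bootstrap("SN-001", "SN-001", false, false))
	fmt.Println("tampered voucher:", Bootstrap("SN-001", "SN-001", true, false))
	fmt.Println("wrong serial:    ", Bootstrap("SN-001", "SN-002", false, false))
	fmt.Println("unpinned CA:     ", Bootstrap("SN-001", "SN-001", false, true))
}
```

The ordering is the point: the pledge trusts nothing about the owner until the voucher verifies under the manufacturer anchor, and nothing about the bootstrap data until the owner certificate chains to the pinned domain cert the voucher carried. The redirect-information path (1a) is not shown; there the trust anchor comes from a previously authenticated bootstrap server rather than from the voucher.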