[Iotops] ACME integrations with BRSKI and the cmcRA EKU

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 04 December 2020 20:33 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 89C433A0FBD; Fri, 4 Dec 2020 12:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id R0DleDaZdIc4; Fri, 4 Dec 2020 12:33:09 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BF993A0BB1; Fri, 4 Dec 2020 12:33:07 -0800 (PST)
Received: from localhost (localhost []) by tuna.sandelman.ca (Postfix) with ESMTP id B87A7389C1; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from tuna.sandelman.ca ([]) by localhost (localhost []) (amavisd-new, port 10024) with LMTP id 63B-3cV-Dm3g; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca []) by tuna.sandelman.ca (Postfix) with ESMTP id 24E9B389BE; Fri, 4 Dec 2020 15:35:03 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1A5BB1FB; Fri, 4 Dec 2020 15:33:06 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org, acme@ietf.org, iot-onboarding@ietf.org, iotops@ietf.org, lamps@ietf.org
cc: "Max Pritikin (pritikin)" <pritikin@cisco.com>
In-Reply-To: <CY4PR11MB1685A60B58D9CB1269978B5ADBE10@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu> <600.1585687336@localhost> <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <5633.1585770340@localhost> <AM5P190MB027524F2D1530746DD48C4DDFDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <13227.1586052088@localhost> <AM5P190MB0275BA7298686DBADD31F0A3FDC20@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <14837.1586479192@localhost> <AM5P190MB027501C1759C042E54C40137FDD40@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CY4PR11MB1685181D4456431F05071D05DBE90@CY4PR11MB1685.namprd11.prod.outlook.com> <23785.1605650162@localhost> <CY4PR11MB1685A60B58D9CB1269978B5ADBE10@CY4PR11MB1685.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 04 Dec 2020 15:33:06 -0500
Message-ID: <26304.1607113986@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/gGnaKgGkBDCILdZ6blaGnsgee6E>
Subject: [Iotops] ACME integrations with BRSKI and the cmcRA EKU
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 20:33:12 -0000

Please excuse the long intro.
Due to the cross-post, I want to make sure that everyone has the right context.

draft-ietf-acme-integrations proposes some best practices on how to use an
ACME certification authority like LetsEncrypt with an onboarding protocol
like BRSKI (draft-ietf-anima-bootstrapping-keyinfra)

BRSKI is based upon RFC7030 -- Enrollment over Secure Transport.
(One of three methods the IETF has, including CMP and now SCEP)
A "burden" of using BRSKI is that there are two (possibly private) PKIs: one
run my the manufacturer, and one run by (or for) the owner.
{ draft-richardson-t2trg-idevid-considerations and
draft-richardson-anima-masa-considerations is about the manufacturer PKI }

BRSKI is essentially the authorized replacement of a device's manufacturer
identity with a local identity.   This protocol (and others like it) are
critical to having true ownership of devices.

The ACME integration document lightens some of the burden of having the
operator run PKI in smaller environments.
It does not remove the necessicity of having some kind of "home base" which
will manage the enrollment.  The converged 6tisch/BRSKI term for this is JRC,
R being for Registrar.

RFC7030 defines the cmcRA EKU.  The Registrar's EE certificate is supposed to
have this bit set.  This is an indication that the Certification Authority
has effectively authorized that Registrar as legitimate.
If not for this bit, then a peer in the same CA could claim to be a
Registrar, and then could (re-)enroll entities into a different CA.

For the Autonomic Control Plane (ACP/ANIMA) use of BRSKI, this would be a
problem, and draft-ietf-anima-autonomic-control-plane section 6.2.5 discusses
this.   The ACP determines where the edges of the domain are by looking for
nodes that share the same CA.  Homenet participants will remember that
determining the perimiter of the (home) domain was a problem.

Now, if a "public" CA is used via ACME, such as LetsEncrypt, then the
edge-of-domain checks become meaningless.
This is likely not a problem for many of the IoT uses of BRSKI that would
benefit from draft-ietf-acme-integrations, as they don't need/want to form an

A Registrar that uses RFC8555 to talk to it's CA could have three different
kinds of anchors:
1) it could use an RFC8555/ACME EE certificate that it obtained for itself.
   In that case, the cmcRA bit is most likely not set.

2) it could have a self-signed EE certificate, where the cmcRA bit could in
   fact be set. {Would it have any real meaning?}

3) it could use a raw-public-key.

The RFC8366 voucher system can cope with of these three things.
BRSKI does not require that the Registrar have a publically validatable EE certificate.
(nor does it forbid it)
Note that MASA can in fact evaluate these things!
The question whether there might be some rules that I haven't thought about.

One thing that occurs to me that a pledge which *can* form an ACP, probably
should *not* if the cmcRA bit is not set.  Or perhaps, the MASA should do
this evaluation, and should a TBD attribute in the voucher.

One thought that I had was whether ACME/8555 uses like envisioned in
draft-friel-acme-subdomains-03 could/should allow the entity requesting
authorization for a subdomain to request an EE certificate for the apex of
that zone with some bit set.  Would some kind of qualified cmcRA EKU make sense?

ofriel> Is this pretty much true for both self-signed and private-CA signed
ofriel> registrar certs? The pinned-domain-cert in the voucher could be EE or
ofriel> CA cert, and in either case it’s the MASA that tells the pledge to
ofriel> trust it. As long as the cert (EE or CA) is added to the trust store
ofriel> of the pledge, you would need different pledge logic to check '(if RA
ofriel> cert == self-signed then ignore cmcRA) else (if RA cert == EE cert
ofriel> then check cmcRA) which seems clunky.

ofriel> And as I believe you cannot get cmcRA from a public CA today, we
ofriel> don’t even have the halfway house of getting the RA EE cert manually
ofriel> from a public CA with the cmcRA EKU set, but automating the bluk
ofriel> pledge certs via ACME.

ofriel> Seems like mixing two sort of orthogonal things - subdomains and cmcRA..

Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide