Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

"Peinado, German (Nokia - PL/Wroclaw)" <german.peinado@nokia.com> Tue, 23 August 2022 16:54 UTC

From: "Peinado, German (Nokia - PL/Wroclaw)" <german.peinado@nokia.com>
To: Russ Housley <housley@vigilsec.com>
CC: tirumal reddy <kondtir@gmail.com>, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes
Date: Tue, 23 Aug 2022 16:53:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/NQ8wIkaUDkPNRYASAnBtX_CieHU>

Russ:

SA3 meeting is ongoing, and it is an e-meeting. Let's wait until the end of the week when the meeting finishes.

Thanks,
German

From: Russ Housley <housley@vigilsec.com>
Sent: Tuesday, August 23, 2022 5:50 PM
To: Peinado, German (Nokia - PL/Wroclaw) <german.peinado@nokia.com>
Cc: tirumal reddy <kondtir@gmail.com>; Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

German:

Has the discussion taken place?  If not, how much additional time is needed?

Russ



On Aug 11, 2022, at 7:40 AM, Peinado, German (Nokia - PL/Wroclaw) <german.peinado@nokia.com> wrote:

Russ:

Thanks for the feedback.

Regarding my request to let SA3 discuss this draft and consequently to postpone the current deadline for voicing support or opposition to adoption of the draft, does it sound reasonable and beneficial?

Thanks,
German

From: Russ Housley <housley@vigilsec.com>
Sent: Wednesday, August 10, 2022 5:37 PM
To: Peinado, German (Nokia - PL/Wroclaw) <german.peinado@nokia.com>
Cc: tirumal reddy <kondtir@gmail.com>; Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes


German:

Yes, I agree that it is clear that this extension is expected to be used in a PKI that is internal to the 5G provider.

Russ




On Aug 10, 2022, at 3:34 AM, Peinado, German (Nokia - PL/Wroclaw) <german.peinado@nokia.com> wrote:

Dear All,

My name is German Peinado, and I work at Nokia as an SA3 delegate in 3GPP. As rapporteur of the new SID TR 33.876 in Rel-18, this topic caught.

I agree with Tomas in his observation related to publicly trusted WebPKI CAs vs. internal CAs typically used in 3GPP networks. Thus, it would be good to make this assumption explicit in the draft as suggested by Tiru.

The relevant document for the guard related to the usage of vendor certificates is TS 33.310 (NDS/AF). However, this guard is not really applicable or valid in the SBA scenario for 5G Core Network Functions, which are basically virtual network functions. The usage of vendor certificates as a trust anchor to establish initial trust with the CA was designed for base stations in LTE times, and adopted in 5G for physical base stations. This is an issue we are currently studying in TR 33.876.

The overall draft looks quite straightforward, and of course relevant for the 5G Network Functions. A colleague from Ericsson in SA3 is proposing a discussion paper in the upcoming SA3 meeting on 22nd-26th of August where this paper is mentioned to address one current format issue. Since this draft addresses a valid topic related to the certs used in 5G network functions as specified in 3GPP, I would kindly ask this group to allow at least one round of discussion in SA3 on this draft in the upcoming SA3 meeting, and consequently to postpone by a few weeks the current deadline (22.08) to voice support or opposition to adoption of the draft. That way, you would receive feedback on it from SA3.

Does it make sense for the group?

Thanks,
German


From: Spasm <spasm-bounces@ietf.org> On Behalf Of tirumal reddy
Sent: Wednesday, August 10, 2022 8:55 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
Cc: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

On Wed, 10 Aug 2022 at 12:02, Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> wrote:
I don't think 3GPP networks will make use of certificate transparency logs. These are internal telco networks and will not use publicly trusted WebPKI CAs for issuing TLS certificates. I don't think publicly trusted CAs could even issue these certificates as it may contain other information than what's allowed by Baseline Requirements, such as internal hostnames/IPs.

Thanks. Please update the draft to say the deployment model uses an internal CA and not a public WebPKI CA.


There are some guards against malicious network functions built into the 3GPP specification, by the usage of vendor certificates for authenticating the network functions the MNO plans to put into its network.

A pointer to the relevant document will be helpful.

-Tiru


Cheers,
Tomas

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Sent: Wednesday, August 10, 2022 7:22 AM
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-housley-lamps-3g-nftypes

Hi Russ,

Please see inline

On Mon, 8 Aug 2022 at 21:01, Russ Housley <housley@vigilsec.com> wrote:
Tiru:

1. Yes, this is a good topic to expand the Security Considerations.

2. This seems pretty obvious to me, but I will think about a sentence or two for a more complete explanation.

Thanks. You may want to also discuss the privacy and security implications of using NFType in the certificate extension for RBAC. For example (1) If TLS 1.2 is used by network functions, pervasive monitoring is possible for an attacker to identify the NFTypes visible in the TLS handshake and can potentially target a specific NFType (e.g., subject to DDoS or launch a targeted attack). (3) Misuse of NFType to gain additional privileges and what are the potential remediation techniques?

Yes, the certificate is plaintext when TLS 1.2 is used, and it is encrypted when TLS 1.3 or IKEv2 is used.

In TLS 1.3 (without encrypted client hello), SNI will not be encrypted and it is possible for an attacker to get the certificate content from certificate transparency logs to identify the NFTypes associated with the FQDN.


I'm not sure what you mean about misuse of the NFType.  Are you talking about the trusted CA putting the wrong NFType in the certificate?

No, a trusted CA may not inject a wrong NFType, and it can be validated by the network function sending the CSR to the CA.
I meant the NFTypes and FQDN of network functions will be available in the certificate transparency logs. It exposes the internal/external network functions details to anyone on the Internet. It may also be possible for an internal attacker to host a malicious network function and misuse the NFType to gain additional privileges.

Cheers,
-Tiru

Russ

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
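Two of the relying-party checks raised in the Tiru/Russ exchange above (the requesting network function confirming the CA issued exactly the NFTypes it asked for, and a peer enforcing an allowlist so an unexpected NFType grants no extra privileges), written out as an added example that is not code from the thread or from the draft. It assumes the extension value is a DER SEQUENCE OF IA5String, keeps lengths in DER short form, and uses a constructed allowlist of NF types; the extension OID itself is not needed for these checks and is left out.

```python
# Added example (not from the thread or the draft): minimal DER handling for an
# NFTypes extension value plus the two relying-party checks the thread discusses:
# (1) the NF that sent the CSR verifies the CA did not alter its NFTypes,
# (2) a peer enforces an allowlist so an unexpected NFType grants no extra privileges.
# ASSUMPTION: NFTypes is encoded as SEQUENCE OF IA5String; lengths kept < 128 bytes.

ALLOWED_NFTYPES = frozenset({"AMF", "SMF", "UDM", "AUSF", "NRF", "PCF"})  # constructed allowlist

def _tlv(tag, body):
    """Encode one DER TLV using a short-form length (body must be < 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body

def encode_nftypes(nftypes):
    """Encode a non-empty list of NFType strings as DER SEQUENCE OF IA5String."""
    if not nftypes:
        raise ValueError("NFTypes must contain at least one NFType")
    body = b"".join(_tlv(0x16, n.encode("ascii")) for n in nftypes)  # 0x16 = IA5String
    return _tlv(0x30, body)  # 0x30 = SEQUENCE

def decode_nftypes(der):
    """Strictly decode DER SEQUENCE OF IA5String; reject any other shape."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 128 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER SEQUENCE")
    body, out, i = der[2:], [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i] != 0x16:
            raise ValueError("expected IA5String element")
        n = body[i + 1]
        if n == 0 or n > 32 or i + 2 + n > len(body):
            raise ValueError("bad IA5String length")
        out.append(body[i + 2:i + 2 + n].decode("ascii"))  # non-ASCII bytes raise here
        i += 2 + n
    if not out:
        raise ValueError("empty NFTypes")
    return out

def issued_matches_request(csr_ext, cert_ext):
    """Check (1): the issued extension carries exactly the NFTypes the CSR requested."""
    return decode_nftypes(csr_ext) == decode_nftypes(cert_ext)

def authorize_peer(cert_ext, allowed=ALLOWED_NFTYPES):
    """Check (2): return the peer's NFTypes only if every one is on the allowlist."""
    types = decode_nftypes(cert_ext)
    unknown = [t for t in types if t not in allowed]
    if unknown:
        raise PermissionError(f"unexpected NFType(s) in peer certificate: {unknown}")
    return types
```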