Re: [6tisch] xxx-bootstrap

Michael Richardson Wed, 30 Nov 2016 16:19:17 -0800

Hi, I haven't read the entire thread yet, but I wanted to pull out another
email from a private thread about some ideas I had before I forgot.


This would be the phase 1.  Now that I understand more about EDHOC,
I think that the certificate exchange and EDHOC setup would occur
at the GET /nonce phase.

Peter, if this is what you have in mind, then let's develop one of the
EST/CoAP drafts into saying this.

====

I am thinking about if we can come up with a mechanism that can be driven by
either side, which uses the same protocol and message encodings.
I had been thinking last night that CMS was getting in the way, but I
think that actually that's probably not the case; we are going to use
pkcs7/11 anyway, and if that's really the extent of it, then no big deal.

I'm trying to find a way to merge this into netconf-keystore essentially, and
that document is not really particular about the formats.

I'm looking at draft-ietf-anima-bootstrapping-keyinfra-04 section 5.7,
and EST section 4.

I imagine that one can reverse the process in 6tisch, and we could POST
From the JCE to client /cacerts, etc...

So, if the straight EST process looks like:

    new-node                     registrar
         POST /requestaudittoken-->     [includes nonce]
         <--- 200 OK + audit token-     [section 5.2]

         GET /cacerts ----------->
         <--- domain certificate--     (application/pkcs7-mime,
                                        CMC Simple PKI RESPONSE)
         GET /csrattrs ---------->
         <--- app/csrattrs -------     [ASN as per 7030]

         POST /simpleenroll------>     (PKCS#10 Cert Req)
         <--- LDevID cert---------     (pkcs7)


Then the JCE driven process should instead look like:

    pledge                       JCE
         <--- CoAP GET /nonce-----
         ----- 200 OK, nonce ---->     [could be empty if nonce

         <--- CoAP POST /voucher--     {audit token or ownership voucher}
         ----- 200 OK------------>     [or 4xx or 5xx code! ]

         <--- CoAP POST /cacerts--     [block-transfer]  [maybe not??]
                                       (application/pkcs7-mime,
                                        CMC Simple PKI RESPONSE)
         ----200 OK-------------->

         <--- CoAP POST /csrattrs-     [ASN as per 7030]
         ----200 OK-------------->

         <--- CoAP GET  /csr------
         ----200 OK ---PKCS10 ----     [PKCS#10 Cert Req]

         <--- CoAP POST /cert-----     [PKCS7 Certificate]
         ----200 OK --------------

Except that ideally, the above would be described in YANG with Kent's help
in netconf-keystore.
(Pascal, in our SoW #7, the above protocol would be Deliverable 3, btw)



--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

signature.asc
Description: PGP signature

_______________________________________________
6tisch mailing list
6tisch@ietf.org
https://www.ietf.org/mailman/listinfo/6tisch

Re: [6tisch] xxx-bootstrap

Reply via email to