Hello, Just as an information, we submitted the initial draft for discussion regarding the asynchronous enrollment. It discusses a solution in which the Domain registrar has no nor temporary limited connectivity to a backend for interaction with a PKI (and potentially the MASA). I asked for a slot in the agenda to discuss the draft during the next IETF meeting.
Best regards Steffen -----Original Message----- From: [email protected] <[email protected]> Sent: Montag, 11. März 2019 10:52 To: Eliot Lear <[email protected]>; Fries, Steffen (CT RDA ITS) <[email protected]>; Brockhaus, Hendrik (CT RDA ITS SEA-DE) <[email protected]> Subject: New Version Notification for draft-fries-anima-brski-async-enroll-00.txt A new version of I-D, draft-fries-anima-brski-async-enroll-00.txt has been successfully submitted by Steffen Fries and posted to the IETF repository. Name: draft-fries-anima-brski-async-enroll Revision: 00 Title: Support of asynchronous Enrollment in BRSKI Document date: 2019-03-11 Group: Individual Submission Pages: 18 URL: https://www.ietf.org/internet-drafts/draft-fries-anima-brski-async-enroll-00.txt Status: https://datatracker.ietf.org/doc/draft-fries-anima-brski-async-enroll/ Htmlized: https://tools.ietf.org/html/draft-fries-anima-brski-async-enroll-00 Htmlized: https://datatracker.ietf.org/doc/html/draft-fries-anima-brski-async-enroll Abstract: This document discusses the enhancement of automated bootstrapping of a remote secure key infrastructure (BRSKI) to operate in domains featuring no or only timely limited connectivity to backend services offering enrollment functionality like a Public Key Infrastructure (PKI). In the context of deploying new devices the design of BRSKI allows for online (synchronous object exchange) and offline interactions (asynchronous object exchange) with a manufacturer's authorization service. It utilizes a self-contained voucher to transport the domain credentials as a signed object to establish an initial trust between the pledge and the deployment domain. The currently supported enrollment protocol for request and distribution of deployment domain specific device certificates provides only limited support for asynchronous PKI interactions. This memo motivates support of self-contained objects also for certificate management by using an abstract notation to allow off-site operation of PKI services, with only limited connectivity to the pledge deployment domain. This addresses specifically scenarios, in which the deployment domain of a pledge does not perform the final authorization of a certification request and rather delegates this decision to an operator backend. The goal is to enable the usage of existing and potentially new PKI protocols supporting self- containment for certificate management. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
