Hi Michael,
>> Skimming quickly, I see now the direction to go to a cloud registrar to >> be redirected to a local registrar. I feel compelled to point out that >> this is exactly what SZTP (RFC 8572) does, or at least, supports. >> Actually, as a more general statement, it was originally said that the >> two WG's approaches were different, but they are now becoming more and >> more alike. Well, since SZTP is published already, it's more like the >> ANIMA approach is becoming more like SZTP, albeit seemingly with more >> complexity. > > SZTP does not directly result in the same mutually authenticated TLS (EST) > connection to a Registrar that BRSKI does. This was not an explicit SZTP > goal. It's true that EST isn't used, but there is a mutually-authenticated TLS connection to the SZTP bootstrap server, which is effectively the same as BRSKI's Registrar. > What it could do though, is to provide a source of (secure) bootstrap > configuration in which such a connection could be initiated. In my mind, > I see a fragment of signed JUNOS, IOS (CISCO, not Apple), etc. CLI > configuration that initiates the connection. Such a thing would not be > standardized. > But, I would think that this is exactly the kind of thing that could > be encoded in YANG. Indeed, this what RFC 8572 describes (in section 5.6 and also in C.3, item #3) and the primary motivation behind https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-server <https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-server> and https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server <https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server>. > My understanding of https://tools.ietf.org/html/draft-ietf-netconf-keystore > is that it would provided for Registrar initiated (PUSH) updating of device > certificates, but would not provide a way for a device to initiate (PULL) to > a securely identified EST server. Sounds correct, but clarifying: 1) the current keystore model is all about enabling a controller/NMS application to configure/set/push keys and associated end-entity certificates to a device. 2) there is a suggestion that the keystore model could/should be extended to support ACME (or similar), in which case one might claim that the device had "pulled" an end-entity certificate from a "securely identified server" (dropping the "EST" part). 3) the truststore model (draft-ietf-netconf-trust-anchors) can be used by a controller/NMS application to configure/set/push trust-anchor certs used, e.g., to verify a remote server's end-entity certificate. Cheers, Kent
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
