Hello Michael, Looking at text in 5.6.2 of BRSKI:
The 'pinned-domain-cert' is not a complete distribution of the [RFC7030] section 4.1.3 CA Certificate Response, which is an additional justification for the recommendation to proceed with EST key management operations. Once a full CA Certificate Response is obtained it is more authoritative for the domain than the limited 'pinned-domain-cert' response. Which basically says that the Domain CA cert (that is present as 'pinned-domain-cert') is a sort of partial response to the CA Certificates Response of EST. So, the Domain CA cert must be included in the full CA Certificate Response. Suppose the full response does not contain Domain CA cert. If the Pledge receives the full response and - as stated in above text - replaces the limited response (with Domain CA) with the more authoritative full response (without Domain CA cert) then it would have to discard its Domain CA cert! That's not wanted in this case. So from this I would conclude that Domain CA cert needs to be in the (full) CA Certificates Response of EST. Another angle to consider is the following: by design, the pinned-domain-cert is in BRSKI a Domain CA cert (i.e. it must be a CA). Why would any CA certificate not be included in the list of CA certificates, that is given by the CA Certificates Response? Third, in Section 5.9.1.: The pledge SHOULD request the full EST Distribution of CA Certificates message. See RFC7030, section 4.1. This ensures that the pledge has the complete set of current CA certificates beyond the pinned-domain-cert This suggests that pinned-domain-cert is part of the complete set of current CA certificates. RFC 7030 is not fully clear to me regarding our question - there are requirements on what should be included in the message; let's assume that the EST server certificate is a subordinate CA; then the RFC states in 4.1.3: if the EST CA is a subordinate CA, then all the appropriate subordinate CA certificates necessary to build a chain to the root EST CA are included in the response. It is unclear if the EST CA's own certificate must be included or not in order to build the chain. In other words if the chain is X (subordinate CA) -> Y (subordinate CA) -> Z (root CA) then does it include only Y / Z or all of X / Y / Z ? Still, overall it would be strange to exclude Domain CA, as it is part of the full set of CA certificates, and because the "full response" would replace the single pinned Domain CA cert as indicated in BRSKI. Best regards Esko -----Original Message----- From: Anima <anima-boun...@ietf.org> On Behalf Of Michael Richardson Sent: Monday, March 23, 2020 20:25 To: M. Ranganathan <mra...@gmail.com>; iot-onboard...@ietf.org Cc: anima@ietf.org Subject: Re: [Anima] [Iot-onboarding] EST CACerts and Pinned Domain Certificate M. Ranganathan <mra...@gmail.com> wrote: > Consider an integrated BRSKI-EST server. The pledge bootstraps and gets the > pinned domain certificate. Then the pledge queries EST for the ca-certs. Is > it correct to require that the pinned domain cert must be present in the > CACerts collection returned by the EST server when the pledge does a > cacerts query (but can include additional certificates) ? No, I don't think that the specific cert needs to be in the cacert set. 1) It makes sense that a trust anchor(s) returned ought to validate the pinned domain cert. This is because a certificate renewal operation needs to connect to the EST server correctly. Obviously, in a very degenerate case, there is only the one owner certificate, and it is used for everything. section 3.3 of draft-richardson-anima-registrar-considerations suggests that, and I include the text at the bottom. 2) The pinned-domain cert is validated by the pledge using the voucher. It does not need to be validatable via the cacerts for BRSKI-EST to work, provided that the TLS connection is never broken. (If the TLS connection is broken, then the enrollment should restart. We considered many ways around this, but I think in the end, we decided not to do this. HTTP/1.1+ persistent connections or die) === 3.3. Home Network Home networks and small offices that use residential class equipment are the most challenging situation. The three-tier PKI architecture is not justified because the ability to keep the root CA offline has no operational value. The home network registrar should be initialized with a single key pair used as the certificate authority. Secret splitting is useful in order to save the generated key with a few neighbours. It is recommended that the entire PKI system database (including CA private key) be encrypted with a symmetric key and the results made available regularly for download to a variety of devices. The symmetric key is split among the neighbours. The most difficult part of the Home Network PKI and Registrar is where to locate it. Generally it should be located on a device that is fully owned by the home user. This is sometimes the Home Router, but in a lot of situations the Home Router is the ISP's CPE router. If the home has a Network Attached Storage (NAS) system, then running it there is probably better. A compromise for CPE devices owned by the ISP that can run containers is for the Registrar to be located on detachable storage that is inserted into the CPE. The detachable storage is owned by the home owner, and can be removed from the CPE device if it is replaced. More experience will be necessary in order to determine if this is a workable solution. -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- _______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima