Hi, based on the discussion during the ANIMA session this week, we would like to discuss some open issues related to BRSKI-AE. They are also available under https://github.com/anima-wg/anima-brski-async-enroll/issues
Issue #5: Trust relation between pledge(-callee) and registrar-agent (use case 2 in the draft)

The approach in draft -01 describes the trust relation between the pledge(-callee) and registrar-agent as based on a PSK, which is used in a TLS connection establishment as a kind of proximity assertion. The PSK may be provided using a QR code on the pledge(-callee). The intention was to address potential DoS attacks on the pledge.

After further discussion, the actual target for a potential DoS is most likely the registrar and not the pledge(-callee). The pledge is also assumed to be not in operation and not providing services at this point in time.

As discussed in the ANIMA WG meeting, it is now proposed to use plain HTTP for communication between pledge(-callee) and registrar-agent. The registrar-agent can also provide data to the pledge(-callee) to be included in the pledge voucher-request; this can be verified by the registrar and by the MASA. The provided data relates to the registrar certificate, which may be included in the pledge voucher-request as a new leaf "agent-provided-registrar-certificate".

The registrar-agent supplies the pledge voucher-request to the registrar. The registrar performs acceptance checks for pledge bootstrapping in its domain based on IDevID and maybe additional pledge voucher-request payload data, as in BRSKI. After the registrar and MASA have performed the verification of the voucher-request successfully, the MASA creates a voucher to be returned to the pledge.

If the pledge voucher-request contained a registrar certificate marked as "agent-provided-registrar-certificate", existing voucher assertions "verified" or "logged" could be used, but not "proximity". Maybe a more direct indication of agent proximity would be to define a new assertion like "agent-proximity".

Any thoughts on the approach?
Best regards
Steffen

--
Steffen Fries
Siemens AG
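The assertion rule proposed in the message above, as an added example that is not part of the original message or of the BRSKI-AE draft: a MASA-side check that never grants "proximity" when the registrar certificate reached the pledge via the registrar-agent. The function names, the rejection of requests carrying both leaves, the JSON layout and the sample values are assumptions made for illustration; "proximity-registrar-cert" is the existing BRSKI leaf.

```python
import base64
import hmac

# AGENT_LEAF is the leaf name proposed in the message; PROXIMITY_LEAF is the
# existing BRSKI leaf carrying the certificate seen in the TLS handshake.
AGENT_LEAF = "agent-provided-registrar-certificate"
PROXIMITY_LEAF = "proximity-registrar-cert"


def _same_cert(b64_der, registrar_cert_der):
    """Compare a base64 DER leaf value with the forwarding registrar's certificate."""
    try:
        presented = base64.b64decode(b64_der, validate=True)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(presented, registrar_cert_der)


def allowed_assertions(voucher_request, registrar_cert_der, allow_agent_proximity=False):
    """Return the voucher assertions permitted for this request (assumed policy)."""
    body = voucher_request["ietf-voucher-request:voucher"]
    has_agent = AGENT_LEAF in body
    has_prox = PROXIMITY_LEAF in body
    if has_agent and has_prox:
        raise ValueError("ambiguous: both registrar certificate leaves present")
    if has_agent:
        if not _same_cert(body[AGENT_LEAF], registrar_cert_der):
            raise ValueError("agent-provided certificate is not this registrar's")
        # The pledge got this certificate from the agent over plain HTTP, not
        # from a TLS handshake with the registrar, so "proximity" is excluded.
        allowed = {"verified", "logged"}
        if allow_agent_proximity:
            allowed.add("agent-proximity")  # new assertion floated in the message
        return allowed
    if has_prox:
        if not _same_cert(body[PROXIMITY_LEAF], registrar_cert_der):
            raise ValueError("proximity certificate is not this registrar's")
        return {"proximity", "verified", "logged"}
    return {"verified", "logged"}


# Constructed sample: placeholder bytes stand in for a DER certificate.
REGISTRAR_DER = b"constructed-registrar-cert-der"
SAMPLE_REQUEST = {"ietf-voucher-request:voucher": {
    "serial-number": "constructed-0001",
    AGENT_LEAF: base64.b64encode(REGISTRAR_DER).decode(),
}}
```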
