Hello all,
I just uploaded a new version of BRSKI-PRM. It contains the following changes
to the last version:
Here is the list of contained changes:
* Issue #15 led to the inclusion of an option for an additional
signature of the registrar on the voucher received from the MASA before
forwarding to the registrar-agent to support verification of POP of the
registrar's private key in Section 5.1.4.2 and Section 5.1.4.3.
* Based on issue #11, a new endpoint was defined for the registrar to
enable delivery of the wrapped enrollment request from the pledge (in contrast
to plain PKCS#10 in simple enroll).
* Decision on issue #8 to not provide an additional signature on the
enrollment-response object by the registrar, as the enrollment response will
only contain the generic LDevID EE certificate. This credential builds the base
for further configuration outside the initial enrollment.
* Decision on issue #7 to not support multiple CSRs during the
bootstrapping, as based on the generic LDevID EE certificate the pledge may
enroll for further certificates.
* Closed open issue #5 regarding verification of ietf-ztp-types usage as
verified via a proof-of-concept in section {#exchanges_uc2_1}.
* Housekeeping: Removed already addressed open issues stated in the draft
directly.
* Reworked text from the introduction to the section on pledge-responder-mode.
* Fixed "serial-number" encoding in PVR/RVR.
* Added prior-signed-voucher-request in the parameter description of the
registrar-voucher-request in Section 5.1.4.2.
* Note added in Section 5.1.4.2 if sub-CAs are used, that the
corresponding information is to be provided to the MASA.
* Inclusion of limitation section (pledge sleeps and needs to be woken
up; pledge is awake but registrar-agent is not available) (Issue #10).
* Assertion-type aligned with voucher in RFC8366bis, deleted related open
issues. (Issue #4)
* Included table for endpoints in Section 5.1.2 for better readability.
* Included registrar authorization check for registrar-agent during TLS
handshake in Section 5.1.4.2. Also enhanced Figure 10 with the
authorization step on TLS level.
* Enhanced description of registrar authorization check for
registrar-agent based on the agent-signed-data in Section 5.1.4.2.
Also enhanced Figure 10 with the authorization step on
pledge-voucher-request level.
* Changed agent-signed-cert to an array to allow for providing further
certificate information like the issuing CA cert for the LDevID(RegAgt) EE
certificate in case the registrar and the registrar-agent have different
issuing CAs in Figure 10 (issue #12). This also required changes in the YANG
module in Section 6.1.2.
* Addressed YANG warning (issue #1).
* Inclusion of examples for a trigger to create a pledge-voucher-request
and an enrollment-request.
We will work further on aligning the draft with the JWS voucher draft for the
change in the JSON serialization. This will be included in the next update.
Best regards
Steffen
-----Original Message-----
From: Anima <[email protected]> On Behalf Of [email protected]
Sent: Friday, 11 February 2022 16:45
To: [email protected]
Cc: [email protected]
Subject: [Anima] I-D Action: draft-ietf-anima-brski-prm-01.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Autonomic Networking Integrated Model and
Approach WG of the IETF.
Title : BRSKI with Pledge in Responder Mode (BRSKI-PRM)
Authors : Steffen Fries
Thomas Werner
Eliot Lear
Michael C. Richardson
Filename : draft-ietf-anima-brski-prm-01.txt
Pages : 54
Date : 2022-02-11
Abstract:
This document defines enhancements to bootstrapping a remote secure
key infrastructure (BRSKI, [RFC8995]) to facilitate bootstrapping in
domains featuring no or only timely limited connectivity between a
pledge and the domain registrar. It specifically targets situations
in which the interaction model changes from a pledge-initiator-mode,
as used in BRSKI, to a pledge-responder-mode as described in this
document. To support both, BRSKI-PRM introduces a new registrar-
agent component, which facilitates the communication between pledge
and registrar during the bootstrapping phase. For the establishment
of a trust relation between pledge and domain registrar, BRSKI-PRM
relies on the exchange of authenticated self-contained objects
(signature-wrapped objects). The defined approach is agnostic
regarding the utilized enrollment protocol, deployed by the domain
registrar to communicate with the Domain CA.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-prm/
There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-prm-01
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-brski-prm-01
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima