Hello all,

We just uploaded an updated version of BRSKI-PRM (05). This version addresses the issues raised during several reviews on the anima github, specifically:

- Restructured document to have a distinct section for the object flow and handling and shortened introduction, issue #72
- Added security considerations for using mDNS without a specific product-serial-number, issue #75
- Clarified pledge-status responses are cumulative, issue #73
- Removed agent-sign-cert from trigger data to save bandwidth and remove complexity through options, issue #70
- Changed terminology for LDevID(Reg) certificate to registrar EE certificate, as it does not need to be an LDevID, issue #66
- Added new protected header parameter (created-on) in PER to support freshness validation, issue #63
- Removed reference to CAB Forum as not needed for BRSKI-PRM specifically, issue #65
- Enhanced error codes in section 5.5.1, issues #39, #64
- Enhanced security considerations and privacy considerations, issue #59
- Issue #50 addressed by referring to the utilized enrollment protocol
- Issue #47: MASA verification of LDevID(RegAgt) to the same registrar EE certificate domain CA
- Reworked terminology of "enrollment object", "certification object", "enrollment request object", etc., issue #27
- Reworked all message representations to align with encoding
- Added explanation of MASA requiring domain CA cert in section 5.5.1 and section 5.5.2, issue #36
- Defined new endpoint for pledge bootstrapping status inquiry, issue #35, in Section 6.4, IANA considerations and Section 5.3
- Included examples for several objects in Appendix A including message example sizes, issue #33
- PoP for private key to registrar certificate included as mandatory, issues #32 and #49
- Issue #31: clarified that combined pledge may act as client/server for further (re)enrollment
- Issue #42: clarified that Registrar needs to verify the status responses and ensure that they match the audit log response from the MASA, otherwise it needs to drop the pledge and revoke the certificate
- Issue #43: clarified that the pledge shall use the create time from the trigger message if the time has not been synchronized yet.
- Several editorial changes and enhancements to increase readability.

It is planned to discuss the latest status during IETF 115 and to determine the next steps. Technically it is stable and implemented as PoC.

Best regards
Steffen

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Monday, 24 October 2022 18:08
To: Michael C. Richardson <mcr+i...@sandelman.ca>; Eliot Lear <l...@cisco.com>; Michael Richardson <mcr+i...@sandelman.ca>; Fries, Steffen (T CST) <steffen.fr...@siemens.com>; Werner, Thomas (T CST SEA-DE) <thomas-wer...@siemens.com>
Subject: New Version Notification for draft-ietf-anima-brski-prm-05.txt

A new version of I-D, draft-ietf-anima-brski-prm-05.txt has been successfully submitted by Steffen Fries and posted to the IETF repository.

Name: draft-ietf-anima-brski-prm
Revision: 05
Title: BRSKI with Pledge in Responder Mode (BRSKI-PRM)
Document date: 2022-10-24
Group: anima
Pages: 86
URL: https://www.ietf.org/archive/id/draft-ietf-anima-brski-prm-05.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-anima-brski-prm/
Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-prm
Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-brski-prm-05

Abstract:

This document defines enhancements to bootstrapping a remote secure key infrastructure (BRSKI, RFC8995) to facilitate bootstrapping in domains featuring no or only time-limited connectivity between a pledge and the domain registrar. It specifically targets situations in which the interaction model changes from a pledge-initiated mode, as used in BRSKI, to a pledge-responding mode as described in this document. To support the pledge-responding mode, BRSKI-PRM introduces a new component, the registrar-agent, which facilitates the communication between pledge and registrar during the bootstrapping phase. To establish the trust relation between pledge and domain registrar, BRSKI-PRM relies on object security rather than transport security. The approach defined here is agnostic with respect to the underlying enrollment protocol which connects the pledge and the domain registrar to the Domain CA.

The IETF Secretariat

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima