Dear all,

yesterday I uploaded BRSKI-AE draft version 03, to be briefly presented at IETF 115. Mostly due to the recent reviews by Toerless and Michael, the text has gained quite a bit of clarity and readability.
Here is the log of changes since version 02:

* In response to document shepherd review by Toerless Eckert,
  * many editorial improvements and clarifications as suggested, such as the comparison to plain BRSKI, the description of offline vs. synchronous message transfer and enrollment, and better differentiation of RA flavors.
  * clarify that for transporting certificate enrollment messages between pledge and registrar, the TLS channel established between these two (via the join proxy) is used and the enrollment protocol MUST support this.
  * clarify that the enrollment protocol chosen between pledge and registrar MUST also be used for the upstream enrollment exchange with the PKI.
  * extend the description and requirements on how during the certificate enrollment phase the registrar MAY handle requests by the pledge itself and otherwise MUST forward them to the PKI and forward responses to the pledge.
  * Change "The registrar MAY offer different enrollment protocols" to "The registrar MUST support at least one certificate enrollment protocol ..."
* In response to review by Michael Richardson,
  * slightly improve the structuring of the Message Exchange Section 4.2 and add some detail on the request/response exchanges for the enrollment phase
  * merge the 'Enhancements to the Addressing Scheme' Section 4.3 with the subsequent one: 'Domain Registrar Support of Alternative Enrollment Protocols'
  * add reference to SZTP (RFC 8572)
  * extend venue information
  * convert output of ASCII-art figures to SVG format
  * various small other text improvements as suggested/provided
* Remove the tentative informative instantiation to EST-fullCMC
* Move Eliot Lear from co-author to contributor, add him to the acknowledgments
* Add explanations for terms such as 'target domain' and 'caPubs'
* Fix minor editorial issues and update some external references

Feedback is very welcome. Our aim is to get approval to proceed to WGLC at the meeting on Nov 10.
David

On Mon, 2022-10-24 at 11:25 -0700, internet-dra...@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Autonomic Networking Integrated Model and Approach WG of the IETF.
>
> Title : BRSKI-AE: Alternative Enrollment Protocols in BRSKI
> Authors : David von Oheimb
> Steffen Fries
> Hendrik Brockhaus
> Filename : draft-ietf-anima-brski-ae-03.txt
> Pages : 38
> Date : 2022-10-24
>
> Abstract:
> This document enhances Bootstrapping Remote Secure Key Infrastructure (BRSKI, RFC 8995) to allow employing alternative enrollment protocols, such as CMP. Using self-contained signed objects, the origin of enrollment requests and responses can be authenticated independently of message transfer. This supports end-to-end security and asynchronous operation of certificate enrollment and provides flexibility where to authenticate and authorize certification requests.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-ae-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-brski-ae-03
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
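The change log above describes the enrollment phase of BRSKI-AE: the pledge sends a self-contained signed certification request over its TLS channel to the registrar, the registrar either handles it itself or forwards it unchanged to the PKI over the same enrollment protocol and relays the response, and each side authenticates the signed object rather than the transport. The following toy model is an added illustration of that flow and is not code from the draft or its authors. It assumes one pledge and one domain CA, uses HMAC with a per-party key as a stand-in for an asymmetric signature (holding the key models holding that party's trust anchor), and all keys, names and field values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Toy stand-in for asymmetric signatures: HMAC keyed with a per-party secret.
# Holding the key models holding that party's trust anchor (the pledge's IDevID
# trust chain at the PKI, the CA certificate at the pledge). Assumption of this example.
def sign(key: bytes, body: dict) -> dict:
    """Return a self-contained signed object: the body plus a signature over it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify(key: bytes, obj: dict) -> bool:
    """Check the signature using only the object and the trust anchor, independent of transport."""
    payload = json.dumps(obj["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(obj.get("sig", ""), expected)

# Constructed keys for the two signing parties.
PLEDGE_KEY = secrets.token_bytes(32)   # models the pledge's IDevID signing key
CA_KEY = secrets.token_bytes(32)       # models the domain CA's signing key

def pledge_request(serial: str) -> dict:
    """Pledge side: build the signed certification request sent over TLS to the registrar."""
    body = {"type": "cert_req", "serial": serial, "pubkey": "constructed-ldevid-key"}
    return sign(PLEDGE_KEY, body)

def pki_issue(req: dict) -> dict:
    """PKI (RA/CA) side: authenticate the request end-to-end from the signed object alone,
    regardless of who transferred it or when, then return a CA-signed response."""
    if not verify(PLEDGE_KEY, req):
        return sign(CA_KEY, {"type": "error", "reason": "pledge signature invalid"})
    body = req["body"]
    cert = {"subject": body["serial"], "pubkey": body["pubkey"], "issuer": "constructed-domain-ca"}
    return sign(CA_KEY, {"type": "cert_resp", "cert": cert})

class Registrar:
    """Registrar: handles the request itself when it hosts the RA/CA function, otherwise
    forwards it to the PKI and relays the response, using the same enrollment protocol."""
    def __init__(self, local_ca: bool = False,
                 tamper_request: bool = False, tamper_response: bool = False):
        self.local_ca = local_ca
        # The two tamper flags model a misbehaving registrar, used below to show that
        # modification of either direction is detected by the signed objects alone.
        self.tamper_request = tamper_request
        self.tamper_response = tamper_response

    def handle(self, req: dict) -> dict:
        # Registrar-level authorization of the pledge; the PKI does not rely on this
        # check and re-verifies the object itself.
        if not verify(PLEDGE_KEY, req):
            return {"body": {"type": "error", "reason": "registrar rejected pledge"}, "sig": ""}
        if self.tamper_request:
            req = {"body": dict(req["body"], pubkey="attacker-key"), "sig": req["sig"]}
        if self.local_ca:
            resp = pki_issue(req)                      # registrar hosts the RA/CA itself
        else:
            wire = json.dumps(req).encode()            # forwarded upstream, possibly later (offline)
            resp = pki_issue(json.loads(wire))
        if self.tamper_response and resp["body"]["type"] == "cert_resp":
            cert = dict(resp["body"]["cert"], pubkey="attacker-key")
            resp = {"body": dict(resp["body"], cert=cert), "sig": resp["sig"]}
        return resp                                    # relayed back to the pledge over TLS

def pledge_enroll(serial: str, registrar: Registrar) -> dict:
    """Pledge side: send the request, then accept the response only if the CA's signature verifies."""
    resp = registrar.handle(pledge_request(serial))
    if not verify(CA_KEY, resp):
        return {"status": "untrusted_response"}
    if resp["body"]["type"] != "cert_resp":
        return {"status": "rejected", "reason": resp["body"]["reason"]}
    return {"status": "issued", "cert": resp["body"]["cert"]}

if __name__ == "__main__":
    print(pledge_enroll("SN-0001", Registrar()))
    print(pledge_enroll("SN-0002", Registrar(local_ca=True)))
    print(pledge_enroll("SN-0003", Registrar(tamper_request=True)))
    print(pledge_enroll("SN-0004", Registrar(tamper_response=True)))
```

The two tamper cases show why the draft's self-contained signed objects matter: a registrar that alters the request is caught by the PKI even though it terminates the pledge's TLS session, and a registrar that alters the response is caught by the pledge because only the CA's signature is trusted for the issued certificate. The forwarding path serializes the request before the PKI sees it, so nothing in the verification depends on the request arriving live over a connection.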
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima