Dear all,

yesterday I uploaded BRSKI-AE draft version 03, to be briefly presented at
IETF 115.
Mostly due to the recent reviews by Toerless and Michael,
the text has gained quite a bit of clarity and readability.

Here is the log of changes since version 02:

  *   In response to document shepherd review by Toerless Eckert,
     *   many editorial improvements and clarifications as suggested, such as
         the comparison to plain BRSKI, the description of offline vs.
         synchronous message transfer and enrollment, and better
         differentiation of RA flavors.
     *   clarify that for transporting certificate enrollment messages between
         pledge and registrar, the TLS channel established between these two
         (via the join proxy) is used and the enrollment protocol MUST support
         this.
     *   clarify that the enrollment protocol chosen between pledge and
         registrar MUST also be used for the upstream enrollment exchange with
         the PKI.
     *   extend the description and requirements on how during the certificate
         enrollment phase the registrar MAY handle requests by the pledge
         itself and otherwise MUST forward them to the PKI and forward
         responses to the pledge.
  *   Change "The registrar MAY offer different enrollment protocols" to
      "The registrar MUST support at least one certificate enrollment protocol ..."
  *   In response to review by Michael Richardson,
     *   slightly improve the structuring of the Message Exchange Section 4.2
         and add some detail on the request/response exchanges for the
         enrollment phase
     *   merge the 'Enhancements to the Addressing Scheme' Section 4.3 with the
         subsequent one: 'Domain Registrar Support of Alternative Enrollment
         Protocols'
     *   add reference to SZTP (RFC 8572)
     *   extend venue information
     *   convert output of ASCII-art figures to SVG format
     *   various small other text improvements as suggested/provided
  *   Remove the tentative informative instantiation to EST-fullCMC
  *   Move Eliot Lear from co-author to contributor, add him to the
      acknowledgments
  *   Add explanations for terms such as 'target domain' and 'caPubs'
  *   Fix minor editorial issues and update some external references

Feedback is very welcome.
Our aim is to get approval to proceed to WGLC at the meeting on Nov 10.

David

On Mon, 2022-10-24 at 11:25 -0700, internet-dra...@ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Autonomic Networking Integrated Model and 
Approach WG of the IETF.

  Title    : BRSKI-AE: Alternative Enrollment Protocols in BRSKI
  Authors  : David von Oheimb
             Steffen Fries
             Hendrik Brockhaus
  Filename : draft-ietf-anima-brski-ae-03.txt
  Pages    : 38
  Date     : 2022-10-24

Abstract:
   This document enhances Bootstrapping Remote Secure Key Infrastructure
   (BRSKI, RFC 8995) to allow employing alternative enrollment
   protocols, such as CMP.

   Using self-contained signed objects, the origin of enrollment
   requests and responses can be authenticated independently of message
   transfer.  This supports end-to-end security and asynchronous
   operation of certificate enrollment and provides flexibility where to
   authenticate and authorize certification requests.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-ae-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-brski-ae-03

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima