Hi all,
I'd like to bring your attention to the following individual IETF draft and invite you to review it. I believe this draft best fits under the auspices of the ANIMA WG. Feedback and comments are welcome. The high-level summary is as follows:

==============================
1. This document describes a lightweight certificateless enrollment protocol in BRSKI for constrained IoT devices.
2. A credential based on public keys is designed to replace the domain certificate used in BRSKI.
3. An authentication centre (AC), replacing the certification authority (CA), is used to issue the credential to the pledge.
4. A new mutual authentication protocol is designed for the authentication between two pledges using the credentials.

More details are available in the ID text.

Name: draft-yan-anima-brski-cle
Revision: 00
Title: BRSKI-CLE: A Certificateless Enrollment protocol in BRSKI
Document date: 2023-07-10
Group: Individual Submission
Pages: 13
URL: https://www.ietf.org/archive/id/draft-yan-anima-brski-cle-00.txt
Status: https://datatracker.ietf.org/doc/draft-yan-anima-brski-cle/
Html: https://www.ietf.org/archive/id/draft-yan-anima-brski-cle-00.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-yan-anima-brski-cle

There are some comments from Michael Richardson. Thank you for your comments.

------
On 11. Jul 2023, Michael Richardson <[email protected]> wrote:

> Yanlei (Ray) <[email protected]> wrote:
> > I would like to ask for a time slot for my new individual draft.
> > Topic/Title: BRSKI-CLE: A Certificateless Enrollment protocol in BRSKI
>
> Thank you for your document. I look forward to your slides for further
> explanation.
>
> 1. It seems that you've missed much of the Raw Public Key support that is a
> key part of constrained-BRSKI.

The Raw Public Key is used by the voucher before the "enroll" state as defined in constrained-BRSKI. The BRSKI-CLE is designed for the "enroll" state after the "imprint" state.

+------v-------+
| (4) Imprint  |
+------+-------+
       | send Voucher Status Telemetry
+------v-------+
|  (5) Enroll  |
+------+-------+

Thus, BRSKI-CLE is not involved in the vouchers. This draft focuses on the enrollment phase in BRSKI and the authentication for the communication between pledges after enrollment.

> 2. Do you have a proof-of-concept implementation?

We have some implementations of certificateless authentication but not of BRSKI-CLE.

> 3. There seems to be a significant gap in how the vouchers would work.
> I didn't understand this at all.

As explained in the answer to the first question, BRSKI-CLE is not involved in the vouchers.

> It all starts with an unsupported assumption that IoT devices cannot hold
> certificates. Yet, they are being installed into devices by the billions
> today.

If the enrollment protocol issues a domain certificate to the IoT devices, after the enrollment the IoT devices can just use the domain certificate for authentication in communication. BRSKI-CLE is an enrollment protocol that issues a credential based on public keys, instead of a certificate, to the IoT devices. Thus, the IoT devices can use the credential to authenticate each other in communication after enrollment. BRSKI-CLE provides a lightweight way for the authentication between IoT devices in communication after enrollment.

BRSKI-CLE does not change any process before the "enroll" state in BRSKI. Thus, BRSKI-CLE also supports an X.509 IDevID certificate installed by the vendor on IoT devices. The IoT devices only need to bootstrap once and may communicate with each other an unlimited number of times after enrollment. Therefore, it does not matter that certificates are used in bootstrapping. A lightweight authentication protocol for communication after bootstrapping is more meaningful.

------
Best regards,
Lei YAN
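The flow summarised in points 2 to 4 of the mail (an AC issues a public-key credential in the enroll state, and two enrolled pledges then authenticate each other with those credentials, without a CA or certificate chain), as an added illustration that is not part of the draft or of this thread. The draft's actual certificateless construction is not shown in the mail, so the signature scheme (Schnorr over a small safe-prime group), the credential payload layout, the three-message challenge-response exchange and all names below are assumptions made for this example; the group size is a toy one.

```python
# Toy model of the flow the mail describes for BRSKI-CLE: an Authentication Centre (AC)
# issues a public-key credential in the "enroll" state, and two enrolled pledges then
# authenticate each other with those credentials. ASSUMED for this example, not taken
# from the draft: Schnorr signatures over a small safe-prime group, the credential
# payload layout and the three-message challenge-response exchange.
import hashlib, random, secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Group:
    p: int  # safe prime p = 2q + 1
    q: int  # prime order of the subgroup generated by g
    g: int

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64) -> Group:
    """Random safe prime p = 2q + 1; g = 4 = 2^2 lies in the order-q subgroup. Toy size."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return Group(2 * q + 1, q, 4)

@dataclass(frozen=True)
class KeyPair:
    priv: int
    pub: int

def keygen(grp: Group) -> KeyPair:
    x = secrets.randbelow(grp.q - 1) + 1  # x in [1, q-1]
    return KeyPair(x, pow(grp.g, x, grp.p))

def _h(grp: Group, *parts) -> int:
    """Hash the parts to a scalar mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % grp.q

def sign(grp: Group, key: KeyPair, msg: str) -> Tuple[int, int]:
    """Schnorr signature (e, s); the challenge hash also binds the signer's public key."""
    k = secrets.randbelow(grp.q - 1) + 1
    e = _h(grp, pow(grp.g, k, grp.p), key.pub, msg)
    return e, (k + e * key.priv) % grp.q

def verify(grp: Group, pub: int, msg: str, sig: Tuple[int, int]) -> bool:
    e, s = sig
    if not (0 <= e < grp.q and 0 <= s < grp.q):
        return False
    r = pow(grp.g, s, grp.p) * pow(pub, grp.q - e, grp.p) % grp.p  # g^s * pub^-e == g^k
    return _h(grp, r, pub, msg) == e

@dataclass(frozen=True)
class Credential:  # stands in for the domain certificate: AC-signed (id, pubkey, domain)
    pledge_id: str
    pub: int
    domain: str
    ac_sig: Tuple[int, int]

def _payload(pledge_id: str, pub: int, domain: str) -> str:
    return f"cred|{domain}|{pledge_id}|{pub}"

def issue_credential(grp, ac: KeyPair, pledge_id: str, pub: int, domain: str) -> Credential:
    """Enroll state: the AC binds the pledge's public key to its identity and domain."""
    return Credential(pledge_id, pub, domain, sign(grp, ac, _payload(pledge_id, pub, domain)))

def verify_credential(grp, ac_pub: int, cred: Credential, domain: str) -> bool:
    return cred.domain == domain and verify(
        grp, ac_pub, _payload(cred.pledge_id, cred.pub, cred.domain), cred.ac_sig)

@dataclass
class Pledge:
    pledge_id: str
    key: KeyPair
    cred: Optional[Credential] = None

def enroll(grp, ac: KeyPair, pledge_id: str, domain: str) -> Pledge:
    pledge = Pledge(pledge_id, keygen(grp))
    pledge.cred = issue_credential(grp, ac, pledge_id, pledge.key.pub, domain)
    return pledge

def mutual_authenticate(grp, a: Pledge, b: Pledge, ac_pub: int, domain: str) -> bool:
    """Post-enrollment pledge-to-pledge authentication with credentials only. True only
    if each side validates the other's credential AND its proof of possession of the
    credentialed private key (both messages are bound to both nonces and both ids)."""
    nonce_a = secrets.randbits(128)                       # msg 1, A -> B: cred_A, nonce_A
    if not verify_credential(grp, ac_pub, a.cred, domain):
        return False                                      # B rejects A's credential
    nonce_b = secrets.randbits(128)                       # msg 2, B -> A: cred_B, nonce_B, sig_B
    ctx = f"{domain}|{a.cred.pledge_id}|{b.cred.pledge_id}|{nonce_a}|{nonce_b}"
    sig_b = sign(grp, b.key, "resp|" + ctx)
    if not verify_credential(grp, ac_pub, b.cred, domain):
        return False                                      # A rejects B's credential
    if not verify(grp, b.cred.pub, "resp|" + ctx, sig_b):
        return False                                      # B lacks the credentialed key
    sig_a = sign(grp, a.key, "init|" + ctx)               # msg 3, A -> B: sig_A
    return verify(grp, a.cred.pub, "init|" + ctx, sig_a)  # B checks A's proof of possession
```

Calling `enroll` twice against one AC and then `mutual_authenticate` on the two pledges models the once-only bootstrap followed by repeated peer authentication that the mail describes; a pledge whose credential was issued by a different AC is refused at the credential check, and a party that replays someone else's valid credential without the matching private key is refused at the signature check.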
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
