Hi all,
I'd like to bring your attention to the following Individual draft and invite
you to review the draft.
I just updated BRSKI-CLE (draft-yan-anima-brski-cle-01.txt) with the following
changes from draft 00 -> draft 01:
* Issue 1 (from Steffen Fries): The cryptographic approach should be discussed
with CFRG.
Changes for issue 1: All the mathematical algorithms are deleted from the
draft. Considering the evolution towards quantum-safe algorithms, the draft is
changed to a KEM-based enrollment framework. (KEM: Key Encapsulation Mechanism)
* Issue 2 (from Michael Richardson): COSE objects and ACE-EST should be
compared.
Changes for issue 2:
1) The draft does not specify the local credentials any more. As BRSKI-CLE is
a framework now, any lightweight credentials, such as CBOR Web Tokens (CWTs),
can be issued by using this framework.
2) The scenario is clarified and detailed. The Class 1 constrained IoT
devices, defined in RFC7228, may be unable to use certificates within limited
RAM. Even when CBOR is used to encode certificates, the certificate chain is
still heavy for the Class 1 constrained IoT devices.
3) ACE-EST uses EDHOC for authentication. As BRSKI-CLE is based on KEM, the
framework is compared with the KEM mechanism in EDHOC (I-D.ietf-lake-edhoc) and
TLS (I-D.wiggers-tls-authkem-psk). Because the KEM encapsulation uses the
server's public key, the IoT device does not need to configure a public key to
identify itself.
* EDHOC is used for the mutual authentication between the pledge and the
registrar in BRSKI, as shown in {{I-D.selander-lake-authz}}. Moreover,
transporting the pledge's credential by reference rather than by value is
supported. Therefore, a constrained IoT device has no need to configure a public
key to identify itself for the whole bootstrapping process.
Comments and suggestions are welcome.
I am looking for co-authors.
Best regards
Lei YAN
-----Original Message-----
From: I-D-Announce <[email protected]> On Behalf Of
[email protected]
Sent: Monday, October 23, 2023 9:00 PM
To: [email protected]
Subject: I-D Action: draft-yan-anima-brski-cle-01.txt
Internet-Draft draft-yan-anima-brski-cle-01.txt is now available.
Title: BRSKI-CLE: A Certificateless Enrollment framework in BRSKI
Author: Lei YAN
Name: draft-yan-anima-brski-cle-01.txt
Pages: 10
Dates: 2023-10-23
Abstract:
The Class 1 constrained IoT devices, defined in RFC7228, may be
unable to use certificates within limited RAM. Existing enrollment
protocols of BRSKI are all using certificates. This document defines
a certificateless enrollment framework in BRSKI (BRSKI-CLE) for
constrained IoT devices. Considering the evolution towards
quantum-safe algorithms, the framework is based on Key Encapsulation
Mechanism (KEM). Cooperating with the authentication mechanism shown
in I-D.selander-lake-authz, a constrained IoT device does not need to
configure a public key to identify itself for the whole bootstrapping
process. An authentication centre (AC) is used for issuing
lightweight credentials, such as CBOR Web Tokens (CWTs), to
constrained IoT devices. This document does not specify any
lightweight credentials.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-yan-anima-brski-cle/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-yan-anima-brski-cle-01.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-yan-anima-brski-cle-01
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima