Hi,

We just uploaded an update of BRSKI-PRM. The changes address the remaining open issues from WGLC and also the results of further discussions in the design team meetings, as well as the second early review by the SECDIR. Based on the latest changes, all of the issues collected on GitHub (https://github.com/anima-wg/anima-brski-prm/issues) could be closed. That said, the current version is ready for the Shepherd's review, which was announced as the next step in the process during IETF 118.
A summary of the changes made:

- issue #79: clarified that BRSKI discovery in the context of BRSKI-PRM is not needed, in Section 5.6.1
- issue #103: removed step 6 in the verification handling for the wrapped CA certificate provisioning, as it is only applicable after enrollment, in Section 6.3.3
- issue #128: included a note on nomadic operation of the Registrar-Agent in Section 5, including the proposed text from PR #131
- issue #130: introduced a DNS service discovery name for brski_pledge to enable discovery by the Registrar-Agent, in Section 8
- removed the unused reference to RFC 5280
- removed the "site" terminology
- deleted duplicated text in Section 5.5
- clarified registrar discovery and its relation to BRSKI-Discovery in Section 5.6.1
- clarified discovery of pledges by the Registrar-Agent in Section 5.6.2; deleted the reference to GRASP, as this is handled in BRSKI-Discovery
- addressed comments from the SECDIR early review

Thank you for the discussion.

Best regards
Steffen

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Monday, November 20, 2023 5:39 PM
To: Michael C. Richardson <[email protected]>; Eliot Lear <[email protected]>; Michael Richardson <[email protected]>; Fries, Steffen (T CST) <[email protected]>; Werner, Thomas (T CST SEA-DE) <[email protected]>
Subject: New Version Notification for draft-ietf-anima-brski-prm-11.txt

A new version of Internet-Draft draft-ietf-anima-brski-prm-11.txt has been successfully submitted by Steffen Fries and posted to the IETF repository.
Name:     draft-ietf-anima-brski-prm
Revision: 11
Title:    BRSKI with Pledge in Responder Mode (BRSKI-PRM)
Date:     2023-11-20
Group:    anima
Pages:    99
URL:      https://www.ietf.org/archive/id/draft-ietf-anima-brski-prm-11.txt
Status:   https://datatracker.ietf.org/doc/draft-ietf-anima-brski-prm/
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-prm
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-brski-prm-11

Abstract:

This document defines enhancements to Bootstrapping a Remote Secure Key Infrastructure (BRSKI, RFC8995) to enable bootstrapping in domains featuring no or only limited connectivity between a pledge and the domain registrar. It specifically changes the interaction model from a pledge-initiated mode, as used in BRSKI, to a pledge-responding mode, where the pledge is in the server role. For this, BRSKI with Pledge in Responder Mode (BRSKI-PRM) introduces a new component, the Registrar-Agent, which facilitates the communication between pledge and registrar during the bootstrapping phase. To establish the trust relation between pledge and registrar, BRSKI-PRM relies on object security rather than transport security. The approach defined here is agnostic to the enrollment protocol that connects the domain registrar to the domain CA.

The IETF Secretariat

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
