There is always a TLS/DTLS session between the pledge and the registrar.
In standard BRSKI with EST, the registrar is always the RA, and what
happens towards the CA is out of scope of BRSKI.
In BRSKI-AE, the registrar may be the RA or just a local RA, and what
happens towards the RA and/or CA is out of scope.
The paragraph in question ends like this:
To prevent this, the underlying message transport channel can be
encrypted. This is already provided by TLS between the pledge and
the registrar, and for the onward exchange with backend systems,
encryption may need to be added.
So it is just a hint that the onward traffic beyond the registrar
towards the CA may need an additional encryption layer, if desired.
David
On 02.09.24 19:57, Deb Cooley wrote:
If there is always a TLS/DTLS session, then why is there a note in Sec
Consid about CMP messages being in the clear?
Deb
On Mon, Sep 2, 2024 at 9:17 AM Michael Richardson <[email protected]> wrote:
Deb Cooley via Datatracker <[email protected]> wrote:
> While this draft clearly outlines the requirements for proof of possession and
> integrity/authentication of the pledge, I did not see any discussion on
> integrity/authentication of the RA/CA. How can the pledge determine if it is
> requesting certificates (either its own or CA) from the proper RA/CA? One of
> the advantages of EST is that the pledge can verify the EST server certificate,
> and an on-path attack is harder when there is an adequate TLS session. Is that
> the case with CMP (or SCEP)? If so, either point me to where that is
> documented or add a couple of sentences on how that is done. If not, please
> add a section to the Security Considerations.
Hi, you are asking a BRSKI question, which is a super-set of EST.
This is all in RFC8995, section 5, especially section 5.6.2.
The short answer is that the RFC8366 voucher pins the RA/CAs' key.
For CMP, the process is similar. A TLS or DTLS session is still created,
but when it comes to enrollment, EST is not used.
I wonder if including the vouchers in figure 2 would help?
brski.org contains a bunch of slides, and some videos of a few presentations
on BRSKI. https://brski.org/brski-impls.html
_Generic Animation of BRSKI - Bootstrapping Remote Secure Key Infrastructure_
https://www.youtube.com/watch?v=Mtbh_GN0Ce4
is something I put together specifically to answer this question.
It's only 5 minutes. Watchable at 1.5X too.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
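The pinning step Michael points to (RFC 8995 section 5.6.2: the RFC 8366 voucher carries a pinned-domain-cert, and the pledge only trusts a registrar whose TLS chain ends in that certificate) is shown below as an added example. It is not code from the draft, from RFC 8995, or from any BRSKI implementation. The voucher is a constructed JSON object using the RFC 8366 leaf names; the certificates are constructed byte stand-ins for DER, and the example assumes the voucher's CMS signature by the MASA has already been verified and that the TLS library has already handed back the trust anchor of the registrar's chain.

```python
"""Pledge-side check of an RFC 8366 voucher pin against the registrar's
TLS trust anchor (added example; constructed data, not a BRSKI implementation)."""
import base64
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for DER-encoded X.509 certificates.
DOMAIN_CA_DER = b"constructed-der:domain-ca-pinned-by-voucher"
ROGUE_CA_DER = b"constructed-der:some-other-ca"

PLEDGE_SERIAL = "PLEDGE-0001"  # constructed pledge serial-number

# Constructed voucher body. A real voucher is CMS-signed by the MASA;
# that signature check is assumed to have passed before this code runs.
VOUCHER_JSON = json.dumps({
    "ietf-voucher:voucher": {
        "created-on": "2024-09-02T09:00:00Z",
        "expires-on": "2024-09-03T09:00:00Z",
        "assertion": "verified",
        "serial-number": PLEDGE_SERIAL,
        "pinned-domain-cert": base64.b64encode(DOMAIN_CA_DER).decode(),
    }
})


def parse_timestamp(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by voucher timestamps."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fingerprint(der):
    """SHA-256 over the DER bytes; used to compare the pin with the presented anchor."""
    return hashlib.sha256(der).hexdigest()


def check_voucher_pin(voucher_text, pledge_serial, presented_anchor_der, now):
    """Decide whether the pledge may trust the registrar.

    Returns (accepted, reason). The checks mirror what RFC 8995 section 5.6.2
    asks of the pledge: the voucher must be for this pledge, must be within its
    validity window, and the registrar's TLS trust anchor must match the
    pinned-domain-cert carried in the voucher.
    """
    voucher = json.loads(voucher_text)["ietf-voucher:voucher"]

    if voucher.get("serial-number") != pledge_serial:
        return False, "voucher is not for this pledge"
    if now < parse_timestamp(voucher["created-on"]):
        return False, "voucher not yet valid"
    if "expires-on" in voucher and now > parse_timestamp(voucher["expires-on"]):
        return False, "voucher expired"

    pinned_der = base64.b64decode(voucher["pinned-domain-cert"])
    if fingerprint(pinned_der) != fingerprint(presented_anchor_der):
        return False, "registrar chain does not end in pinned-domain-cert"
    return True, "registrar accepted via voucher pin"


if __name__ == "__main__":
    now = parse_timestamp("2024-09-02T12:00:00Z")
    for label, anchor in (("genuine", DOMAIN_CA_DER), ("rogue", ROGUE_CA_DER)):
        ok, why = check_voucher_pin(VOUCHER_JSON, PLEDGE_SERIAL, anchor, now)
        print(f"{label}: {ok} ({why})")
```

The comparison is against the chain's trust anchor rather than the registrar's leaf certificate, which is why chain building is left to the TLS library: the voucher pins the domain CA, and any registrar certificate that validates up to it is acceptable. An on-path party that terminates the TLS session with its own CA fails the fingerprint comparison even though the handshake itself succeeded, which is the point Michael makes about the voucher covering what EST server-certificate validation alone would not.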
_______________________________________________
Anima mailing list -- [email protected]