Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

[Michael Richardson]

https://tinyurl.com/yylruorn contains an updated diff against -24.

Benjamin Kaduk via Datatracker  wrote:
> Section 5.2

> application/voucher-cms+json  The request is a "YANG-defined JSON
> document that has been signed using a CMS structure" as described
> in Section 3 using the JSON encoding described in [RFC7951].  This

> Section 3 does not describe any "sign[ing] using a CMS structure"
> operation.

Yes, I see, the sentence structure is wrong.  I have changed it:


-   application/voucher-cms+json  The request is a "YANG-defined JSON
-  document that has been signed using a CMS structure" as described
-  in Section 3 using the JSON encoding described in [RFC7951].  This
-  voucher media type is defined in [RFC8366] and is also used for
-  the pledge voucher-request.  The pledge SHOULD sign the request
-  using the Section 2.3 credential.

+   application/voucher-cms+json  [RFC8366] defines a "YANG-defined JSON
+  document that has been signed using a CMS structure", and the
+  voucher-request described in Section 3 is created in the same way.
+  The media type is the same as defined in [RFC8366].  and is also
+  used for the pledge voucher-request.  The pledge MUST sign the
+  request using the Section 2.3 credential.


> To be clear, this is MUST sign, but SHOULD use IDevID (vs. some other
> credential) to sign?

It was SHOULD, because we supported unsigned voucher requests, but we removed
that option.  It is now MUST.

> constrained voucher formats are expected in the future.  Registrar's
> and MASA's are expected to be flexible in what they accept.

> nits: no apostrophes for plurals.

done.

> proximity-registrar-cert:  In a pledge voucher-request this is the
> first certificate in the TLS server 'certificate_list' sequence
> (see [RFC5246]) presented by the registrar to the pledge.  This
> MUST be populated in a pledge voucher-request if the "proximity"
> assertion is populated.

> [same comment as above about "end-entity certificate"]

done.

> The registrar validates the client identity as described in EST
> [RFC7030] section 3.3.2.  The registrar confirms that the 'proximity'
> assertion and associated 'proximity-registrar-cert' are correct.

> what 'proximity' assertion?
> Does verifying proximity-registrar-cert just mean checking that it's the
> same leaf certificate that the registrar presented?  What happens if the
> validation fails?

Yes, it means confirming that the pinned certificate is one's own.
If it fails, then there is a MITM, and the connection should be closed.
{I will use "MITM" until someone tells if me we are using a different term}

I've split that paragraph up, as there are two thoughts, one is about the
ClientCertificate, and the other is about the pinned certificate.

The registrar validates the client identity as described in EST
-   [RFC7030] section 3.3.2.  The registrar confirms that the 'proximity'
-   assertion and associated 'proximity-registrar-cert' are correct.
+   [RFC7030] section 3.3.2.
+
+   The registrar confirms that the assertion is 'proximity' and that
+   pinned 'proximity-registrar-cert' is the Registrar's certificate.  If
+   this validation fails, then there a On-Path Attacker (MITM), and the
+   connection MUST be closed after the returning an HTTP 401 error code.

> Section 5.3

doc> A Registrar accepts or declines a request to join the domain, based
doc> on the authenticated identity presented.  Automated acceptance
doc> criteria include:

> I suggest "for different networks, examples of automated acceptance
> criteria may include".

doc> If these validations fail the registrar SHOULD respond with an
doc> appropriate HTTP error code.

> Similarly, "If validation fails".

done.

> Section 5.4

doc> The BRSKI-MASA TLS connection is a 'normal' TLS connection
doc> appropriate for HTTPS REST interfaces.  The registrar initiates the
doc> connection and uses the MASA URL obtained as described in Section 2.8
doc> for [RFC6125] authentication of the MASA.

> I'd consider mentioning  the implicit trust anchor database as well as
> the MASA URL.

edits for another review changed this to:
   The BRSKI-MASA TLS connection is a 'normal' TLS connection
   appropriate for HTTPS REST interfaces.  The registrar initiates the
   connection and uses the MASA URL obtained as described in
   Section 2.8.  The mechanisms in [RFC6125] SHOULD be used
   authentication of the MASA.  Some vendors will establish explicit (or
   private) trust anchors for validating their MASA; this will typically
   done as part of a sales channel integration.  Registars SHOULD permit
   trust anchors to be pre-configured on a per-vendor basis.

doc> The MASA and the registrars SHOULD be prepared to support TLS client
doc> certificate authentication and/or HTTP Basic or Digest 

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

[Randy Armstrong (OPC)]

> I think so; there are some details of resale that BRSKI would like to make 
> out-of-scope for the first document.  Some way, we have to deal with it, and 
> I would actually like feedback from OPC about the parameters of different 
> solutions here.

There are two things I would like to clarify:

1) As it stands today BRSKI is pull model only and the push model is out of 
scope but I don't see why that has to be the case once you allow for different 
protocols between the Device and the Registrar. With our proposed OPC mapping 
we would define a Registrar that supports both models. Is this of any interest 
to the IETF or would it be an OPC only thing?

2) Perhaps the most value from BRSKI comes not from the MASA per se but the 
voucher format (i.e. a digitally signed document with a standard format). We 
could meet a lot of our requirements if we had a voucher which has a list of 
nonce-less or bearer vouchers shipped to a particular location for use by a 
particular end user. We could create workflows where the 
manufacturer/distributor has to create this document when devices are 
delivered. The document could be delivered via the MASA or via some other B2B 
exchange or even on a USB stick. However it is delivered it can then be read by 
the Registrar and use it to build a whitelist of Devices allowed on the 
network. 

I am also thinking that this voucher would be a good application for block 
chain where instead of a bearer voucher we define a mechanism where the owner 
the device could append a "block" to the original voucher which authorizes the 
transfer to new owner. 

-Original Message-
From: Michael Richardson  
Sent: August 10, 2019 6:08 PM
To: Randy Armstrong (OPC) 
Cc: Jack Visoky ; iot-onboard...@ietf.org; 
anima@ietf.org
Subject: Re: EXTERNAL: Re: [Anima] [Iot-onboarding] OPC and BRSKI


Randy Armstrong (OPC)  wrote:
> The questions that the OPC WG needs to answer are:

> 1) Can BRSKI meet our requirements?

I think so; there are some details of resale that BRSKI would like to make 
out-of-scope for the first document.  Some way, we have to deal with it, and I 
would actually like feedback from OPC about the parameters of different 
solutions here.

> 2) If the answer to 1) is yes then can it work with OPC UA security?

yes, I think so.
is there any open source reference code for the OPC UA security?

> 3) If the answer to 2) is no then do we use TLS or extend our own model
> with something like BRSKI but not BRSKI?

> While I cannot predict how the various participants in the OPC WGs will
> respond to question 3), I do know it would make collaboration a lot
> easier if the answer to 2) was yes.

I think yes.

--
Michael Richardson , Sandelman Software Works  -= IPv6 
IoT consulting =-



___
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima