M. Ranganathan <mra...@gmail.com> wrote: > Consider an integrated BRSKI-EST server. The pledge bootstraps and gets the > pinned domain certificate. Then the pledge queries EST for the ca-certs. Is > it correct to require that the pinned domain cert must be present in the > CACerts collection returned by the EST server when the pledge does a > cacerts query (but can include additional certificates) ?
No, I don't think that the specific cert needs to be in the cacert set. 1) It makes sense that a trust anchor(s) returned ought to validate the pinned domain cert. This is because a certificate renewal operation needs to connect to the EST server correctly. Obviously, in a very degenerate case, there is only the one owner certificate, and it is used for everything. section 3.3 of draft-richardson-anima-registrar-considerations suggests that, and I include the text at the bottom. 2) The pinned-domain cert is validated by the pledge using the voucher. It does not need to be validatable via the cacerts for BRSKI-EST to work, provided that the TLS connection is never broken. (If the TLS connection is broken, then the enrollment should restart. We considered many ways around this, but I think in the end, we decided not to do this. HTTP/1.1+ persistent connections or die) === 3.3. Home Network Home networks and small offices that use residential class equipment are the most challenging situation. The three-tier PKI architecture is not justified because the ability to keep the root CA offline has no operational value. The home network registrar should be initialized with a single key pair used as the certificate authority. Secret splitting is useful in order to save the generated key with a few neighbours. It is recommended that the entire PKI system database (including CA private key) be encrypted with a symmetric key and the results made available regularly for download to a variety of devices. The symmetric key is split among the neighbours. The most difficult part of the Home Network PKI and Registrar is where to locate it. Generally it should be located on a device that is fully owned by the home user. This is sometimes the Home Router, but in a lot of situations the Home Router is the ISP's CPE router. If the home has a Network Attached Storage (NAS) system, then running it there is probably better. A compromise for CPE devices owned by the ISP that can run containers is for the Registrar to be located on detachable storage that is inserted into the CPE. The detachable storage is owned by the home owner, and can be removed from the CPE device if it is replaced. More experience will be necessary in order to determine if this is a workable solution. -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima