Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Jack Visoky
> but there are significant benefits to not maintaining your own protocols, and > significant benefits to getting the extensive review that TLS gets. I could not agree more with this statement. Thanks, --Jack -Original Message- From: Michael Richardson Sent: Saturday, August 10,

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Jack Visoky
> I think so; there are some details of resale that BRSKI would like to make > out-of-scope for the first document. Some way, we have to deal with it, and > I would actually like feedback from OPC about the parameters of different > solutions here. So in this case would the MASA need to be

Re: [Anima] [Iot-onboarding] EXTERNAL: Re: OPC and BRSKI

2019-08-12 Thread Michael Richardson
Randy Armstrong (OPC) wrote: > 1) As it stands today BRSKI is pull model only and the push model is > out of scope but I don't see why that has to be the case once you allow > for different protocols between the Device and the Registrar. With our > proposed OPC mapping we would

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Michael Richardson
Jack Visoky wrote: >> I think so; there are some details of resale that BRSKI would like to >> make out-of-scope for the first document. Some way, we have to deal >> with it, and I would actually like feedback from OPC about the >> parameters of different solutions here. >

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Jack Visoky
Hi Toerless, Just responding to one of your points, a colleague of mine from Cisco (Nancy Cam-Winget) and I have created a draft for authentication-only data protection for TLS 1.3. We've registered the cipher suites and will be going through the Independent Review for this RFC soon. If you,

Re: [Anima] comments on draft-ietf-anima-grasp-api

2019-08-12 Thread Brian E Carpenter
Hi Toerless, Yes, I think your model is correct. Three more comments below, then I will leave this alone until we revise the draft: On 13-Aug-19 07:10, Toerless Eckert wrote: > On Sat, Aug 10, 2019 at 11:23:20AM +1200, Brian E Carpenter wrote: >> Hi Toerless, >> >> If there was only one

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

2019-08-12 Thread Toerless Eckert
Agreeing to what Michael and you said, but also wanted to point out that TLS as defined by IETF is on a trajectory which may or may not be desirable for e.g.: industrial automation (where OPC is used) or other regulated/ critical environments. For example the total elimination of any

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
Benjamin Kaduk via Datatracker wrote: > Section 13.2 > I think CDDL needs to be a normative reference, as does RFC 7231. RFC > 2473 is listed but not referenced in the text, as are RFC 2663, RFC > 7217, and RFC 7575. CDDL->RFC8610, now normative. (Glad that got published)

Re: [Anima] MACsec as an alternative to L3-tunnels

2019-08-12 Thread Brian E Carpenter
Hi, In the context of the L2ACP draft (draft-carpenter-anima-l2acp-scenarios): It seems that MACsec keying and associations are generally pair-wise, but IEEE Std 802.1AE-2018 says: "The guarantees provided by MACsec support the following security services for stations participating in MACsec:

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
https://tinyurl.com/yylruorn contains a diff against -24. Benjamin Kaduk via Datatracker wrote: > Section 5.8.1 doc>A log data file is returned consisting of all log entries associated doc> with the the device selected by the IDevID presented in the request. doc> The audit

Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

2019-08-12 Thread Michael Richardson
WG: there is a chunk of Security Considerations text here that I hope many will read. Benjamin Kaduk via Datatracker wrote: > Section 11.4 > It is not entirely clear to me whether device manufacturers are set up > with incentives to maintain a well-run secure CA with strong

[Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-25.txt

2019-08-12 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Autonomic Networking Integrated Model and Approach WG of the IETF. Title : Bootstrapping Remote Secure Key Infrastructures (BRSKI) Authors : Max

Re: [Anima] comments on draft-ietf-anima-grasp-api

2019-08-12 Thread Toerless Eckert
On Sat, Aug 10, 2019 at 11:23:20AM +1200, Brian E Carpenter wrote: > Hi Toerless, > > If there was only one operating system in the world, I guess we could > describe this. The challenge I see is that the way to solve this may > be drastically different in different o/s environments, depending on