Hello all,
I just submitted an update of BRSKI-AE which contains the following list of
changes to the 01 version:
o Defined call flow and objects for interactions in use case 2. Object
format based on draft for JOSE signed voucher artifacts and
aligned the remaining objects with this approach in Section 5.2.3
o Terminology change: issue #2 pledge-agent -> registrar-agent to
better underline agent relation.
o Terminology change: issue #3 PULL/PUSH -> pledge-initiator-mode
and pledge-responder-mode to better address the pledge operation.
o Communication approach between pledge and registrar-agent changed
by removing TLS-PSK (former section TLS establishment) and
associated references to other drafts in favor of relying on
higher layer exchange of signed data objects. These data objects
are included also in the pledge-voucher-request and lead to an
extension of the YANG module for the voucher-request (issue #12).
o Details on trust relationship between registrar-agent and
registrar (issue #4, #5, #9) included in Section 5.2.
o Recommendation regarding short-lived certificates for registrar-agent
authentication towards registrar (issue #7) in the security
considerations.
o Introduction of reference to agent signing certificate using SKID
in agent signed data (issue #11).
o Enhanced objects in exchanges between pledge and registrar-agent
to allow the registrar to verify agent-proximity to the pledge
(issue #1) in Section 5.2.3.
o Details on trust relationship between registrar-agent and pledge
(issue #5) included in Section 5.2.
o Split of use case 2 call flow into subsections in Section 5.2.3.
The stated resolved issues relate to the ones enumerated in the anima GitLab.
Please provide feedback as it helps to further develop the approach.
Best regards
Steffen
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Monday, 14 June 2021 18:23
To: Eliot Lear <[email protected]>; Brockhaus, Hendrik (T RDA CST SEA-DE)
<[email protected]>; Fries, Steffen (T RDA CST)
<[email protected]>; Werner, Thomas (T RDA CST SEA-DE)
<[email protected]>
Subject: New Version Notification for draft-ietf-anima-brski-async-enroll-02.txt
A new version of I-D, draft-ietf-anima-brski-async-enroll-02.txt
has been successfully submitted by Steffen Fries and posted to the IETF
repository.
Name: draft-ietf-anima-brski-async-enroll
Revision: 02
Title: Support of asynchronous Enrollment in BRSKI (BRSKI-AE)
Document date: 2021-06-14
Group: anima
Pages: 59
URL:
https://www.ietf.org/archive/id/draft-ietf-anima-brski-async-enroll-02.txt
Status:
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-async-enroll/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-async-enroll
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-brski-async-enroll-02
Abstract:
This document describes enhancements of bootstrapping a remote secure
key infrastructure (BRSKI, [RFC8995]) to also operate in domains
featuring no or only timely limited connectivity between involved
components. Further enhancements are provided to perform the BRSKI
approach in environments, in which the role of the pledge changes
from a client to a server. This changes the interaction model from a
pledge-initiator-mode to a pledge-responder-mode. To support both
use cases, BRSKI-AE relies on the exchange of authenticated self-contained
objects (signature-wrapped objects) also for requesting and
distributing domain-specific device certificates. The defined
approach is agnostic regarding the utilized enrollment protocol,
allowing the application of existing and potentially new certificate
management protocols.
The IETF Secretariat
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima