MAX: please look for your name.
Toerless Eckert wrote:
> Section 5)
> a) Suggest changing the title to "Protocol Details (Pledge - Registrar
> - MASA / CA)"
> to distinguish from Section 4. Might consider also to move up section
renamed.
> b) MASA URI is "https:// authority "./well-known/est".
> ^
> missing a " ?
already fixed.
> c) BRSKI-EST connections SHOULD use persistent connections
> The intention of this guidance is to ensure the provisional TLS
> authentication occurs only once and is properly managed.
> This is not clear to me, please rephrase.
> - What does "properly managed" mean ?
I no longer recall.
I think it's content-free. It means don't throw away the connection
each time or do dumb things with your SSL context.
> - Why would provisional TLS authentication have to occur more than once
> without persistent connection ?
While EST section 3.2 does not insist upon use of HTTP 1.1
persistent connections, BRSKI-EST connections SHOULD use persistent
connections. The intention of this guidance is to ensure the
provisional TLS state occurs only once, and that the subsequent
resolution of the provision state is not subject to a MITM attack
during a critical phase.
> The first connection only retrieves the voucher, but then lets say the
> Pledge closes the connection and builds a new one for EST
> enrollment. On that second one it would not need to do provisional
> authentication. /cacerts after /requestvoucher ?
I agree that it's possible to come up with a number of places in which
one could restart the TLS connection, at which point a MITM would either
be detected, or would cause a failure, but I would rather not open this door.
The pledge would have to remember the server's certificate and make sure that
it always connects to a server with the same (identical) certificate.
If the JRC is implemented in a load-balanced scenario with a front-end
*TCP* (not SSL) proxy that distributes load, then it is possible that it
would be legitimate for the different servers to have different
certificates. As long as the voucher comes out correct, that's fine.
But, if the pledge is directed to different servers, which a non-persistent
connection could cause to occur, then the pledge will have a hard time.
What if the single server executes a planned reboot, and when it restarts, a
new (fresher) certificate has been installed?The persistent connection
could be tuned to keep server from rebooting until that transaction is over.
Finally, the non-persistent connections could be redirected by the Join Proxy
to different JRCs!
> d) Q: How would BRSKI work in the absence of persistent connections or
> in the presence of failures ? I guess each request from the pledge is a
> standalone transaction and the pledge would just repeat them until it
> succeeds or until a return code would indicate that the Registrar does
> not support this step and the pledge has to terminate.
The requests from the pledge are not standalone transactions.
They are a series of connections that build towards a result.
I don't think we need to support non-persistent connection.
> Aka: The way i see it, the reason for persistent connections is really
> just
> avoiding unnecessary repeated (expensive) TLS connection setup...
yes. So, couldn't you have edited your comments then?
> e) "If the Registrar responds with a redirection to other web origins"
> A reason for this rule should be written into that paragraph.
> ... This is to minimize attacks by fake registrars trying to
> indefinitely redirect a pledge.
MAX: I think that there are other reason as well?
MAX: Also, the pledge can't go anywhere by URL, only to where the Proxy
directs it, so really can any redirection be accepted?
Of course, it can do Host:
I have opened ticket: https://github.com/anima-wg/anima-bootstrap/issues/50
> f) "It should proceed to other discovered Registrars if there are any"
> Pledes don't discover Registrars, the discover Proxies.
> the Proxy can see a couple redundant Registrars.
fixed with:
To avoid blocking on a single erroneous Registrar the Pledge
MUST drop the connection after 5 seconds in which there has
been no progress on the TCP connection.
It should proceed to
connect to any other Registrar's via any other discovered
Proxies if there are any. If there were no
other Proxies discovered, the Pledge MAY continue to wait,
as long as it is concurrently listening for new Proxy
announcements.
> f.1) "If necessary the Pledge calls the EST defined /cacerts method to
> obtain the domain owners' CA certificate."
> Please