[authenticationProfile] <mgmtObj> specialization

Presentation transcript:

[authenticationProfile] <mgmtObj> specialization
Group Name: SEC WG
Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow
Meeting Date: SEC#25.1/MAS, 2016-11-21
Agenda Item: Device Configuration

Device Configuration and Security
TS-0022 Device Configuration defines the [registration] <mgmtObj> specialization.
The initial proposal was to include the security credentials in [registration].
SEC participants objected, since TS-0003 defines (or is in the process of defining) other procedures for provisioning credentials, and they are reluctant to use device management servers for this purpose without further investigation.

Current [registration]
Universal attributes, and the following <mgmtObj> attributes, are not shown: mgmtDefinition, objectID, objectPaths, description.

Attribute Name | Request Optionality (Create / Update) | Data Type | Default Value and Constraints
originatorID | O | m2m:ID | AE-ID or CSE-ID to be used on the registration request. If the setting is for a CSE, then this attribute shall be present.
poA | M | xs:anyURI | The URI for the point of access address of the registrar CSE. The protocol binding is determined from the protocol in this URI.
resourcePath | | | The path of the <CSEBase> resource in which to create the <AE> or <remoteCSE> resource.

Proposed [registration]
Universal attributes, and the following <mgmtObj> attributes, are not shown: mgmtDefinition, objectID, objectPaths, description.

Attribute Name | Request Optionality (Create / Update) | Data Type | Default Value and Constraints
originatorID | O | m2m:ID | AE-ID or CSE-ID to be used on the registration request. If the setting is for a CSE, then this attribute shall be present.
poA | M | xs:anyURI | The URI for the point of access address of the registrar CSE. The protocol binding is determined from the protocol in this URI.
resourcePath | | | The path of the <CSEBase> resource in which to create the <AE> or <remoteCSE> resource.
authProfileRef | | m2m:mgmtLinkRef | Link to the [authenticationProfile] to be used for mutual authentication for this registration.

Proposed [authenticationProfile]
Universal attributes, and the following <mgmtObj> attributes, are not shown: mgmtDefinition, objectID, objectPaths, description.

Attribute Name | Request Optionality (Create / Update) | Data Type | Notes
symmKeyID | O | sec:credentialID | Present when Pre-Provisioned Symmetric Key SAEF is to be used with pre-provisioning.
mef | | sec:tefKeyRegCfg | Present when Provisioned Symmetric Key SAEF is to be used with remote provisioning.
maf | | | Used when MAF-based SAEF is to be used.
cert | | sec:certAuthnProfile | (To be defined, see next slide.) Present when Certificate-based SAEF is to be used.

Add attributes for domain/scope/usage.
NOTE 1: Exactly one of the symmKeyID, mef, maf or cert elements shall be present.
Note: Can be extended to end-to-end security of primitives (ESPrim) with a change to the description.

sec:certAuthnProfile

Element Path | Element Data Type | Multiplicity | Note
deviceCertHash or deviceCertCredID | xs:base64Binary or sec:credentialID | 0..1 | SHA-256 hash of a DER-encoded certificate of the management target. Used when there is more than one certificate on the device.
peerCertHash | xs:base64Binary | | SHA-256 hash of the DER-encoded certificate of the intended peer. See NOTE.
trustAnchor | (anonymous) | 0..n | Present when a CA-issued certificate is used by the peer. See NOTE.
trustAnchor/hash | | 1 | SHA-256 hash of the CA certificate.
trustAnchor/uri | URI | | URI from which the certificate can be retrieved by the management target.

NOTE: Either exactly one peerCertHash element is present, or at least one trustAnchor element is present. In the former case, the peer must present a certificate which hashes to the peerCertHash. In the latter case, the peer must present a certificate chain to one of the identified trust anchors.
Note: Designed to be used for hop-by-hop security and end-to-end security of primitives (ESPrim).
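The two NOTEs above (exactly one SAEF selector in [authenticationProfile]; either a pinned peerCertHash or at least one trustAnchor in sec:certAuthnProfile) are the rules a management target has to enforce before and during the handshake with its registrar. The following Python is an added example written for this page, not code from the contribution or from any oneM2M implementation. It models the profiles as plain dictionaries with base64-encoded SHA-256 hashes (the xs:base64Binary values), checks both NOTEs, selects the device's own certificate via deviceCertHash, and then decides whether a presented peer chain is acceptable. The "DER" byte strings are constructed stand-ins, the trustAnchor/uri value is a placeholder, and the function names are my own; it also assumes (the page does not say this) that signature and validity checking of the chain is done by the TLS stack, so only the hash-based pinning and anchoring decisions are made here.

```python
from __future__ import annotations
import base64
import hashlib

# Constructed stand-ins for DER-encoded certificates (example data only; in a real
# deployment these are the raw DER bytes presented during the TLS handshake).
PEER_CERT_DER = b"constructed DER bytes: registrar CSE end-entity certificate"
CA_CERT_DER = b"constructed DER bytes: operator CA certificate"
OTHER_CERT_DER = b"constructed DER bytes: certificate from an unrelated issuer"
DEVICE_CERT_A_DER = b"constructed DER bytes: device certificate A"
DEVICE_CERT_B_DER = b"constructed DER bytes: device certificate B"


def cert_hash_b64(der: bytes) -> str:
    """SHA-256 over the DER encoding, base64-encoded as an xs:base64Binary value."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def auth_profile_errors(profile: dict) -> list[str]:
    """NOTE 1 of [authenticationProfile]: exactly one of symmKeyID, mef, maf, cert."""
    present = [k for k in ("symmKeyID", "mef", "maf", "cert") if k in profile]
    if len(present) != 1:
        return [f"exactly one of symmKeyID/mef/maf/cert shall be present, found {present}"]
    return []


def cert_authn_profile_errors(cap: dict) -> list[str]:
    """NOTE of sec:certAuthnProfile: either exactly one peerCertHash, or >= 1 trustAnchor."""
    errors = []
    anchors = cap.get("trustAnchor", [])
    if ("peerCertHash" in cap) == bool(anchors):
        errors.append("either peerCertHash or at least one trustAnchor shall be present, "
                      "not both and not neither")
    for i, anchor in enumerate(anchors):
        if "hash" not in anchor:  # trustAnchor/hash has multiplicity 1
            errors.append(f"trustAnchor[{i}] lacks the mandatory hash element")
    return errors


def select_device_cert(cap: dict, device_certs: list[bytes]) -> bytes | None:
    """Pick the management target's own certificate for the handshake.
    deviceCertHash is only needed when the device holds more than one certificate."""
    if "deviceCertHash" not in cap:
        return device_certs[0] if len(device_certs) == 1 else None
    wanted = base64.b64decode(cap["deviceCertHash"])
    for der in device_certs:
        if hashlib.sha256(der).digest() == wanted:
            return der
    return None


def peer_accepted(cap: dict, chain: list[bytes]) -> bool:
    """Apply the sec:certAuthnProfile NOTE to the peer's certificate chain.
    chain[0] is the peer's end-entity certificate; later entries are its issuers up to
    the root it terminates at (sent by the peer or fetched from trustAnchor/uri).
    Assumption not stated on the page: signature and validity checks along the chain
    are performed by the TLS stack; this function only makes the hash-based decision."""
    if cert_authn_profile_errors(cap) or not chain:
        return False
    digests = [hashlib.sha256(der).digest() for der in chain]
    if "peerCertHash" in cap:
        # Former case: the peer certificate itself must hash to peerCertHash.
        return digests[0] == base64.b64decode(cap["peerCertHash"])
    # Latter case: the chain must reach one of the configured trust anchors.
    anchor_digests = {base64.b64decode(a["hash"]) for a in cap["trustAnchor"]}
    return any(d in anchor_digests for d in digests)


# Constructed example profiles; the trustAnchor/uri value is a placeholder.
PINNED_PROFILE = {"peerCertHash": cert_hash_b64(PEER_CERT_DER)}
CA_PROFILE = {
    "deviceCertHash": cert_hash_b64(DEVICE_CERT_B_DER),
    "trustAnchor": [{"hash": cert_hash_b64(CA_CERT_DER),
                     "uri": "https://example.invalid/ca.der"}],
}
# An [authenticationProfile] selecting the certificate-based SAEF.
REGISTRATION_AUTH_PROFILE = {"cert": CA_PROFILE}

if __name__ == "__main__":
    print("auth profile errors:", auth_profile_errors(REGISTRATION_AUTH_PROFILE))
    print("pinned peer accepted:", peer_accepted(PINNED_PROFILE, [PEER_CERT_DER]))
    print("CA-chained peer accepted:", peer_accepted(CA_PROFILE, [PEER_CERT_DER, CA_CERT_DER]))
    print("unrelated peer accepted:", peer_accepted(CA_PROFILE, [OTHER_CERT_DER]))
```

Returning error lists rather than raising keeps the checks usable both at configuration time (reject a malformed profile pushed by the DM server) and at connection time (refuse the handshake when the peer's chain does not match). Note that `peer_accepted` treats a malformed profile as a failed authentication, so a profile that violates the NOTE never silently accepts a peer.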

Device credentials not included
The [authenticationProfile] does not provision credentials authenticating the device.
- symmKeyID identifies a symmetric key, BUT assumes that the symmetric key is already provisioned.
- mef (sec:tefKeyRegCfg): details for requesting remote security provisioning by a MEF, BUT details for mutual authentication with the MEF are expected to be configured separately.
- maf (sec:tefKeyRegCfg): details for requesting that a MAF facilitates authentication, BUT details for mutual authentication with the MAF are expected to be configured separately.
- cert (sec:certAuthnProfile): identifies a certificate of the Registree, but assumes it is already provisioned. Configures details for validating the certificate of the Registrar (peer).
We will continue working on the “other details”.

Next Steps
Configuring credentials to the Field Domain using Device Management:
- Symmetric key
- Device/Node/AE/CSE certificate
- Roots of trust for certificates?
Agreement: security parameters in a separate MO, with a link to that MO.
MAS would like to finalize TS-0022 at the next F2F.