Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

Slides:

Advertisements

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

Advertisements

A Framework for Distributed OCSP without Responders Certificate

Chapter 14 – Authentication Applications

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Public Key Management and X.509 Certificates

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.

draft-kwatsen-netconf-zerotouch-01

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Certificate revocation list

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

draft-ietf-netconf-zerotouch

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Online Certificate Status Protocol ‘OCSP’ Dave Hirose July Outline: What is OCSP? Digital Signatures Certificate Revocation List Technical aspects.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

PKI Future Directions 29 November 2001 Russ Housley RSA Laboratories CS – Class of 1981.

Introduction for Certificate-based Key Management Design based on Provisioning Tool Samsung Electronics Software R&D Center.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.

Host Identifier Revocation in HIP draft-irtf-hiprg-revocation-01 Dacheng Zhang IETF 79.

Bootstrapping Key Infrastructures

Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

NETCONF Server and RESTCONF Server Configuration Models draft-ietf-netconf-server-model-07 NETCONF WG IETF 93 Prague.

Document update - what has happened since GGF11

YANG Data Model for RIP draft-liu-rtgwg-yang-rip-01

Timeline - ATIS Involvement

NETCONF WG IETF 93 - Prague, Czech Republic THURSDAY, July 23, 2015

Assignment #5 – Solutions

pim wg multicast YANG team

Subscribing to YANG datastore push updates draft-ietf-netconf-yang-push-02 NETMOD WG IETF #95 Buenos Aires 4-April-2015 Alexander Clemm Alberto Gonzalez.

BRSKI overview and issues

کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)

draft-levin-xcon-cccp-02.txt Orit Levin

Pairing Protocol (for DNS SD privacy)

Factory default Setting draft-wu-netmod-factory-default-01

Binary encoding draft-MAHESH-NETCONF-binary-encoding

YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99

Digital Certificates and X.509

CS 465 Certificates Last Updated: Oct 14, 2017.

draft-ding-netmod-arp-yang-model-00 Xiaojian Ding, Feng Zheng

ECN Experimentation draft-black-ecn-experimentation

draft-liu-netmod-yang-schedule-02

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

PKI (Public Key Infrastructure)

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)

Introduction to Let’s Encrypt

Subscription to Multiple Stream Originators

OCSP Requirements GGF13.

Schema version selection Reshad Rahman (presenting), Rob Wilton

An HTTPS-based Transport for Subscribed Notifications

Presentation transcript:

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

Introduction The Artifacts: Voucher: used to assign a device to an owner Voucher Revocation: used to affirm that the assertions assumed when the voucher was signed are still valid. The draft only defines the artifacts themselves leaving their distribution to bootstrapping protocols

History The zero touch draft previously stated that the voucher and voucher revocation artifacts were vendor specific binary formats. However, a standard format enables: use by multiple bootstrapping protocols development of tool chains to encode/decode them

Voucher module: ietf-voucher +--ro voucher +--ro assertion enumeration // e.g., logged, verified +--ro trusted-ca-certificate? binary +--ro certificate-id | +--ro cn-id? string | +--ro dns-id? string +--ro unique-id* string +--ro nonce? string +--ro created-on? yang:date-and-time +--ro expires-on? yang:date-and-time +--ro revocation-location? inet:uri +--ro additional-data?

Voucher Revocation module: ietf-voucher-revocation +--ro voucher-revocation +--ro revocation-type enumeration +--ro created-on yang:date-and-time +--ro expires-on? yang:date-and-time +--ro (voucher-revocation-type)? | +--:(issuer-wide) | | ... // see next slide | +--:(voucher-specific) | ... // see next slide +--ro additional-data? issuer-wide (like a CRL) voucher-specfic (like OCSP)

Voucher Revocation (cont.) +--ro issuer-wide // like a CRL +--ro (list-type)? +--:(whitelist) | +--ro whitelist | +--ro voucher-identifier* string +--:(blacklist) +--ro blacklist +--ro voucher-identifier* string +--ro voucher-specific // like an OCSP Response +--ro voucher-identifier string +--ro voucher-status enumeration +--ro revocation-information +--ro revoked-on yang:date-and-time +--ro revocation-reason enumeration

Encoding Strategy Currently defined in YANG but YANG is only for “configuration” here we effectively want a file format... Current draft says, encode it the same as if it were the response from a RESTCONF server but that seems loose Options: leave as is define a YANG to artifact encoding don’t use YANG Note: the same issue exists in the zerotouch draft, for encoding the information-type artifact

Signing Strategy Both artifacts MUST be signed. But a signing strategy has not been selected yet. Some options that have been discussed: PKCS#7, CMS, JWS

Next Steps This draft is already close to completion. We just need to: resolve the artifact encoding issue finalize the signing strategy clean up loose ends Which WG should adopt it? Note: the zerotouch draft has a normative reference to this draft, but it is expected that drafts in other working groups will as well shortly. Comments / Questions?