Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Slides:



Advertisements
Similar presentations
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Advertisements

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Public Key Management and X.509 Certificates
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
draft-kwatsen-netconf-zerotouch-01
LDAP Items
PKI Activities at Virginia September 2000 Jim Jokl
1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.
BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
Web Authorization Protocol (oauth) Hannes Tschofenig.
OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.
Comments on draft-ietf-pkix-rfc3280bis-01.txt IETF PKIX Meeting Paris - August 2005 Denis Pinkas
Portable Symmetric Key Container (PSKC) Mingliang Pei Philip Hoyer Dec. 3, th IETF, Vancouver.
Keyprov PSKC spec Philip Hoyer 71-st IETF, Philadelphia.
Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.
Bing Liu (speaker), Sheng WG, ietf96, July 2016
Bootstrapping Key Infrastructures
TAG Presentation 18th May 2004 Paul Butler
NACK-Oriented Reliable Multicast (NORM) Update
ID Tracker States: An Internet Draft’s Path Through the IESG
Authenticated Identity
Public Key Infrastructure (PKI)
SSL Certificates for Secure Websites
STIR WG / IETF 94 Yokohama, Nov 2015 Jon
Timeline - ATIS Involvement
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
TAG Presentation 18th May 2004 Paul Butler
draft-ietf-simple-message-session-09
Chairs: Derek Atkins and Hannes Tschofenig
Authentication Applications
Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)
Agenda OAuth WG IETF 87 July, 2013.
draft-ietf-geopriv-lbyr-requirements-02 status update
BRSKI overview and issues
Information Security message M one-way hash fingerprint f = H(M)
زير ساخت كليد عمومي و گواهي هويت
RFC PASSporT Construction 6.2 Verifier Behavior
RFC PASSporT Construction 6.2 Verifier Behavior
YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99
Wednesday, 9:30-12:00 Morning session I, Van Horne
Information Security message M one-way hash fingerprint f = H(M)
Resource Certificate Profile
Digital Certificates and X.509
Tuesday , 9:30-12:00 Morning session I, Buckingham
CS 465 Certificates Last Updated: Oct 14, 2017.
STIR WG IETF-102 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-06) July 18, 2018 Ray P. Singh, Martin Dolly, Subir Das, and.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
IPNNI SHAKEN Enterprise Models: LEMON TWIST
IEEE MEDIA INDEPENDENT HANDOVER DCN:
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
Bootstrapping Key Infrastructure over EAP draft-lear-eap-teap-brski
IoT Onboarding for Date: Authors: November 2018
draft-friel-acme-integrations
STIR Certificate delegation
Task 62 Scope – Config / Operational State
Update on BRSKI-AE – Support for asynchronous enrollment
OCSP Requirements GGF13.
Presentation transcript:

Voucher Profile for Bootstrapping Protocols draft-ietf-anima-voucher-02 ANIMA WG IETF 98 (Chicago)

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion on BRSKI and 50% discussion on Voucher.

Updates Since IETF 97 Removed support for voucher-revocations. (Not sorted) Removed support for voucher-revocations. Focus on voucher-renewals instead. Removed single voucher mapping to many pledges. Initially due to not wanting a course-revocation, but became not wanting to unnecessary block a renewal due to being to coarse. Selected PKCS#7 for the signing strategy. Selected JSON for encoding Removed support for XML encoding (setup for future alignment with JWT) Moved terminology from BRSKI into Voucher. Added “Survey of Voucher Types” section.

Renewals > Revocations Long lifetime Con: Requires revocation logic, services MASA Revoked! Undefined OCSP/CRL B) Medium or Short lifetime Con: Contiguous renewals MASA not renewed! not renewed! MASA not renewed! e.g. t > last-renewal-date C) Short lifetime, non contiguous Pro: A single flow, always exercised

Renewals > Revocations Design Considerations: Voucher s6.1 Single flow, always exercised Equivalent to short lifetime revocation statements with simpler operational management No longer need additional revocation status protocols (e.g. RFC6066, section 8 inline certificate status extensions) Threat modeling is simpler Looks like ”Web Tokens” ACME w/ domain validation is effectively the same: a simple method of obtaining a new credential on demand rather than complex renewal Theoretically an (EST) PKI could do this simply by supporting renewal beyond validity period (note: “last-renewal-date” is informative)

Voucher New parts: authority-key-identifier “The Subject Key Identifier of the MASA's leaf certificate” Intended to identify voucher issuer certificate (may be redundant w/ PKCS7 structures) domain-certificate-identifier/subject Requires the mandatory “trusted-ca-certificate” Allows domain to roll public key during voucher validity period assert-certificate-revocations Flag telling pledge how it should go about validating the domain certificate chain. last-renewal-date An informative field, not processed by pledges, indicating the last date the MASA projects it will renew a voucher on.

(Each discussed on upcoming slides) Open Issues Does the voucher still need to support indirect issuer? Need to support revocations of domain certificate? PKCS#7 or something else, like CWT? Is there a need for authority-key-identifier? (Each discussed on upcoming slides)

1. Does the voucher still need to support an indirect issuer? Specifically the “domain-certificate-identifier” container? +--ro trusted-ca-certificate binary +--ro domain-certificate-identifier | +--ro subject? binary | +--ro cn-id? string | +--ro dns-id? string Do we need this anymore, if short-lived vouchers are expected, would the domain certificate always be pinned? This is an issue for NETCONF zerotouch more so than BRSKI, but may affect other bootstrapping protocols as well.

2. Need to support revocations of domain certificate? Specifically the “assert-certificate-revocations” leaf? +--ro assert-certificate-revocations? boolean The voucher itself is not revocable, but the domain certificate might be. Event though it’s recommended that vouchers be as short-lived as possible, SHOULD voucher tell device to verify revocation status of the domain’s certificate? Note: the voucher could also indicate how far out it could determine the revocation status to be good for...

3. PKCS#7 or something else, like CWT? Right now Voucher uses PKCS#7 for signing like SMIME with stapled certificate chain Some would like to align it with CWT for ultra-small IoT devices but CWT is not a good match Worry about in some future RFC instead?

4. Is there a need for authority-key-identifier? PKCS7 includes SignerInfo This could be held off until non-PKCS7 signing methods are defined in future work

Questions, Comments, Concerns? Final Stretch We just need to work through these issues. Ideally a Last Call in a few weeks... Questions, Comments, Concerns?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.