Presentation is loading. Please wait.

Presentation is loading. Please wait.

Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

Published byDouglas Stewart Modified over 5 years ago

Similar presentations

Presentation on theme: "Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)"— Presentation transcript:

1 Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)

2 Introduction The Artifacts:
Voucher: used to assign a device to an owner Voucher Revocation: used to affirm that the assertions assumed when the voucher was signed are still valid. The draft only defines the artifacts themselves leaving their distribution to bootstrapping protocols

3 History The zero touch draft previously stated that the voucher and voucher revocation artifacts were vendor specific binary formats. However, a standard format enables: use by multiple bootstrapping protocols development of tool chains to encode/decode them

4 Voucher module: ietf-voucher +--ro voucher +--ro assertion enumeration // e.g., logged, verified +--ro trusted-ca-certificate? binary +--ro certificate-id | +--ro cn-id? string | +--ro dns-id? string +--ro unique-id* string +--ro nonce? string +--ro created-on? yang:date-and-time +--ro expires-on? yang:date-and-time +--ro revocation-location? inet:uri +--ro additional-data?

5 Voucher Revocation module: ietf-voucher-revocation +--ro voucher-revocation +--ro revocation-type enumeration +--ro created-on yang:date-and-time +--ro expires-on? yang:date-and-time +--ro (voucher-revocation-type)? | +--:(issuer-wide) | | ... // see next slide | +--:(voucher-specific) | ... // see next slide +--ro additional-data? issuer-wide (like a CRL) voucher-specfic (like OCSP)

6 Voucher Revocation (cont.)
+--ro issuer-wide // like a CRL +--ro (list-type)? +--:(whitelist) | +--ro whitelist | +--ro voucher-identifier* string +--:(blacklist) +--ro blacklist +--ro voucher-identifier* string +--ro voucher-specific // like an OCSP Response +--ro voucher-identifier string +--ro voucher-status enumeration +--ro revocation-information +--ro revoked-on yang:date-and-time +--ro revocation-reason enumeration

7 Encoding Strategy Currently defined in YANG
but YANG is only for “configuration” here we effectively want a file format... Current draft says, encode it the same as if it were the response from a RESTCONF server but that seems loose Options: leave as is define a YANG to artifact encoding don’t use YANG Note: the same issue exists in the zerotouch draft, for encoding the information-type artifact

8 Signing Strategy Both artifacts MUST be signed.
But a signing strategy has not been selected yet. Some options that have been discussed: PKCS#7, CMS, JWS

9 Next Steps This draft is already close to completion. We just need to:
resolve the artifact encoding issue finalize the signing strategy clean up loose ends Which WG should adopt it? Note: the zerotouch draft has a normative reference to this draft, but it is expected that drafts in other working groups will as well shortly. Comments / Questions?

Download ppt "Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)"

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Similar presentations

Ads by Google