Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.

Published by Modified over 5 years ago

Similar presentations

Presentation on theme: "Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion."— Presentation transcript:

1 Voucher Profile for Bootstrapping Protocols draft-ietf-anima-voucher-02 ANIMA WG IETF 98 (Chicago)

2 Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion on BRSKI and 50% discussion on Voucher.

3 Updates Since IETF 97 Removed support for voucher-revocations.
(Not sorted) Removed support for voucher-revocations. Focus on voucher-renewals instead. Removed single voucher mapping to many pledges. Initially due to not wanting a course-revocation, but became not wanting to unnecessary block a renewal due to being to coarse. Selected PKCS#7 for the signing strategy. Selected JSON for encoding Removed support for XML encoding (setup for future alignment with JWT) Moved terminology from BRSKI into Voucher. Added “Survey of Voucher Types” section.

4 Renewals > Revocations
Long lifetime Con: Requires revocation logic, services MASA Revoked! Undefined OCSP/CRL B) Medium or Short lifetime Con: Contiguous renewals MASA not renewed! not renewed! MASA not renewed! e.g. t > last-renewal-date C) Short lifetime, non contiguous Pro: A single flow, always exercised

5 Renewals > Revocations
Design Considerations: Voucher s6.1 Single flow, always exercised Equivalent to short lifetime revocation statements with simpler operational management No longer need additional revocation status protocols (e.g. RFC6066, section 8 inline certificate status extensions) Threat modeling is simpler Looks like ”Web Tokens” ACME w/ domain validation is effectively the same: a simple method of obtaining a new credential on demand rather than complex renewal Theoretically an (EST) PKI could do this simply by supporting renewal beyond validity period (note: “last-renewal-date” is informative)

6 Voucher New parts: authority-key-identifier
“The Subject Key Identifier of the MASA's leaf certificate” Intended to identify voucher issuer certificate (may be redundant w/ PKCS7 structures) domain-certificate-identifier/subject Requires the mandatory “trusted-ca-certificate” Allows domain to roll public key during voucher validity period assert-certificate-revocations Flag telling pledge how it should go about validating the domain certificate chain. last-renewal-date An informative field, not processed by pledges, indicating the last date the MASA projects it will renew a voucher on.

7 (Each discussed on upcoming slides)
Open Issues Does the voucher still need to support indirect issuer? Need to support revocations of domain certificate? PKCS#7 or something else, like CWT? Is there a need for authority-key-identifier? (Each discussed on upcoming slides)

8 1. Does the voucher still need to support an indirect issuer?
Specifically the “domain-certificate-identifier” container? +--ro trusted-ca-certificate binary +--ro domain-certificate-identifier | +--ro subject? binary | +--ro cn-id? string | +--ro dns-id? string Do we need this anymore, if short-lived vouchers are expected, would the domain certificate always be pinned? This is an issue for NETCONF zerotouch more so than BRSKI, but may affect other bootstrapping protocols as well.

9 2. Need to support revocations of domain certificate?
Specifically the “assert-certificate-revocations” leaf? +--ro assert-certificate-revocations? boolean The voucher itself is not revocable, but the domain certificate might be. Event though it’s recommended that vouchers be as short-lived as possible, SHOULD voucher tell device to verify revocation status of the domain’s certificate? Note: the voucher could also indicate how far out it could determine the revocation status to be good for...

10 3. PKCS#7 or something else, like CWT?
Right now Voucher uses PKCS#7 for signing like SMIME with stapled certificate chain Some would like to align it with CWT for ultra-small IoT devices but CWT is not a good match Worry about in some future RFC instead?

11 4. Is there a need for authority-key-identifier?
PKCS7 includes SignerInfo This could be held off until non-PKCS7 signing methods are defined in future work

12 Questions, Comments, Concerns?
Final Stretch We just need to work through these issues. Ideally a Last Call in a few weeks... Questions, Comments, Concerns?

Download ppt "Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion."

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.

Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
draft-kwatsen-netconf-zerotouch-01

draft-kwatsen-netconf-zerotouch-01
LDAP Items

LDAP Items
PKI Activities at Virginia September 2000 Jim Jokl

PKI Activities at Virginia September 2000 Jim Jokl
1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S40-20090330-005 X50-20090330-0xx Source: QUALCOMM Incorporated Contact(s): Anand.

1 SeGW Certificate profile (Revised) 3GPP2 TSG-S WG4 /TSG-X WG5 (PDS) S X xx Source: QUALCOMM Incorporated Contact(s): Anand.
BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

Similar presentations

Ads by Google