BRSKI with Pledge in Responder Mode (BRSKI-PRM)
draft-ietf-anima-brski-prm-12
| | Field | Value |
|---|---|---|
| Document | Type | Active Internet-Draft (anima WG) |
| | Authors | Steffen Fries, Thomas Werner, Eliot Lear, Michael Richardson |
| | Last updated | 2024-03-04 |
| | Replaces | draft-ietf-anima-brski-async-enroll |
| | RFC stream | Internet Engineering Task Force (IETF) |
| | Intended RFC status | Proposed Standard |
| | Reviews | YANGDOCTORS Early review (of -05) by Martin Björklund: Ready w/issues; IOTDIR Early review (of -05) by Marco Tiloca: Ready w/nits |
| | Additional resources | Mailing list discussion |
| Stream | WG state | In WG Last Call |
| | Document shepherd | Matthias Kovatsch |
| IESG | IESG state | I-D Exists |
| | Consensus boilerplate | Yes |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | ietf@kovatsch.net |
Fries, et al. Expires 5 September 2024 [Page 102] Internet-Draft BRSKI-PRM March 2024

* Clarification that the discovery options for enrollment endpoints at the domain registrar based on well-known endpoints do not result in additional /.well-known URIs. Update of the illustrative example. Note that the change to /brski for the voucher-related endpoints has been taken over in the BRSKI main document.

* Updated references.

* Included Thomas Werner as additional author for the document.

From individual version 03 -> IETF draft 00:

* Inclusion of discovery options of enrollment endpoints at the domain registrar based on well-known endpoints in a new section as replacement of Section 5.1.3 in the individual draft. This is intended to support both use cases in the document. An illustrative example is provided.

* Missing details provided for the description and call flow in the pledge-agent use case in Section 5, e.g. to accommodate distribution of CA certificates.

* Updated CMP example in to use lightweight CMP instead of CMP, as the draft already provides the necessary /.well-known endpoints.

* Requirements discussion moved to a separate section in Section 4. Shortened description of proof-of-identity binding and mapping to existing protocols.

* Removal of copied call flows for voucher exchange and registrar discovery flow from [RFC8995] in UC1 to avoid doubling of text or inconsistencies.

* Reworked abstract and introduction to be more crisp regarding the targeted solution. Several structural changes in the document to have a better distinction between requirements, use case description, and solution description as separate sections. History moved to appendix.

From individual version 02 -> 03:

* Update of terminology from self-contained to authenticated self-contained object to be consistent in the wording and to underline the protection of the object with an existing credential. Note that the naming of this object may be discussed. An alternative name may be attestation object.

* Simplification of the architecture approach for the initial use case having an offsite PKI.

* Introduction of a new use case utilizing authenticated self-contained objects to onboard a pledge using a commissioning tool containing a pledge-agent. This requires additional changes in the BRSKI call flow sequence and led to changes in the introduction, the application example, and also in the related BRSKI-PRM call flow.

From individual version 01 -> 02:

* Update of introduction text to clearly relate to the usage of IDevID and LDevID.

* Update of description of architecture elements and changes to BRSKI in Section 5.

* Enhanced consideration of existing enrollment protocols in the context of mapping the requirements to existing solutions in Section 4.

From individual version 00 -> 01:

* Update of examples, specifically for building automation, as well as two new application use cases in Section 3.1.

* Deletion of asynchronous interaction with MASA to not complicate the use case. Note that the voucher exchange can already be handled in an asynchronous manner and is therefore not considered further. This resulted in removal of the alternative path to the MASA in Figure 1 and the associated description in Section 5.

* Enhancement of description of architecture elements and changes to BRSKI in Section 5.

* Consideration of existing enrollment protocols in the context of mapping the requirements to existing solutions in Section 4.

* New section starting with the mapping to existing enrollment protocols by collecting boundary conditions.

Contributors

Esko Dijk
IoTconsultancy.nl
Email: esko.dijk@iotconsultancy.nl

Toerless Eckert
Futurewei
Email: tte@cs.fau.de

Matthias Kovatsch
Siemens Schweiz AG
Email: ietf@kovatsch.net

Authors' Addresses

Steffen Fries
Siemens AG
Otto-Hahn-Ring 6
81739 Munich
Germany
Email: steffen.fries@siemens.com
URI: https://www.siemens.com/

Thomas Werner
Siemens AG
Otto-Hahn-Ring 6
81739 Munich
Germany
Email: thomas-werner@siemens.com
URI: https://www.siemens.com/

Eliot Lear
Cisco Systems
Richtistrasse 7
CH-8304 Wallisellen
Switzerland
Phone: +41 44 878 9200
Email: lear@cisco.com

Michael C. Richardson
Sandelman Software Works
Email: mcr+ietf@sandelman.ca
URI: http://www.sandelman.ca/