Kent Watsen <[email protected]> wrote: >>> Skimming quickly, I see now the direction to go to a cloud registrar to >>> be redirected to a local registrar. I feel compelled to point out that >>> this is exactly what SZTP (RFC 8572) does, or at least, supports. >>> Actually, as a more general statement, it was originally said that the >>> two WG's approaches were different, but they are now becoming more and >>> more alike. Well, since SZTP is published already, it's more like the >>> ANIMA approach is becoming more like SZTP, albeit seemingly with more >>> complexity. >> >> SZTP does not directly result in the same mutually authenticated TLS (EST) >> connection to a Registrar that BRSKI does. This was not an explicit SZTP goal.
> It's true that EST isn't used, but there is a mutually-authenticated
> TLS connection to the SZTP bootstrap server, which is effectively the
> same as BRSKI's Registrar.
It's not clear to me that this always occurs in the USB or DHCP cases :-)
>> What it could do though, is to provide a source of (secure) bootstrap
>> configuration in which such a connection could be initiated. In my mind,
>> I see a fragment of signed JUNOS, IOS (CISCO, not Apple), etc. CLI
>> configuration that initiates the connection. Such a thing would not be
>> standardized.
>> But, I would think that this is exactly the kind of thing that could
>> be encoded in YANG.
> Indeed, this what RFC 8572 describes (in section 5.6 and also in C.3,
> item #3) and the primary motivation behind
> https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-restconf-client-server>
> and
> https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-netconf-client-server>.
Got it.
>> My understanding of
https://tools.ietf.org/html/draft-ietf-netconf-keystore
>> is that it would provided for Registrar initiated (PUSH) updating of
device
>> certificates, but would not provide a way for a device to initiate
(PULL) to
>> a securely identified EST server.
> Sounds correct, but clarifying:
> 1) the current keystore model is all about enabling a controller/NMS
> application to configure/set/push keys and associated end-entity
> certificates to a device.
> 2) there is a suggestion that the keystore model could/should be
> extended to support ACME (or similar), in which case one might claim
> that the device had "pulled" an end-entity certificate from a "securely
> identified server" (dropping the "EST" part).
> 3) the truststore model (draft-ietf-netconf-trust-anchors) can be used
> by a controller/NMS application to configure/set/push trust-anchor
> certs used, e.g., to verify a remote server's end-entity certificate.
But, more interestingly, it can be used to update the trust anchors, to
enable a resale/transfer of ownership!
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
