This new version contains a "bag of changes":

* Clarify use of x5bag for storing signing chain and Registrar removes 
unprotected x5bag/x5chain 
* Clarify how RPK is used with above x5bag, with self-signed "placeholder" 
certificate.  Also added details of how a Registrar can validate the RPK 
(voucher validation by the Registrar is optional in BRSKI).
* Merged the very similar BRSKI-MASA security considerations sections.  
* To avoid needless variation, require CBOR format for Pledge's/EST-client's 
telemetry.  
* Removed figure captions from code examples for consistency.  
* Add base resource type (rt) for "ace.est" and related terminology.    
* Update IEEE 802.1AR reference to the more recent 2018 version.  
* Editorial updates.

The diff shows the differences well:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-constrained-voucher-27

In the draft itself, Section 17 points to the details with Github issue/PR 
numbers.

Esko

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org> 
Sent: Monday, 3 March 2025 23:04
To: i-d-annou...@ietf.org
Cc: anima@ietf.org
Subject: [Anima] I-D Action: draft-ietf-anima-constrained-voucher-27.txt

Internet-Draft draft-ietf-anima-constrained-voucher-27.txt is now available.
It is a work item of the Autonomic Networking Integrated Model and Approach
(ANIMA) WG of the IETF.

   Title:   Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI)
   Authors: Michael Richardson
            Peter van der Stok
            Panos Kampanakis
            Esko Dijk
   Name:    draft-ietf-anima-constrained-voucher-27.txt
   Pages:   91
   Dates:   2025-03-03

Abstract:

   This document defines the Constrained Bootstrapping Remote Secure Key
   Infrastructure (cBRSKI) protocol, which provides a solution for
   secure zero-touch onboarding of resource-constrained (IoT) devices
   into the network of a domain owner.  This protocol is designed for
   constrained networks, which may have limited data throughput or may
   experience frequent packet loss. cBRSKI is a variant of the BRSKI
   protocol, which uses an artifact signed by the device manufacturer
   called the "voucher" which enables a new device and the owner's
   network to mutually authenticate.  While the BRSKI voucher data is
   encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher.  The
   BRSKI voucher data definition is extended with new data types that
   allow for smaller voucher sizes.  The Enrollment over Secure
   Transport (EST) protocol, used in BRSKI, is replaced with EST-over-
   CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP
   (CoAPS).  This document Updates RFC 8995 and RFC 9148.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-anima-constrained-voucher/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-anima-constrained-voucher-27.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-constrained-voucher-27

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
Anima mailing list -- anima@ietf.org
To unsubscribe send an email to anima-le...@ietf.org