Proof of Possession to Devices for Onboarding
draft-lear-brski-pop-00

Document Type: Active Internet-Draft (individual)
Last updated: 2018-10-20
Intended RFC status: (None)
Yang Validation: 0 errors, 0 warnings.
Yang catalog entry: ietf-brski-possession@2018-10-11.yang
IESG state: I-D Exists
Network Working Group                                            E. Lear
Internet-Draft                                                  O. Friel
Intended status: Standards Track                           Cisco Systems
Expires: April 23, 2019                                 October 20, 2018

             Proof of Possession to Devices for Onboarding
                        draft-lear-brski-pop-00

Abstract

   This memo specifies a RESTful interface for local deployments to
   demonstrate proof of possession to a device or to a manufacturer
   authorized signing authority (MASA).  This covers the case where a
   MASA would not otherwise have knowledge of where a device is
   deployed, or when a MASA may not be required.  Such knowledge is
   important to onboard certain classes of devices, such as those on
   IEEE 802.11 networks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 23, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Lear & Friel             Expires April 23, 2019                 [Page 1]
Internet-Draft             Proof of Possession              October 2018

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  The Yang Model  . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   7.  Changes from Earlier Versions . . . . . . . . . . . . . . . .   7
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   [I-D.ietf-anima-bootstrapping-keyinfra] (BRSKI) specifies a means to
   provision a device with credentials that it then uses to access
   networks operationally.  In the initial model, the manufacturer
   authorized signing authority (MASA) is assumed either to know whether
   a device is intended to be provisioned on a particular network, or
   simply to sign all requests.  The knowledge needed for the first case
   is not always easy to come by, yet it is particularly useful when a
   device must choose which of several networks to join.  Such is the
   case with IEEE 802.11 networks, for example.

   Absent that knowledge, should a MASA automatically issue a voucher,
   the device may onboard to the first BRSKI-aware network, which may
   well be the wrong one.

   In addition, some manufacturers may prefer not to require the
   existence of a MASA.  In these circumstances proof of possession to
   the device is required.

   This memo specifies a RESTful request that devices and registrars
   employ as an alternative to [I-D.ietf-anima-bootstrapping-keyinfra],
   in which additional optional objects may be specified.  Three new
   objects are defined:

   1.  A simple binary claim that the registrar administrator knows this
       device belongs on the particular deployment network.  This
       object should be conveyed from the registrar to the MASA.

   2.  A cryptographic claim to the same effect.  This would typically
       be a scanned label, or information received as part of a bill of
       materials, that carries signed evidence of delivery of the end
       device to the deployment.  This option may be conveyed from the
       registrar to the MASA, or, when the MASA needn't be contacted,
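   The following is an added illustration, not code from this draft or
   from any BRSKI implementation, of how a MASA can act on the two
   objects above: it signs a voucher only when it holds evidence that
   this device was delivered to the requesting deployment, and refuses
   otherwise, so that a device cannot be handed to the first BRSKI-aware
   network it happens to see.  Everything here is assumed for the
   example: the field names (serial-number, deployment-id) are not the
   draft's YANG model; Ed25519 stands in for whatever signature the
   label or bill of materials actually carries; the registrar identity
   in the request is taken to have been authenticated already (in
   practice by the TLS client certificate); and the voucher is a plain
   string rather than a signed artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DeliveryEvidence is a hypothetical record that the manufacturer's shipping
// system signs when a device is delivered to a particular deployment. The
// field names are this example's own, not the draft's YANG model.
type DeliveryEvidence struct {
	SerialNumber string `json:"serial-number"`
	DeploymentID string `json:"deployment-id"`
}

// SignedEvidence is the evidence plus the shipping system's Ed25519 signature
// over its canonical JSON encoding (stand-in for the real label/BOM signature).
type SignedEvidence struct {
	Evidence  DeliveryEvidence
	Signature []byte
}

// VoucherRequest models what a registrar sends to the MASA. AdminClaim is the
// draft's first object (a bare assertion by the registrar administrator) and
// Evidence is the second (signed proof of delivery). Both are optional.
type VoucherRequest struct {
	SerialNumber string
	RegistrarID  string // assumed already authenticated, e.g. via TLS client cert
	AdminClaim   bool
	Evidence     *SignedEvidence
}

// MASA holds the shipping system's public key and one policy knob: when
// RequireEvidence is set, an administrator's bare claim is not enough.
type MASA struct {
	ShippingPub     ed25519.PublicKey
	RequireEvidence bool
}

var ErrNoPossession = errors.New("no acceptable proof of possession; voucher refused")

// NewShippingKeys generates the key pair the shipping system signs with.
func NewShippingKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical gives the bytes that are signed and verified. json.Marshal of a
// struct with only string fields is deterministic and cannot fail.
func canonical(ev DeliveryEvidence) []byte {
	b, _ := json.Marshal(ev)
	return b
}

// SignEvidence is what the shipping system does at delivery time.
func SignEvidence(priv ed25519.PrivateKey, ev DeliveryEvidence) *SignedEvidence {
	return &SignedEvidence{Evidence: ev, Signature: ed25519.Sign(priv, canonical(ev))}
}

// Issue decides whether the MASA may sign a voucher binding the device to the
// requesting registrar. The evidence must verify AND name both this device
// and this deployment; otherwise a registrar on the wrong network could replay
// someone else's delivery record.
func (m MASA) Issue(req VoucherRequest) (string, error) {
	if req.Evidence != nil {
		ev := req.Evidence.Evidence
		if !ed25519.Verify(m.ShippingPub, canonical(ev), req.Evidence.Signature) {
			return "", fmt.Errorf("delivery evidence: bad signature: %w", ErrNoPossession)
		}
		if ev.SerialNumber != req.SerialNumber {
			return "", fmt.Errorf("evidence is for %q, request is for %q: %w", ev.SerialNumber, req.SerialNumber, ErrNoPossession)
		}
		if ev.DeploymentID != req.RegistrarID {
			return "", fmt.Errorf("device was delivered to %q, not %q: %w", ev.DeploymentID, req.RegistrarID, ErrNoPossession)
		}
		return voucher(req), nil
	}
	if req.AdminClaim && !m.RequireEvidence {
		return voucher(req), nil // lower assurance: trusts the administrator's word
	}
	return "", ErrNoPossession
}

// voucher is a stand-in for a signed voucher pinning the registrar identity.
func voucher(req VoucherRequest) string {
	return fmt.Sprintf("voucher{serial=%s,pinned-registrar=%s}", req.SerialNumber, req.RegistrarID)
}

func main() {
	pub, priv, err := NewShippingKeys()
	if err != nil {
		panic(err)
	}
	masa := MASA{ShippingPub: pub, RequireEvidence: true}
	// Constructed sample: SN-0001 was shipped to registrar.example.net.
	ev := SignEvidence(priv, DeliveryEvidence{SerialNumber: "SN-0001", DeploymentID: "registrar.example.net"})
	for _, reg := range []string{"registrar.example.net", "rogue.example.net"} {
		v, err := masa.Issue(VoucherRequest{SerialNumber: "SN-0001", RegistrarID: reg, Evidence: ev})
		fmt.Printf("%s -> %q (err: %v)\n", reg, v, err)
	}
}
```

   The check that matters is the comparison of the evidence's
   deployment identifier against the authenticated registrar identity:
   a valid signature alone only proves the record is genuine, not that
   the party presenting it is the deployment the device was shipped to.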