
Liaison statement
LSout to IETF on “Certificate Management”

Additional information about IETF liaison relationships is available on the IETF webpage and the Internet Architecture Board liaison webpage.
State Posted
Submitted Date 2025-04-24
From Group ETSI-ISG-NFV
From Contact NVF Support
To Groups lamps, rats
To Contacts Ned Smith <ned.smith@intel.com>
Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Russ Housley <housley@vigilsec.com>
Tim Hollebeek <tim.hollebeek@digicert.com>
Cc Limited Additional Mechanisms for PKIX and SMIME Discussion List <spasm@ietf.org>
Remote ATtestation ProcedureS Discussion List <rats@ietf.org>
Russ Housley <housley@vigilsec.com>
Deb Cooley <debcooley1@gmail.com>
Paul Wouters <paul.wouters@aiven.io>
Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Ned Smith <ned.smith@intel.com>
Tim Hollebeek <tim.hollebeek@digicert.com>
Response Contact Yoshihiro Nakjima (ISG Chair) <yoshihiro.nakajima.td@nttdocomo.com>
Deng Hui (ISG Vice-Chair) <denghui12@huawei.com>
Wang Xuliang (ISG Vice-Chair) <wangxl66@chinatelecom.cn>
Ju Manchang (ISG Vice-Chair) <ju.manchang@zte.com.cn>
Hassett Brendan (ISG Technical Manager) <brendan.t.hassett@huawei.com>
Leslie Willis (SEC WG Chair) <leslie.willis@bt.com>
Preda Stere (SEC WG Vice-Chair) <stere.preda@ericsson.com>
Xia Haitao (IFA WG Chair) <xiahaitao@huawei.com>
Kostas Katsalis (IFA WG Vice-Chair) <Katsalis@docomolab-euro.com>
Yuya Kuno (SOL WG Chair & feature prime) <kunoyu@nttdocomo.com>
Li Shitao (SOL WG Vice-Chair) <lishitao@huawei.com>
Purpose For action
Deadline 2025-06-16 Action Needed
Attachments NFV(25)000052r2_LSout_on_ENH01_01_Certificate_Management_to_IETF
Body
1. Overall description:

ETSI ISG NFV has been working on “Certificate Management” and has published the
set of specifications.

The main outcome of the work is ETSI GS NFV-IFA 026, “Network Functions Virtualisation
(NFV) Release 5; Management and Orchestration; Security Architecture
enhancements for NFV Specification”, which introduces the main concept,
architecture, use cases, and requirements, and ETSI GS NFV-IFA 033 “Reference
points related to Security Manager and Certificate Management Function
Interface and Information Model Specification”. Version 5.2.1 of ETSI NFV
IFA026/IFA033 are available at the following location:

• https://www.etsi.org/deliver/etsi_gs/NFV-IFA/001_099/026/05.02.01_60/gs_NFV-IFA026v050201p.pdf
• https://www.etsi.org/deliver/etsi_gs/NFV-IFA/001_099/033/05.02.01_60/gs_NFV-IFA033v050201p.pdf

ISG NFV is working on ETSI GS NFV-SOL 023, “Specification of protocol and data
model solutions for CMF - NFV-MANO reference point”, that introduces the
protocol and data model solutions for CMF - NFV-MANO reference point by use of
a profiling approach against IETF RFC 4210/9480/9483 CMP. One of the options
within IFA026/IFA033/SOL023 is the use of the VNFM (VNF Manager) as a
delegate for certificate request/renewal/revocation (delegation mode). The
proof of ownership may not be available and therefore other concepts of
authentication are being investigated. The following questions have been raised.

• Where the transport for CMPv2 is using HTTP (RFC 6712), which itself is
secured using TLS, could client certificate-based authentication (mTLS) be used
rather than authentication keys? If so, what exact values would be expected for
the “senderKID” parameter? Or can the client skip or put null according to
chapter 3.1 of RFC 9483 for senderKID?

• As described in ETSI GS NFV-IFA026/IFA033, the concepts of “Registration”
and “De-registration” are introduced. ETSI NFV would like to ask or confirm
that CMPv2 has the appropriate concept aligning with end entity registration /
de-registration or whether there are any evolution plans to support similar
kinds of concepts?

• For the consideration of functions of ACME server (RFC 8555), ETSI NFV has
been discussing if the ACME server can be realized as part of CA functionality
or different functions. ETSI NFV would like to ask for thoughts on this matter
and any background information.

2. Actions:

ETSI ISG NFV kindly asks your organization to:
1) provide technical feedback on what exact values would be expected for the
“senderKID” parameter when the transport for CMPv2 is using HTTP (RFC 6712).
2) provide technical feedback on whether CMPv2 has the appropriate concept
aligning with end entity registration / de-registration or whether there are
any evolution plans to support similar kinds of concepts.
3) provide technical feedback on whether the ACME server can be realized as
part of CA functionality or different function.
4) consider the possibility of collaboration on the harmonized and consolidated
certificate related standards among SDOs who are working on e.g.
virtualization-platform for telco industry. ETSI ISG NFV aims to avoid
potential overlapping work and fragmentation of the standards in close
area/aspect of the industry.

3. Date of next meetings of the originator:

16-20 June 2025  NFV#50 plenary                         Shanghai, China

In addition, NFV-IFA WG has weekly decision-making conference calls every
Wednesday, NFV-SEC WG has bi-weekly decision-making conference calls every
Thursday, and NFV-SOL WG has weekly decision-making conference calls every
Thursday.