| draft-ietf-acme-dtnnodeid-13.txt | draft-ietf-acme-dtnnodeid-14.txt | |||
|---|---|---|---|---|
| Automated Certificate Management Environment B. Sipos | Automated Certificate Management Environment B. Sipos | |||
| Internet-Draft RKF Engineering | Internet-Draft RKF Engineering | |||
| Intended status: Experimental 21 March 2024 | Intended status: Experimental 25 March 2024 | |||
| Expires: 22 September 2024 | Expires: 26 September 2024 | |||
| Automated Certificate Management Environment (ACME) Delay-Tolerant | Automated Certificate Management Environment (ACME) Delay-Tolerant | |||
| Networking (DTN) Node ID Validation Extension | Networking (DTN) Node ID Validation Extension | |||
| draft-ietf-acme-dtnnodeid-13 | draft-ietf-acme-dtnnodeid-14 | |||
| Abstract | Abstract | |||
| This document specifies an extension to the Automated Certificate | This document specifies an extension to the Automated Certificate | |||
| Management Environment (ACME) protocol which allows an ACME server to | Management Environment (ACME) protocol which allows an ACME server to | |||
| validate the Delay-Tolerant Networking (DTN) Node ID for an ACME | validate the Delay-Tolerant Networking (DTN) Node ID for an ACME | |||
| client. A DTN Node ID is an identifier used in the Bundle Protocol | client. A DTN Node ID is an identifier used in the Bundle Protocol | |||
| (BP) to name a "singleton endpoint", one which is registered on a | (BP) to name a "singleton endpoint", one which is registered on a | |||
| single BP node. The DTN Node ID is encoded as a certificate Subject | single BP node. The DTN Node ID is encoded as a certificate Subject | |||
| Alternative Name (SAN) of type otherName with a name form of | Alternative Name (SAN) of type otherName with a name form of | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 22 September 2024. | This Internet-Draft will expire on 26 September 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 22, line 23 ¶ | skipping to change at page 22, line 23 ¶ | |||
| in an on-path attacker seeing the tokens from past challenges and/or | in an on-path attacker seeing the tokens from past challenges and/or | |||
| responses. | responses. | |||
| It is possible for intermediate BP nodes to encapsulate-and-encrypt | It is possible for intermediate BP nodes to encapsulate-and-encrypt | |||
| Challenge and/or Response Bundles while they traverse untrusted | Challenge and/or Response Bundles while they traverse untrusted | |||
| networks, but that is a DTN configuration matter outside of the scope | networks, but that is a DTN configuration matter outside of the scope | |||
| of this document. | of this document. | |||
| 7.2. Threat: BP Node Impersonation | 7.2. Threat: BP Node Impersonation | |||
| As described in Section 8.1 of [RFC8555], it is possible for an | As described in Section 10.1 of [RFC8555], it is possible for an | |||
| active attacker to alter data on both ACME client channel and the DTN | active attacker to alter data on both ACME client channel and the DTN | |||
| validation channel. | validation channel. | |||
| The primary mitigation is to delegate bundle integrity sourcing to a | The primary mitigation is to delegate bundle integrity sourcing to a | |||
| trusted routing node near, in the sense of bundle routing topology, | trusted routing node near, in the sense of bundle routing topology, | |||
| to the bundle source node as defined in Section 4. This is | to the bundle source node as defined in Section 4. This is | |||
| functionally similar to DKIM signing of [RFC6376] and provides some | functionally similar to DKIM signing of [RFC6376] and provides some | |||
| level of bundle origination. | level of bundle origination. | |||
| Another way to mitigate single-path on-path attacks is to attempt | Another way to mitigate single-path on-path attacks is to attempt | |||
| End of changes. 4 change blocks. | ||||
| 5 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||