draft-ietf-acme-dtnnodeid-13.txt | draft-ietf-acme-dtnnodeid-14.txt
---|---
Automated Certificate Management Environment B. Sipos | Automated Certificate Management Environment B. Sipos
Internet-Draft RKF Engineering | Internet-Draft RKF Engineering
Intended status: Experimental 21 March 2024 | Intended status: Experimental 25 March 2024
Expires: 22 September 2024 | Expires: 26 September 2024
Automated Certificate Management Environment (ACME) Delay-Tolerant | Automated Certificate Management Environment (ACME) Delay-Tolerant
Networking (DTN) Node ID Validation Extension | Networking (DTN) Node ID Validation Extension
draft-ietf-acme-dtnnodeid-13 | draft-ietf-acme-dtnnodeid-14
Abstract | Abstract
This document specifies an extension to the Automated Certificate | This document specifies an extension to the Automated Certificate
Management Environment (ACME) protocol which allows an ACME server to | Management Environment (ACME) protocol which allows an ACME server to
validate the Delay-Tolerant Networking (DTN) Node ID for an ACME | validate the Delay-Tolerant Networking (DTN) Node ID for an ACME
client. A DTN Node ID is an identifier used in the Bundle Protocol | client. A DTN Node ID is an identifier used in the Bundle Protocol
(BP) to name a "singleton endpoint", one which is registered on a | (BP) to name a "singleton endpoint", one which is registered on a
single BP node. The DTN Node ID is encoded as a certificate Subject | single BP node. The DTN Node ID is encoded as a certificate Subject
Alternative Name (SAN) of type otherName with a name form of | Alternative Name (SAN) of type otherName with a name form of
skipping to change at page 1, line 38 | skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress."
This Internet-Draft will expire on 22 September 2024. | This Internet-Draft will expire on 26 September 2024.
Copyright Notice | Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. | document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights
skipping to change at page 22, line 23 | skipping to change at page 22, line 23
in an on-path attacker seeing the tokens from past challenges and/or | in an on-path attacker seeing the tokens from past challenges and/or
responses. | responses.
It is possible for intermediate BP nodes to encapsulate-and-encrypt | It is possible for intermediate BP nodes to encapsulate-and-encrypt
Challenge and/or Response Bundles while they traverse untrusted | Challenge and/or Response Bundles while they traverse untrusted
networks, but that is a DTN configuration matter outside of the scope | networks, but that is a DTN configuration matter outside of the scope
of this document. | of this document.
7.2. Threat: BP Node Impersonation | 7.2. Threat: BP Node Impersonation
As described in Section 8.1 of [RFC8555], it is possible for an | As described in Section 10.1 of [RFC8555], it is possible for an
active attacker to alter data on both ACME client channel and the DTN | active attacker to alter data on both ACME client channel and the DTN
validation channel. | validation channel.
The primary mitigation is to delegate bundle integrity sourcing to a | The primary mitigation is to delegate bundle integrity sourcing to a
trusted routing node near, in the sense of bundle routing topology, | trusted routing node near, in the sense of bundle routing topology,
to the bundle source node as defined in Section 4. This is | to the bundle source node as defined in Section 4. This is
functionally similar to DKIM signing of [RFC6376] and provides some | functionally similar to DKIM signing of [RFC6376] and provides some
level of bundle origination. | level of bundle origination.
Another way to mitigate single-path on-path attacks is to attempt | Another way to mitigate single-path on-path attacks is to attempt
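Review bot: in the sentence touched by the Section 8.1 to Section 10.1 reference change, "alter data on both ACME client channel and the DTN validation channel" is missing an article and should read "on both the ACME client channel and the DTN validation channel"; since this line is already being edited in -14, it is a cheap fix to fold into the same change.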
End of changes. 4 change blocks.
5 lines changed or deleted, 5 lines changed or added.
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/