From bc74ab76a8f760724d2a566176823c0a50e7c1e5 Mon Sep 17 00:00:00 2001 From: Randy Bush Date: Fri, 19 Apr 2019 15:21:31 -0700 Subject: [PATCH] minor tuning after a light russ pass --- draft-ymbk-lsvr-l3dl-signing.xml | 65 +++++++++++++++++--------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/draft-ymbk-lsvr-l3dl-signing.xml b/draft-ymbk-lsvr-l3dl-signing.xml index 534ad21..510e032 100644 --- a/draft-ymbk-lsvr-l3dl-signing.xml +++ b/draft-ymbk-lsvr-l3dl-signing.xml @@ -58,12 +58,11 @@ - The Layer 3 Discovery and Liveness protocol provides for the OPEN - PDU to contain a key which can be used to verify signatures on - subsequent PDUs. This document describes two mechanisms based on - digital signatures, one that is Trust On First Use (TOFU), and one - that uses certificates to provide authentication as well as session - integrity. + The Layer 3 Discovery and Liveness protocol OPEN PDU contains a + key which can be used to verify signatures on subsequent PDUs. This + document describes two mechanisms based on digital signatures, one + that is Trust On First Use (TOFU), and one that uses certificates to + provide authentication as well as session integrity. @@ -84,36 +83,40 @@
The Layer 3 Discovery and Liveness protocol [old ref because new - draft not yet pushed] provides - for the OPEN PDU to contain an algorithm specifier and a key which - can be used to verify signatures on subsequent PDUs. This document - describes two methods of key generation and signing for use by L3DL, - Trust On First Use (TOFU) and a PKI-based mechanism to provide - authentication as well as session integrity. - - To the receiver, the two methods are indistinguishable, the key - provided in the OPEN PDU is used to verify the signatures on the - subsequent PDUs. The difference is how that key is generated. - - In the TOFU method the OPEN key is believed without question and - is used to verify all subsequent PDUs from the same peer with the - same Key Type. - - With the PKI-mechanism, an enrollment step is performed. The - public key and an identifier of the subject are put into a - certificate, which is signed by the trust anchor. In this way, the - relying party can be confident that the public key is under control - of the identified L3DL protocol entity. - - In the PKI method the OPEN key MUST be verified against the trust - anchor for the operational domain. It is then used to verify all - subsequent PDUs from the same peer with the same Key Type. - + draft not yet pushed] OPEN PDU + contains an algorithm specifier and a key which can be used to + verify signatures on subsequent PDUs. This document describes two + methods of key generation and signing for use by L3DL, Trust On + First Use (TOFU) and a PKI-based mechanism to provide authentication + as well as session integrity. + The Key in the OPEN PDU SHOULD be the public key of an asymmetric key pair. The sender signs with the private key, of course. The device sending the OPEN may use one key for all links, a different key for each link, or some aggregation(s) thereof. 
+ In the TOFU method the OPEN key is generated on the sending + device, believed without question by the receiver, and used to + verify all subsequent PDUs from the same sender with the same Key + Type. + + With the PKI-mechanism, an enrollment step is performed. The + public key and an identifier of the subject are put into a + certificate, which is signed by the the operational environment's + trust anchor. In this way, the relying party can be confident that + the public key is under control of the identified L3DL protocol + entity. + + To the receiver verifying signatures on PDUs, the two methods are + indistinguishable; the key provided in the OPEN PDU is used to + verify the signatures of subsequent PDUs. The difference that + PKI-based keys may be verified against the trust anchor when the + OPEN PDU is received. + + In the PKI method the OPEN key MUST be verified against the trust + anchor for the operational domain. It is then used to verify all + subsequent PDUs from the same peer with the same Key Type. +
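Review bot: In the first hunk (abstract), the rewritten sentence says the OPEN PDU "contains a key", while the introduction hunk below says it "contains an algorithm specifier and a key"; the abstract should name both so a reader knows the key is always bound to an algorithm, e.g. "OPEN PDU contains an algorithm specifier and a key which can be used to verify signatures on subsequent PDUs."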
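Review bot: In the second hunk, the "To the receiver verifying signatures" paragraph says PKI-based keys "may be verified against the trust anchor", but the following paragraph says the OPEN key "MUST be verified against the trust anchor"; the weaker wording reads as making the check optional, so it should be "are verified" (or "MUST be verified") to match. The same sentence is also missing a verb: "The difference that PKI-based keys ..." should read "The difference is that PKI-based keys ...". Two smaller points in the same hunk: "signed by the the operational environment's trust anchor" has a doubled "the", and the TOFU paragraph says "from the same sender" while the PKI paragraph says "from the same peer"; pick one term. Finally, the "[old ref because new draft not yet pushed]" marker survives the rewrite and will need to be replaced with the actual reference before the draft is submitted.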