minor tuning after a light russ pass

This commit is contained in:
Randy Bush 2019-04-19 15:21:31 -07:00
parent a33b485227
commit bc74ab76a8

@ -58,12 +58,11 @@
<abstract>
<t>The Layer 3 Discovery and Liveness protocol provides for the OPEN
PDU to contain a key which can be used to verify signatures on
subsequent PDUs. This document describes two mechanisms based on
digital signatures, one that is Trust On First Use (TOFU), and one
that uses certificates to provide authentication as well as session
integrity.</t>
<t>The Layer 3 Discovery and Liveness protocol OPEN PDU contains a
key which can be used to verify signatures on subsequent PDUs. This
document describes two mechanisms based on digital signatures, one
that is Trust On First Use (TOFU), and one that uses certificates to
provide authentication as well as session integrity.</t>
</abstract>
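Review bot: the abstract still implies, rather than states, the security difference between the two methods; "one that uses certificates to provide authentication as well as session integrity" leaves the reader to infer that TOFU gives session integrity only. Say so directly, e.g. "one that is Trust On First Use (TOFU) and provides session integrity only, and one that uses certificates to provide authentication as well as session integrity." The abstract also says the OPEN PDU carries "a key" while the Introduction says it carries "an algorithm specifier and a key"; align the two.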
@ -84,36 +83,40 @@
<section anchor="intro" title="Introduction">
<t>The Layer 3 Discovery and Liveness protocol [old ref because new
draft not yet pushed] <xref target="I-D.ietf-lsvr-lsoe"/> provides
for the OPEN PDU to contain an algorithm specifier and a key which
can be used to verify signatures on subsequent PDUs. This document
describes two methods of key generation and signing for use by L3DL,
Trust On First Use (TOFU) and a PKI-based mechanism to provide
authentication as well as session integrity.</t>
<t>To the receiver, the two methods are indistinguishable, the key
provided in the OPEN PDU is used to verify the signatures on the
subsequent PDUs. The difference is how that key is generated.</t>
<t>In the TOFU method the OPEN key is believed without question and
is used to verify all subsequent PDUs from the same peer with the
same Key Type.</t>
<t>With the PKI-mechanism, an enrollment step is performed. The
public key and an identifier of the subject are put into a
certificate, which is signed by the trust anchor. In this way, the
relying party can be confident that the public key is under control
of the identified L3DL protocol entity.</t>
<t>In the PKI method the OPEN key MUST be verified against the trust
anchor for the operational domain. It is then used to verify all
subsequent PDUs from the same peer with the same Key Type.</t>
draft not yet pushed] <xref target="I-D.ietf-lsvr-lsoe"/> OPEN PDU
contains an algorithm specifier and a key which can be used to
verify signatures on subsequent PDUs. This document describes two
methods of key generation and signing for use by L3DL, Trust On
First Use (TOFU) and a PKI-based mechanism to provide authentication
as well as session integrity.</t>
<t>The Key in the OPEN PDU SHOULD be the public key of an asymmetric
key pair. The sender signs with the private key, of course. The
device sending the OPEN may use one key for all links, a different
key for each link, or some aggregation(s) thereof.</t>
<t>In the TOFU method the OPEN key is generated on the sending
device, believed without question by the receiver, and used to
verify all subsequent PDUs from the same sender with the same Key
Type.</t>
<t>With the PKI-mechanism, an enrollment step is performed. The
public key and an identifier of the subject are put into a
certificate, which is signed by the the operational environment's
trust anchor. In this way, the relying party can be confident that
the public key is under control of the identified L3DL protocol
entity.</t>
<t>To the receiver verifying signatures on PDUs, the two methods are
indistinguishable; the key provided in the OPEN PDU is used to
verify the signatures of subsequent PDUs. The difference that
PKI-based keys may be verified against the trust anchor when the
OPEN PDU is received.</t>
<t>In the PKI method the OPEN key MUST be verified against the trust
anchor for the operational domain. It is then used to verify all
subsequent PDUs from the same peer with the same Key Type.</t>
</section>
<section anchor="tofu" title="Trust On First Use Method">
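Review bot: the new paragraph "The difference that PKI-based keys may be verified against the trust anchor when the OPEN PDU is received" is missing its verb ("The difference is that") and, more importantly, contradicts the paragraph right after it, "In the PKI method the OPEN key MUST be verified against the trust anchor"; keep the MUST and reword the earlier sentence to "PKI-based keys are verified against the trust anchor when the OPEN PDU is received". In the same hunk, "The Key in the OPEN PDU SHOULD be the public key of an asymmetric key pair" leaves open sending some other kind of key in the OPEN, which goes over the link in the clear; if that is not intended, make it MUST, otherwise state the exception. Smaller points: "signed by the the operational environment's trust anchor" has a doubled "the", "The sender signs with the private key, of course." is out of register for a draft, and the "[old ref because new draft not yet pushed]" note is still in the text and needs to be removed once the reference is updated.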