From b88055328faae1f3b5a2adfb87b220ca1d27c0c5 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Tue, 20 Feb 2024 18:03:57 -0500 Subject: [PATCH 1/6] proposed text from errata 6648 --- dtbootstrap-anima-keyinfra.xml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index 7d2557d..ba81c8f 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml @@ -1738,12 +1738,23 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> Use of TLS 1.3 (or newer) is encouraged. - TLS 1.2 or newer is REQUIRED on the Pledge side. - TLS 1.3 (or newer) SHOULD be available on the Registrar server interface, - and the Registrar client interface, but TLS 1.2 MAY be used. - TLS 1.3 (or newer) SHOULD be available on the MASA server interface, but TLS - 1.2 MAY be used. + TLS 1.2 or newer is REQUIRED on the pledge side. + TLS 1.3 (or newer) SHOULD be available on the registrar server + interface, and the registrar client interface, but TLS 1.2 MAY + be used. + When TLS 1.3 is used the use of Server Name Indicator (SNI, + ) is not required, per section 9.2, this + specification is an application profile specification. + + + A pledge connects to the Registrar using only an IP address and it will + not have any idea of a correct SNI value. + This also implies that the Registrar interface may not be virtual + hosted using SNI. + + Establishment of the BRSKI-EST TLS connection is as specified in EST section 4.1.1 "Bootstrap From c887ece12fd5243cf38cea3cbbda417b6e5637c2 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Wed, 21 Feb 2024 12:16:18 -0500 Subject: [PATCH 2/6] fix typo Co-authored-by: Esko Dijk --- dtbootstrap-anima-keyinfra.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index ba81c8f..268dc2d 100644 --- a/dtbootstrap-anima-keyinfra.xml 
+++ b/dtbootstrap-anima-keyinfra.xml @@ -1742,7 +1742,7 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> TLS 1.3 (or newer) SHOULD be available on the registrar server interface, and the registrar client interface, but TLS 1.2 MAY be used. - When TLS 1.3 is used the use of Server Name Indicator (SNI, + When TLS 1.3 is used the use of Server Name Indication (SNI, ) is not required, per section 9.2, this specification is an application profile specification. From 987e41d387675803cc49bab37fce9ef6874c818f Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Wed, 21 Feb 2024 12:16:54 -0500 Subject: [PATCH 3/6] add missing word Co-authored-by: Esko Dijk --- dtbootstrap-anima-keyinfra.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index 268dc2d..b8a24da 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml @@ -1744,7 +1744,7 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> be used. When TLS 1.3 is used the use of Server Name Indication (SNI, ) is not required, per section 9.2, this + target="RFC8446" /> section 9.2, as this specification is an application profile specification. From dce7ccf6cbaca4ac1dabde3cdec1e80c16772f33 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Wed, 21 Feb 2024 12:17:03 -0500 Subject: [PATCH 4/6] upcase Registrar Co-authored-by: Esko Dijk --- dtbootstrap-anima-keyinfra.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index b8a24da..64e6504 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml 
@@ -1749,7 +1749,7 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> - A pledge connects to the Registrar using only an IP address and it will + A pledge connects to the registrar using only an IP address and it will not have any idea of a correct SNI value. This also implies that the Registrar interface may not be virtual hosted using SNI. From 815339e24cec7317161f7b4a1c62a90ca5213791 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Wed, 21 Feb 2024 12:17:13 -0500 Subject: [PATCH 5/6] upcase registrar Co-authored-by: Esko Dijk --- dtbootstrap-anima-keyinfra.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index 64e6504..de81e9f 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml @@ -1751,7 +1751,7 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> A pledge connects to the registrar using only an IP address and it will not have any idea of a correct SNI value. - This also implies that the Registrar interface may not be virtual + This also implies that the registrar interface MUST NOT be virtual- hosted using SNI. From 09521c71b9b2d9834a2d3335596917df1ac6504d Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Wed, 21 Feb 2024 12:17:32 -0500 Subject: [PATCH 6/6] clarify SNI non-use Co-authored-by: Esko Dijk --- dtbootstrap-anima-keyinfra.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml index de81e9f..860b5d5 100644 --- a/dtbootstrap-anima-keyinfra.xml +++ b/dtbootstrap-anima-keyinfra.xml @@ -1752,7 +1752,7 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]> A pledge connects to the registrar using only an IP address and it will not have any idea of a correct SNI value. This also implies that the registrar interface MUST NOT be virtual- - hosted using SNI. + hosted in such a way that it depends on the SNI being present.
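Review bot (PATCH 1/6): the hunk deletes the two lines "TLS 1.3 (or newer) SHOULD be available on the MASA server interface, but TLS 1.2 MAY be used." and none of the added lines restates a TLS version requirement for the MASA server interface, so that guidance is silently dropped; either restore the sentence after the registrar sentence or say in the commit message that removing it is part of errata 6648. In the added text, "Server Name Indicator" is not the RFC 6066 name (it is Server Name Indication), and "is not required, per section 9.2, this specification is an application profile specification" runs two clauses together; suggest "is not required: Section 9.2 of [RFC8446] lets an application profile specify otherwise, and this specification is such a profile." The new paragraph also mixes "pledge" with "Registrar", and "may not be virtual hosted" is ambiguous between a prohibition and a possibility; if a prohibition is intended, use MUST NOT.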
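Review bot (PATCH 3/6): with the section number left as plain text after the xref ("[RFC8446] section 9.2"), the rendered reference does not link to the section; xml2rfc v3 supports section="9.2" and sectionFormat="of" on the xref element, which renders as "Section 9.2 of [RFC8446]" and keeps the section inside the link.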
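Review bot (PATCH 5/6): this hunk turns a descriptive "may not be virtual" into a normative "MUST NOT be virtual-" under a commit message that only says "upcase registrar"; the message should state that the sentence is being made a requirement, since that is the substantive change. The trailing hyphen in "virtual-" at end of line will render as "virtual- hosted" once the line break collapses to a space; keep "virtual-hosted" on one line or drop the hyphen.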
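Review bot (PATCH 6/6): "This also implies that the registrar interface MUST NOT be virtual-hosted in such a way that it depends on the SNI being present" states a requirement as an implication; suggest stating it directly, e.g. "The registrar interface MUST NOT depend on the server_name extension being present." The preceding sentence only says the pledge "will not have any idea of a correct SNI value", which describes what it knows rather than what it sends; since the pledge connects by IP address, say explicitly that it does not send the server_name extension (RFC 6066 does not permit an IP literal there), so both sides have a testable rule.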