anima-wg / anima-brski-ae

BRSKI with alternative enrollments

Additions for introduction (agent-signed-data) #31

Closed stfries closed 1 year ago

stfries commented 1 year ago

Proposal from Toerless to justify the usage of agent-signed-data.

BRSKI-PRM enhances the enrollment message flow so that the registrar will cryptographically know which registrar-agent was performing the BRSKI-PRM message passing with the pledge. Network operations may choose not to be interested in which registrar-agent performed this operation. In this case, BRSKI-PRM achieves similar secure enrollment properties as BRSKI, with the difference that this is not achieved via a secure TLS connection but via forwarding of signed message objects. On the other hand, if the registrar does choose to take the registrar-agent information that is tracked by BRSKI-PRM into account, then this can provide additional security validations that are not achievable in BRSKI through cryptographic means alone.

In one (likely common) example, the registrar-agent is an application on some mobile device (notebook, tablet, phone) of a trusted installer person who first verifies the presence and correct physical installation (location and any other properties) of the pledge before initiating enrollment of the pledge via simple clicks on the registrar-agent application. Later, software on the registrar can therefore take the execution of those physical installation steps as granted because it can verify the identity of the installer/registrar-agent through the BRSKI-PRM agent-signed-data. In contrast, with BRSKI no trusted installer had to be on location (which often may be a benefit), but in return, not only could many aspects of the installation be performed incorrectly and there is no accountability for who was responsible for verifying the installation, but it would also be easily possible for a pledge to be enrolled that was not even physically present at the location of the BRSKI join-proxy network; instead the pledge could be at a remote attacker's location and only a remote layer 2 bridge would be at the target installation location. While this attack by itself cannot be excluded by the mechanisms of BRSKI-PRM alone, the tracking of the registrar-agent makes it possible to create more accountability for verification of the physical installation.

In summary, BRSKI-PRM utilizes the need for support of nomadic network connectivity of a pledge to also support identification of the registrar-agent that was performing the enrollment, and therefore allows tying the cryptographic BRSKI-PRM messaging to other workflows performed during installation as well as allowing for accountability of the pledge's installation.
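The mechanism the proposal relies on, a signed object that is forwarded over an untrusted path and lets the registrar attribute the enrollment to one specific registrar-agent, as an added illustration that is not part of this issue, of the draft, or of the project's code. It uses a plain Ed25519 detached signature over a small JSON object; the real BRSKI-PRM agent-signed-data is a JWS with its own field names, so the `AgentSignedData` fields, the `agent-id` lookup and the trusted-agent table are assumptions of this example only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgentSignedData is a simplified stand-in for agent-signed-data.
// The field names are assumptions for this example, not the draft's encoding.
type AgentSignedData struct {
	AgentID      string `json:"agent-id"`
	PledgeSerial string `json:"serial-number"`
	CreatedOn    string `json:"created-on"`
}

// SignedObject is what the pledge / join-proxy forwards unchanged. The registrar
// verifies Signature over exactly the Payload bytes it received, so nothing on
// the path (no TLS needed) can alter the content without being detected.
type SignedObject struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrUnknownAgent = errors.New("agent-signed-data: agent not trusted by this registrar")
	ErrBadSignature = errors.New("agent-signed-data: signature does not verify")
)

// Registrar holds the registrar-agents the operator trusts, keyed by agent
// identity (assumption: a deployment would derive this from agent certificates).
type Registrar struct {
	trusted map[string]ed25519.PublicKey
}

func NewRegistrar() *Registrar { return &Registrar{trusted: map[string]ed25519.PublicKey{}} }

func (r *Registrar) TrustAgent(id string, pub ed25519.PublicKey) { r.trusted[id] = pub }

// GenerateAgentKey creates the key pair of one registrar-agent (installer app).
func GenerateAgentKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// AgentSign is the step the installer's app performs after the physical checks:
// it commits, under its own key, to which pledge it enrolled and when.
func AgentSign(priv ed25519.PrivateKey, d AgentSignedData) (SignedObject, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return SignedObject{}, err
	}
	return SignedObject{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify returns the agent-signed-data only if a trusted agent signed it.
// The agent-id inside the payload is read first but only believed once the
// signature verifies under that agent's key; a stranger claiming a trusted
// agent-id therefore fails the signature check, not just the lookup.
func (r *Registrar) Verify(obj SignedObject) (AgentSignedData, error) {
	var d AgentSignedData
	if err := json.Unmarshal(obj.Payload, &d); err != nil {
		return AgentSignedData{}, err
	}
	pub, ok := r.trusted[d.AgentID]
	if !ok {
		return AgentSignedData{}, ErrUnknownAgent
	}
	if !ed25519.Verify(pub, obj.Payload, obj.Signature) {
		return AgentSignedData{}, ErrBadSignature
	}
	return d, nil
}

// Tamper simulates an on-path attacker rewriting the forwarded object so that a
// different pledge serial gets attributed to the same installer.
func Tamper(obj SignedObject, oldSerial, newSerial string) SignedObject {
	return SignedObject{
		Payload:   bytes.ReplaceAll(obj.Payload, []byte(oldSerial), []byte(newSerial)),
		Signature: obj.Signature,
	}
}

func main() {
	pub, priv, _ := GenerateAgentKey()
	reg := NewRegistrar()
	reg.TrustAgent("installer-alice", pub) // constructed sample identity

	obj, _ := AgentSign(priv, AgentSignedData{AgentID: "installer-alice",
		PledgeSerial: "PLEDGE-0001", CreatedOn: time.Now().UTC().Format(time.RFC3339)})
	d, err := reg.Verify(obj)
	fmt.Println("genuine:", d.AgentID, d.PledgeSerial, err)

	_, err = reg.Verify(Tamper(obj, "PLEDGE-0001", "PLEDGE-EVIL"))
	fmt.Println("tampered on path:", err)

	_, priv2, _ := GenerateAgentKey() // an untrusted party reusing Alice's agent-id
	obj2, _ := AgentSign(priv2, AgentSignedData{AgentID: "installer-alice",
		PledgeSerial: "PLEDGE-0002", CreatedOn: "2024-01-01T00:00:00Z"})
	_, err = reg.Verify(obj2)
	fmt.Println("impersonation:", err)
}
```

The accountability the proposal talks about is the `AgentID` that `Verify` hands back: the registrar can log it next to the pledge serial, and only a holder of that agent's private key could have produced it. What the example does not (and, as the proposal says, BRSKI-PRM alone does not) prove is that the pledge named in the object was physically where the installer stood; it only pins down which installer vouched for it.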

stfries commented 1 year ago

moved to BRSKI-PRM

stfries commented 1 year ago

wrong document, moved to BRSKI-PRM