From 43f7ccb729373c000296deec8c6612ae1efd5348 Mon Sep 17 00:00:00 2001 From: Brian Sipos Date: Sun, 11 Sep 2022 21:48:53 -0400 Subject: [PATCH] Added asides for different experimental aspects --- .cproject | 110 ++--------------------------- .project | 17 +---- spec/dictionary.txt | 17 +++-- spec/draft-ietf-acme-dtnnodeid.xml | 21 ++++-- 4 files changed, 32 insertions(+), 133 deletions(-) diff --git a/.cproject b/.cproject index a5e587b..c4f16b0 100644 --- a/.cproject +++ b/.cproject @@ -3,128 +3,28 @@ - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/.project b/.project index ffeec27..3122c39 100644 --- a/.project +++ b/.project @@ -5,31 +5,16 @@ - - org.eclipse.cdt.managedbuilder.core.genmakebuilder - clean,full,incremental, - - - org.eclipse.cdt.core.cBuilder clean,full,incremental, - - org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder - full,incremental, - - - - org.eclipse.cdt.cmake.core.cmakeNature - org.python.pydev.pythonNature org.eclipse.cdt.core.cnature org.eclipse.cdt.core.ccnature - org.eclipse.cdt.managedbuilder.core.managedBuildNature - org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + org.eclipse.cdt.cmake.core.cmakeNature diff --git a/spec/dictionary.txt b/spec/dictionary.txt index 443109a..b441987 100644 --- a/spec/dictionary.txt +++ b/spec/dictionary.txt @@ -7,17 +7,19 @@ BCB BCP BP BPbis -BPSec BPSEC +BPSec BPv bstr bundleEID bundleSecurity +CAs CBOR -cddl CDDL +cddl chal correlator +COSE CRC CRLs cryptographic @@ -27,10 +29,10 @@ dereference digitalSignature disambiguating DKIM -dns DNS -dtn +dns DTN +dtn EID extensionRequest FIPS @@ -38,6 +40,7 @@ HTTPS IANA IETF incorrectResponse +interoperable ip ipn JSON @@ -60,8 +63,8 @@ POSTs pre rejectedIdentifier RKF -rtt RTT +rtt SHA SHS SMI 
@@ -73,10 +76,10 @@ unicast
 unicode
 uniformResourceIdentifier
 untrusted
-uri
 URI
+uri
 URIs
 url
 Wireshark
 xFFFF
-XPath
+XPath
\ No newline at end of file
diff --git a/spec/draft-ietf-acme-dtnnodeid.xml b/spec/draft-ietf-acme-dtnnodeid.xml
index 89a5444..68cbd0f 100644
--- a/spec/draft-ietf-acme-dtnnodeid.xml
+++ b/spec/draft-ietf-acme-dtnnodeid.xml
@@ -53,11 +53,11 @@ Once an ACME server validates a Node ID, either as a pre-authorization of the "b
 Because a single order can contain multiple identifiers of multiple types, there can be operational issues for a client attempting to, and possibly failing to, validate those multiple identifiers as described in . Once a certificate is issued for a Node ID, how the ACME client configures the Bundle Protocol (BP) agent with the new certificate is an implementation matter. - +
Scope
@@ -511,7 +511,7 @@ See for additional information on randomness requiremen
 One pair SHALL consist of key 4 with value of an array containing acceptable hash algorithm identifiers. The array SHALL be ordered in descending preference, with the first item being the most preferred. The array SHALL contain at least one item.
-Each algorithim identifier SHALL correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registry of .
+Each algorithm identifier SHALL correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registry of .
@@ -601,7 +601,7 @@ One pair SHALL consist of key 2 with value of ACME challenge
  • One pair SHALL consist of key 3 with value of a two-element array containing the pair of a hash algorithm identifier and the hash byte string.
-The algorithim identifier SHALL correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registry of .
+The algorithm identifier SHALL correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registry of .
  • @@ -652,9 +652,15 @@ The lack of a response within the expected response interval, as defined in Multi-Perspective Validation -To avoid possible on-path attacks in certain networks, an ACME server can perform a single validation using multiple challenge bundle sources or via multiple routing paths. +To avoid on-path attacks in certain networks, an ACME server can perform a single validation using multiple challenge bundle sources or via multiple routing paths. This technique is called multi-perspective validation as recommended in and an implementation used by Let's Encrypt is described in . + When required by policy, an ACME server SHALL send multiple challenge bundles from different sources in the DTN network. When multiple Challenge Bundles are sent for a single validation, it is a matter of ACME server policy to determine whether or not the validation as a whole is successful. @@ -678,6 +684,11 @@ In this mechanism a routing node in a DTN sub-network attests to the origination The bundle receiver then need not trust the source of the bundle, but only trust this security source node. The receiver needs policy configuration to know which security sources are permitted to attest for which bundle sources. + An integrity gateway SHALL validate the Source Node ID of a bundle, using local-network-specific means, before adding a BIB to the bundle. The exact means by which an integrity gateway validates a bundle's source is network-specific, but could use physical-layer, network-layer or BP-convergence-layer authentication.