Number of slides: 12

Slide 1: SEC-2017-0103 Triggers for MEF Enrolment Exchange Procedures
Group Name: WG4 SEC#29.2
Source: Wolfgang Granzow, Qualcomm Inc, wgranzow@qti.qualcomm.com; Phil Hawkes, Qualcomm Inc, phawkes@qti.qualcomm.com
Meeting Date: 2017-07-05

Slide 2: Enrolment Exchange in RSPF
See clause 8.3.1.2 of TS-0003
• MEF Client Registration
• MEF Key Registration
• Certificate Provisioning
• Device Configuration

Slide 3: Enrolment Exchange Procedure Types (table: Procedure Type / Uses / Purpose / Frequency)

MEF Client Registration
  Uses: CRUD procedures on the resource defined in TS-0032
  Purpose: maintaining the MEF Client's registration on the MEF
  Frequency: a few times per administrating stakeholder
MEF Key Registration
  Uses: CRUD procedures on the resource defined in TS-0032
  Purpose: distribution of symmetric keys via MEF
  Frequency: for each new [registration] or [dataCollection] resource
Certificate Provisioning
  Uses: EST, SCEP
  Purpose: submitting Certificate Signing Requests (CSRs) with MEF Client signature providing "proof of possession"
  Frequency: initially and on cert expiry
Device Configuration
  Uses: DM procedures defined in TS-0022
  Purpose: [authenticationProfile] for mutual authentication; [trustAnchorCred] for trust anchor CA cert; [MAF/MEFClientRegCfg] providing MAF/MEF FQDN, Admin stakeholder FQDN, port nums
  Frequency: for each new [registration] or [dataCollection]

© 2017 oneM2M Partners

Slide 4: Problems in the current design
• Problem 1: Each Enrolment Exchange procedure type starts with a request from the MEF Client. The MEF Client needs to know which procedure it is intended to start with
  – Sometimes cert provisioning is needed, sometimes not
  – Cert provisioning, if needed, comes before device configuration
• "Off-the-shelf" devices should not have to rely on a preconfigured sequence of procedures
  – First procedure can be preconfigured
  – Can't predict deployment scenarios
  – Sequence may need to change in real time
• Problem 2: Security MO nodes/resources in TS-0022 imply additional processing on MEF Client
  – See next slide

Slide 5: Additional processing for MO nodes (table: Resource/Node / SUID / Additional processing on MEF Client)

[authenticationProfile], SUID "1*" (pre-provisioned symmetric key): associate the symmKey with the MO node by matching symmKeyID
[authenticationProfile], SUID "2*"/"3*" (symmetric key established by MEF/MAF): TS-0032 MAF/MEF Key Registration establishes keyValue and relativeKeyID, then associate them with the MO node
[authenticationProfile], SUID "4*" (certs): associate the MEF Client cert with the MO node by matching myCertFingerprint
[MAFClientRegCfg] / [MEFClientRegCfg]: TS-0032 MAF/MEF Client Registration with the MAF/MEF (if not already registered)
[trustAnchorCred]: associate the trust anchor CA cert with the MO node, retrieving the cert using HTTP (if not already "on device")

• This additional processing is NOT performed by the DM client
• Need ability for MEF to trigger the additional processing on MEF Client, and receive status back from MEF Client
  – Not always on "Add" or "Update" of MO node
• This is triggered using "MO_NODE" commands

Slide 6: Communication Model (figure; labels recoverable from the diagram: MEF Server, EST/SCEP Server (RA), MEF CA, DM Server, MEF Client, MAF, DM Client, MAF Client, Field Node, Field Node or IN-CSE, Entity A (AE or CSE))

Slide 7: Communication Model, MO tree example: MAF-based SAEF (figure; labels recoverable from the diagram: MEF Server MO tree with [registration], [authenticationProfile], [MAFClientRegCfg], [MEFClientRegCfg]; TS-0022 Device Configuration between DM Server and DM Client; a second [authenticationProfile] on the Field Node; EST/SCEP Server (RA), MEF CA, MEF Client, MAF, MAF Client, Field Node or IN-CSE, Entity A (AE or CSE))

Slide 8: Communication Model (figure; numbered flows recoverable from the diagram: 1) MEF Client Registration, 2) MEF Key Registration, 4) MAF Client Registration, 5) MEF Key Retrieval, 6) MAF Key Registration, 8) MAF-based SAEF or ESPRIM, 9) MAF Key Retrieval; the labels of flows 3) and 7) did not survive extraction. Entities shown: MEF Server, EST/SCEP Server (RA), MEF CA, DM Server, MEF Client, MAF, DM Client, MAF Client, Field Node or IN-CSE, Entity A (AE or CSE))

Slide 9: Communication Model, MO tree example: Cert-based SAEF (figure; labels recoverable from the diagram: MEF MO tree with [registration], [authenticationProfile] SUID = 42, [trustAnchorCred], [MEFClientRegCfg]; SUID = 10 (PPSK Kpm); flows 1) MEF Client Registration, 2) MEF Key Registration, 3) Command, 4) trigger; a second [authenticationProfile] on the Field Node; MEF Server, EST/SCEP Server (RA), MEF CA, DM Server, MEF Client, MAF, DM Client, MAF Client, Field Node or IN-CSE, Entity A (AE or CSE))

Slide 10: MEF Client Commands
• Concept
  – Predefine a small set of commands (with variable arguments)
  – Command issued by the MEF to the MEF Client with a status indication (issued, reissued)
  – After attempting to parse and execute the command, the MEF Client returns a Status/Result (success, error codes …)
  – Use OMA-DM approach for transport of cmd and status
• Procedure
  1. MEF Client -> MEF: [TS-0032 request], implicit: "Is there any Command?"
  2. MEF: while a command is outstanding, proceed to step 3. Else proceed to step 5.
  3. MEF -> MEF Client: [TS-0032 response] command
  4. MEF Client -> MEF: [TS-0032 request] status
  5. MEF -> MEF Client: [TS-0032 rsp] "NO_MORE_COMMANDS"
  – After processing the status, MEF returns to step 2
• MEF Client Command types:
  – Certificate Provisioning
  – Device Configuration Session
  – Confirmation of an MO node
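The command loop of slide 10, with the MO-node "additional processing" of slide 5 behind the MO_NODE command, as an added Python simulation. This is not part of the contribution or of any oneM2M code: the class and field names (MEFServer, MEFClient, Command, Status, run_command_loop, demo), the error-code strings, the reissue-once policy and the direct method calls standing in for the TS-0032/OMA-DM transport are assumptions; only the three command types, the issued/reissued indication, NO_MORE_COMMANDS, the MO node and attribute names and the SUID prefixes come from the slides. The scenario in demo() is constructed.

```python
# Added example, not oneM2M text or code. Names, error-code strings, the reissue-once policy
# and direct calls in place of the TS-0032 / OMA-DM transport are assumptions (see lead-in).
from collections import namedtuple
from dataclasses import dataclass

NO_MORE_COMMANDS = "NO_MORE_COMMANDS"
AUTH = "[authenticationProfile]"
Status = namedtuple("Status", "cmd_type result")  # result: "success" or an error code

@dataclass
class Command:
    cmd_type: str               # CERT_PROVISIONING | DEVICE_CONFIG_SESSION | MO_NODE
    args: dict
    indication: str = "issued"  # "reissued" once the MEF hands it out again
    attempts: int = 0

class MEFServer:
    """MEF side: the outstanding commands for one MEF Client."""
    def __init__(self, commands, max_attempts=2):
        self.outstanding = list(commands)
        self.max_attempts = max_attempts  # assumption: reissue once, then give up
        self.log, self.failed = [], []    # statuses received; commands given up on
    def next_command(self):
        if not self.outstanding:          # step 2: nothing outstanding -> step 5
            return NO_MORE_COMMANDS
        cmd = self.outstanding[0]         # step 3: hand out the oldest command
        cmd.attempts += 1
        if cmd.attempts > 1:
            cmd.indication = "reissued"
        return cmd
    def report_status(self, status):
        self.log.append(status)           # step 4; the MEF then returns to step 2
        if status.result == "success":
            self.outstanding.pop(0)
        elif self.outstanding[0].attempts >= self.max_attempts:
            self.failed.append(self.outstanding.pop(0))

class MEFClient:
    """MEF Client side: parse and execute one command, return its Status."""
    def __init__(self, symm_keys, certs):
        self.symm_keys = symm_keys  # symmKeyID -> key (pre-provisioned, SUID "1*")
        self.certs = certs          # myCertFingerprint -> cert (SUID "4*")
        self.mo_nodes = {}          # MO node path -> credential associated with it
        self.csrs = []              # subjects for which a CSR was submitted
    def execute(self, cmd):
        handler = {"CERT_PROVISIONING": self._cert_provisioning, "MO_NODE": self._confirm_mo_node,
                   "DEVICE_CONFIG_SESSION": self._device_config_session}.get(cmd.cmd_type)
        if handler is None:
            return Status(cmd.cmd_type, "ERR_UNKNOWN_COMMAND")
        try:
            return Status(cmd.cmd_type, handler(cmd.args))
        except KeyError as missing:  # a required argument was not supplied
            return Status(cmd.cmd_type, f"ERR_MISSING_ARG:{missing.args[0]}")
    def _cert_provisioning(self, args):
        self.csrs.append(args["subject"])  # real client: sign a CSR (proof of possession), submit via EST/SCEP
        return "success"
    def _device_config_session(self, args):  # real client: open a DM session per TS-0022
        return "success" if args["dm_server"] else "ERR_NO_DM_SERVER"
    def _confirm_mo_node(self, args):  # slide 5 processing (not done by the DM client), by SUID prefix
        if args["node"] != AUTH:
            return "ERR_UNSUPPORTED_NODE"  # [trustAnchorCred] etc. not simulated here
        suid = str(args["SUID"])
        if suid.startswith("1"):    # "1*": match the pre-provisioned symmetric key
            if args["symmKeyID"] not in self.symm_keys:
                return "ERR_NO_MATCHING_KEY"
            self.mo_nodes[args["path"]] = ("symmKey", args["symmKeyID"])
        elif suid.startswith("4"):  # "4*": match the MEF Client certificate
            if args["myCertFingerprint"] not in self.certs:
                return "ERR_NO_MATCHING_CERT"
            self.mo_nodes[args["path"]] = ("cert", args["myCertFingerprint"])
        else:                       # "2*"/"3*": needs MEF/MAF Key Registration first
            return "ERR_KEY_REGISTRATION_REQUIRED"
        return "success"

def run_command_loop(server, client, max_rounds=20):
    """Steps 1-5 of slide 10; returns the exchange as (direction, payload) tuples."""
    transcript = []
    for _ in range(max_rounds):
        reply = server.next_command()   # steps 1-2: the client's request is implicit
        if reply == NO_MORE_COMMANDS:
            transcript.append(("MEF->client", NO_MORE_COMMANDS))   # step 5
            return transcript
        transcript.append(("MEF->client", f"{reply.cmd_type} ({reply.indication})"))  # step 3
        status = client.execute(reply)
        transcript.append(("client->MEF", f"{status.cmd_type}={status.result}"))       # step 4
        server.report_status(status)
    raise RuntimeError("command loop did not terminate")

def demo():
    """Constructed scenario: CSR; MO node with an absent symmKeyID; cert-based MO node; DM session."""
    commands = [
        Command("CERT_PROVISIONING", {"subject": "CN=device-0001"}),
        Command("MO_NODE", {"node": AUTH, "path": "/auth/10", "SUID": 10, "symmKeyID": "kpm-9999"}),
        Command("MO_NODE", {"node": AUTH, "path": "/auth/42", "SUID": 42, "myCertFingerprint": "sha256:abcd"}),
        Command("DEVICE_CONFIG_SESSION", {"dm_server": "dm.example.invalid"}),
    ]
    server = MEFServer(commands)
    client = MEFClient({"kpm-0001": b"\x00" * 16}, {"sha256:abcd": "<cert>"})
    return run_command_loop(server, client), server, client
```

Calling demo() returns the eleven-message transcript together with both endpoints. The second command shows the two things the slide asks for: the MEF learns through the returned status that the symmKeyID named in the MO node is not on the device (something the DM client's Add/Update alone would never report), and the retry is marked "reissued" so the client can tell it from a fresh command. The SUID values 10 and 42 are the ones used in the MO tree examples on slide 9.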

Slide 11: Example MEF Client Command procedure (figure only; no text recoverable)

Slide 12: Next steps
• Agreed on using new <MEFClientCmd> resource type for transporting MEF Client Command elements?
• If yes
  – Add new resource type to TS-0032, definition of resource type and CRUD procedures: SEC-2017-0100
  – Define structure, interpretation and datatypes for MEF Client Command elements in TS-0003: SEC-2017-0069R01, SEC-2017-0095R02
  – Define XML Schema: SEC-2017-0101
  – Add text for Certificate Signing Request (CSR) procedure: SEC-2017-0105
  – Update EST/SCEP descriptions to make use of MEF Client Commands as triggers (CR to be supplied)
  – Some alignment of text in RSPF sections 8.3.1 and 8.3.1.x required (CR to be supplied)