Content for TR 33.776 (Word version: 19.0.0)
5       Key issues ............................................................ p. 10
5.1     Key issue #1: ACME initial trust framework ........................... p. 10
5.1.1   Key issue details .................................................... p. 10
5.1.2   Security threats ..................................................... p. 10
5.1.3   Potential security requirements ...................................... p. 10
5.2     Key issue #2: Secure transport of messages ........................... p. 10
5.2.1   Key issue details .................................................... p. 10
5.2.2   Security threats ..................................................... p. 10
5.2.3   Potential security requirements ...................................... p. 10
5.3     Key issue #3: Aspects of challenge validation ........................ p. 10
5.3.1   Key issue details .................................................... p. 10
5.3.2   Security threats ..................................................... p. 11
5.3.3   Potential security requirements ...................................... p. 11
5.4     Key issue #4: Certificate enrolment .................................. p. 11
5.4.1   Key issue details .................................................... p. 11
5.4.2   Security threats ..................................................... p. 11
5.4.3   Potential security requirements ...................................... p. 11
5.5     Key issue #5: Certificate renewal .................................... p. 12
5.5.1   Key issue details .................................................... p. 12
5.5.2   Security threats ..................................................... p. 12
5.5.3   Potential security requirements ...................................... p. 12
5.6     Key Issue #6: Certificate revocation ................................. p. 12
5.6.1   Key issue details .................................................... p. 12
5.6.2   Security threats ..................................................... p. 12
5.6.3   Potential security requirements ...................................... p. 12
5.7     Key issue #7: Supporting all 5G SBA certificate types ................ p. 12
5.7.1   Key issue details .................................................... p. 12
5.7.2   Security threats ..................................................... p. 13
5.7.3   Potential security requirements ...................................... p. 13
6       Solutions ............................................................ p. 13
6.0     Mapping of solutions to key issues ................................... p. 13
6.1     Solution #1: Using NF FQDN as ACME identifier ........................ p. 13
6.1.1   Introduction ......................................................... p. 13
6.1.2   Solution Details ..................................................... p. 13
6.1.2.1 Procedure ............................................................ p. 14
6.1.3   Evaluations .......................................................... p. 15
6.2     Solution #2: Automated validation of certificate signing requests for network functions ... p. 15
6.2.1   Introduction ......................................................... p. 15
6.2.2   Solution details ..................................................... p. 16
6.2.2.1 Initial trust ........................................................ p. 16
6.2.2.2 New identifier type .................................................. p. 17
6.2.2.3 Certificate issuance ................................................. p. 17
6.2.2.4 NF Certificate Authority Token ....................................... p. 20
6.2.2.5 Validation of NF Certificate Authority Token ......................... p. 21
6.2.2.6 Use of JSON Web Signature ............................................ p. 21
6.2.3   Evaluation ........................................................... p. 22
6.3     Solution #3: Using NF instance ID as ACME identifier ................. p. 22
6.3.1   Introduction ......................................................... p. 22
6.3.2   Solution details ..................................................... p. 22
6.3.2.1 Initial trust ........................................................ p. 23
6.3.2.2 Procedure ............................................................ p. 23
6.3.3   Evaluation ........................................................... p. 24
6.4     Solution #4: Reuse solution about policy-based certificate renewal ... p. 24
6.4.1   Introduction ......................................................... p. 24
6.4.2   Solution details ..................................................... p. 24
6.4.3   Evaluation ........................................................... p. 24
6.5     Solution #5: Using ACME protocol for certificate enrolment ........... p. 25
6.5.1   Introduction ......................................................... p. 25
6.5.2   Solution details ..................................................... p. 25
6.5.2.1 Initial Trust ........................................................ p. 25
6.5.2.2 Certificate enrolment ................................................ p. 25
6.5.3   Evaluation ........................................................... p. 27
6.6     Solution #6: ACME automated revocation of certificates ............... p. 27
6.6.1   Introduction ......................................................... p. 27
6.6.2   Solution Details ..................................................... p. 27
6.6.3   Evaluation ........................................................... p. 28
6.7     Solution #7: Using ACME protocol for secure transport of messages .... p. 29
6.7.1   Introduction ......................................................... p. 29
6.7.2   Solution details ..................................................... p. 29
6.7.3   Evaluation ........................................................... p. 29
6.8     Solution #8: Supporting all 5G SBA certificate types ................. p. 29
6.8.1   Introduction ......................................................... p. 29
6.8.2   Solution details ..................................................... p. 29
6.8.3   Evaluation ........................................................... p. 30
6.9     Solution #9: Using ACME protocol for certificate renewal ............. p. 30
6.9.1   Introduction ......................................................... p. 30
6.9.2   Solution details ..................................................... p. 31
6.9.3   Evaluation ........................................................... p. 31
6.10    Solution #10: ACME account key initial trust establishment ........... p. 32
6.10.1  Introduction ......................................................... p. 32
6.10.2  Solution details ..................................................... p. 32
6.10.3  Evaluation ........................................................... p. 33
7       Conclusions .......................................................... p. 33
7.1     General principles applicable to all KIs ............................. p. 33
7.2     Key issue #1: ACME initial trust framework ........................... p. 33
7.2.1   Analysis ............................................................. p. 33
7.2.2   Conclusion ........................................................... p. 33
7.3     Key issue #2: Using ACME Secure Transport of Messages ................ p. 34
7.3.1   Analysis ............................................................. p. 34
7.3.2   Conclusion ........................................................... p. 34
7.4     Key issue #3: Aspects of challenge validation ........................ p. 34
7.4.1   Analysis ............................................................. p. 34
7.4.2   Conclusion ........................................................... p. 34
7.5     Key issue #4: Certificate enrolment .................................. p. 34
7.5.1   Analysis ............................................................. p. 34
7.5.2   Conclusion ........................................................... p. 34
7.6     Key issue #5: Certificate renewal .................................... p. 35
7.6.1   Analysis ............................................................. p. 35
7.6.2   Conclusion ........................................................... p. 35
7.7     Key issue #6: Certificate revocation ................................. p. 35
7.7.1   Analysis ............................................................. p. 35
7.7.2   Conclusion ........................................................... p. 35
7.8     Key issue #7: Supporting all 5G SBA certificate types ................ p. 35
7.8.1   Analysis ............................................................. p. 35
7.8.2   Conclusion ........................................................... p. 35
$       Change history ....................................................... p. 36