Continuous Assurance Policies
Document Purpose
To outline the logical model needed to support continuous assurance policies.
To identify the key entities and relations
To define the method of expression and the method of communication in order to implement Realtime distributed policy enforcement.
Problem being addressed
How do we securely express and transmit the underlying policy information, implicitly embodied in the documented brksi flows
How do we map these to asynchronously evaluated expressions
This assumes
a. the abstract polices are useful
b. the mappings to BRKSI flows are more or less correct
Entities
For a real-time system for onboarding devices onto a network and managing the full Lifecyle, we can identify the following basic entities
- Network instance: the entity managing a single instance of a network connectivity
- Device instance: a specific instance of a device connecting to a network
- Registrar (BRSKI name): the logical controller of one or more network instances - and the policy enforcement point
We then have the following additional properties
- A network: a logical entity comprising many network instances under the control of a regsitra
- A device manufacturer:
- A device type:
- A device software version/firmware
- A device owner
- A device ownership tree
- A network instance owner
- A network instance owner tree
- A registrar owner
- A registrar owner tree
Entity relationship cardinalities and temporal properties
What does the object model look like?
Network controller
Network owner (tree)
Network manufacture
- Network supply chain
Registrar ( groups of network controllers)
- Registrar owner (tree)
Device
- Device owner (tree)
- Device manufacturer
Policies need reframing in relation to this dynamic object model.
Expression short hand
Using the normal shorthand expression of the form
Relation(entity1@, entity2+) : [signatory-]
Where
- Relation: is the relation holding between one or more entities
- entitiy1@: identifies an entity using an indirect expression - such as a URI
- entitiy1+: identifies an entity using an direct public key reference
- signatory-: identifies the private key of the entity acting as a signatory of the expression
Expression embodiment
The expression can be embodied in many ways
- A standard X509 certificate
- JSON/JOSE structure with proof of possession
- W3C verifiable credential
- CMS
- Signed CBOR
most can be proven to be fundamentally interchangeable with respect to the essential primitives.
Expression communication
If the expression are embodied correctly, the end to end system can work fairly independently of the bearer method. Anthing form HTTPS tot WebSocket to raw TCP to DTLS. Email can potentially be supported The system should support airgapped communication using USB drives
Ideally the expression should include issue date and time to-live attributes (e.g VCs)
Ideally the expression should include issuer URIs, in order that the policy enforcer can request updates directly
Policy mappings
Registrar->Network controller mapping
We will assume the policy decision point is equivalent to the registrar in the BRWSKI flows.
We will assume a single registrar is mapped to multiple network controllers
Owned-by(network-controller+,registrar) : []