Please see the MoM from the recommended Secure Communication targets for Frankfurt release. Presented proposal and video recording can be seen in attachment.
Attendances had an overall alignment regarding the suggested targets and recommendations to be in place for Frankfurt. Please see summary of suggested Frankfurt targets and affected projects in slide 16.
- Comment was made to also include this material in ONAP readthedocs, either as a new reference security architecture part or included under AAF documentation. Need to discuss with SECCOM for the possibility of introducing a reference security architecture section in release document.
- There were comments regarding current formulation of ONAP security requirements related to certificate handling. These will be revisited in the near future (Samuli).
There are still several aspects to consider for ensuring proper certificate handling capabilities. Other topics to be further discussed:
- As the acquisition of IAK/RV is non-standardized and said to be out-of-band. Suggestion was to first discuss and brainstorm this internally and then call for a community discussion session. We came to the conclusion of having two options:
- Standardize this solution
- Find another technical solution, such as using a certificate already inside ONAP SO/AAF that will be sent to VNF for ensuring CSR protection.
- We all decided to investigate open-source alternatives for CMPv2 server/client implementation. Revisit as suggestions are made to the community.
- Future community targets regarding revocation handling of certificates is of interest. Either by using legacy CRL solutions or online driven such as OSCP. We wanted to hear any targets from AAF, but noone attended this meeting from the project. Revisit
For those of you that did not attend this meeting please review and provide feedback regarding the proposed targets. As the attendances of the meeting had an initial alignment of these targets, please feel free to review over mail. If needed we can have another session.
Best regards,
Hampus
