TR 33.776
Study of Automatic Certificate Management Environment (ACME) for the Service Based Architecture (SBA)
V19.0.0 (Wzip), 2024/12, 36 p.
Rapporteur: Mr. Eckel, Charles (Cisco Systems Belgium)
Full Table of Contents for TR 33.776 (Word version 19.0.0)
0      Introduction    p. 7
1      Scope    p. 8
2      References    p. 8
3      Definitions of terms, symbols and abbreviations    p. 9
  3.1    Terms    p. 9
  3.2    Symbols    p. 9
  3.3    Abbreviations    p. 9
4      Assumptions    p. 10
5      Key issues    p. 10
  5.1    Key issue #1: ACME initial trust framework    p. 10
    5.1.1    Key issue details    p. 10
    5.1.2    Security threats    p. 10
    5.1.3    Potential security requirements    p. 10
  5.2    Key issue #2: Secure transport of messages    p. 10
    5.2.1    Key issue details    p. 10
    5.2.2    Security threats    p. 10
    5.2.3    Potential security requirements    p. 10
  5.3    Key issue #3: Aspects of challenge validation    p. 10
    5.3.1    Key issue details    p. 10
    5.3.2    Security threats    p. 11
    5.3.3    Potential security requirements    p. 11
  5.4    Key issue #4: Certificate enrolment    p. 11
    5.4.1    Key issue details    p. 11
    5.4.2    Security threats    p. 11
    5.4.3    Potential security requirements    p. 11
  5.5    Key issue #5: Certificate renewal    p. 12
    5.5.1    Key issue details    p. 12
    5.5.2    Security threats    p. 12
    5.5.3    Potential security requirements    p. 12
  5.6    Key Issue #6: Certificate revocation    p. 12
    5.6.1    Key issue details    p. 12
    5.6.2    Security threats    p. 12
    5.6.3    Potential security requirements    p. 12
  5.7    Key issue #7: Supporting all 5G SBA certificate types    p. 12
    5.7.1    Key issue details    p. 12
    5.7.2    Security threats    p. 13
    5.7.3    Potential security requirements    p. 13
6      Solutions    p. 13
  6.0    Mapping of solutions to key issues    p. 13
  6.1    Solution #1: Using NF FQDN as ACME identifier    p. 13
    6.1.1    Introduction    p. 13
    6.1.2    Solution Details    p. 13
      6.1.2.1    Procedure    p. 14
    6.1.3    Evaluations    p. 15
  6.2    Solution #2: Automated validation of certificate signing requests for network functions    p. 15
    6.2.1    Introduction    p. 15
    6.2.2    Solution details    p. 16
      6.2.2.1    Initial trust    p. 16
      6.2.2.2    New identifier type    p. 17
      6.2.2.3    Certificate issuance    p. 17
      6.2.2.4    NF Certificate Authority Token    p. 20
      6.2.2.5    Validation of NF Certificate Authority Token    p. 21
      6.2.2.6    Use of JSON Web Signature    p. 21
    6.2.3    Evaluation    p. 22
  6.3    Solution #3: Using NF instance ID as ACME identifier    p. 22
    6.3.1    Introduction    p. 22
    6.3.2    Solution details    p. 22
      6.3.2.1    Initial trust    p. 23
      6.3.2.2    Procedure    p. 23
    6.3.3    Evaluation    p. 24
  6.4    Solution #4: Reuse solution about policy-based certificate renewal    p. 24
    6.4.1    Introduction    p. 24
    6.4.2    Solution details    p. 24
    6.4.3    Evaluation    p. 24
  6.5    Solution #5: Using ACME protocol for certificate enrolment    p. 25
    6.5.1    Introduction    p. 25
    6.5.2    Solution details    p. 25
      6.5.2.1    Initial Trust    p. 25
      6.5.2.2    Certificate enrolment    p. 25
    6.5.3    Evaluation    p. 27
  6.6    Solution #6: ACME automated revocation of certificates    p. 27
    6.6.1    Introduction    p. 27
    6.6.2    Solution Details    p. 27
    6.6.3    Evaluation    p. 28
  6.7    Solution #7: Using ACME protocol for secure transport of messages    p. 29
    6.7.1    Introduction    p. 29
    6.7.2    Solution details    p. 29
    6.7.3    Evaluation    p. 29
  6.8    Solution #8: Supporting all 5G SBA certificate types    p. 29
    6.8.1    Introduction    p. 29
    6.8.2    Solution details    p. 29
    6.8.3    Evaluation    p. 30
  6.9    Solution #9: Using ACME protocol for certificate renewal    p. 30
    6.9.1    Introduction    p. 30
    6.9.2    Solution details    p. 31
    6.9.3    Evaluation    p. 31
  6.10   Solution #10: ACME account key initial trust establishment    p. 32
    6.10.1    Introduction    p. 32
    6.10.2    Solution details    p. 32
    6.10.3    Evaluation    p. 33
7      Conclusions    p. 33
  7.1    General principles applicable to all KIs    p. 33
  7.2    Key issue #1: ACME initial trust framework    p. 33
    7.2.1    Analysis    p. 33
    7.2.2    Conclusion    p. 33
  7.3    Key issue #2: Using ACME Secure Transport of Messages    p. 34
    7.3.1    Analysis    p. 34
    7.3.2    Conclusion    p. 34
  7.4    Key issue #3: Aspects of challenge validation    p. 34
    7.4.1    Analysis    p. 34
    7.4.2    Conclusion    p. 34
  7.5    Key issue #4: Certificate enrolment    p. 34
    7.5.1    Analysis    p. 34
    7.5.2    Conclusion    p. 34
  7.6    Key issue #5: Certificate renewal    p. 35
    7.6.1    Analysis    p. 35
    7.6.2    Conclusion    p. 35
  7.7    Key issue #6: Certificate revocation    p. 35
    7.7.1    Analysis    p. 35
    7.7.2    Conclusion    p. 35
  7.8    Key issue #7: Supporting all 5G SBA certificate types    p. 35
    7.8.1    Analysis    p. 35
    7.8.2    Conclusion    p. 35
       Change history    p. 36