Hi Hannes, Agree. The draft is already referencing RFC 7925, so it could additionally reference Section 12 (https://tools.ietf.org/html/rfc7925#section-12) which explains that randomness is also needed for all DTLS handshakes. What I mention about “being able to trust the randomness level” is then maybe a more psychological requirement rather than technical. A powerful server with RTC just sounds more capable to do private key generation than an IoT device, which is why server-side keygen may be preferred ;)
Esko From: Hannes Tschofenig <hannes.tschofe...@arm.com> Sent: Tuesday, May 14, 2019 18:46 To: Esko Dijk <esko.d...@iotconsultancy.nl>; Panos Kampanakis (pkampana) <pkamp...@cisco.com>; ace@ietf.org Subject: RE: [Ace] EST over CoAP: Randomness Hi Esko, good to hear from you. * Another reason for server-side keygen can be that an IT department/manager wants it that way. There could be a policy that the keypairs for all domain certificates must be created by the systems under direct control of the IT department. (E.g. to comply with other policies or to be able to trust the randomness level. Or just because that was the way it always has been when PCs were provisioned with certificates.) This could be listed as an additional reason. For readers interested in making informed decisions I believe it is worthwhile to point out that they need random number generation capabilities on IoT devices – not just for the private key generation in context of the EST exchange. I fear that some people, including IT managers, just glance over the details and focus on isolated aspects. I am sure you agree with me that this would be a too simplistic view. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
