On 08/23/2017 11:45 PM, Michael Richardson wrote:
Robert Moskowitz <[email protected]> wrote:
     > PEM works.  DER does not work.  I have been finding problems with
     > openssl command line support for DER.  Which brings up a question for
     > this list:

     > What format do you expect to see for:
     > draft-ietf-anima-bootstrapping-keyinfra

     > PEM or DER?

     > PEM supports cert chains, DER does not.

I'm confused by this.
PEM, to me, is base64 encoded DER, probably with the BEGIN CERTIFICATE stuff.
If you are saying that PEM files can contain multiple certs, there are DER
ways to do that.  TLS just concatenates I believe.

On the openssl-user list, the claim was made that concatenating DER certs for a cert chain like you do with PEM does not work with applications. You have to use PKCS#12, but that includes the private key and is passworded. I should be able to get the pointer to Viktor's post about this.


Here is where you'd find objects in BRSKI:

1) TLS ClientCertificate.
    This should be just the IDevID blob, and in TLS, it's in DER format,
    if the Registrar needs anything else in the chain, it must chase them down
    itself.

2) TLS ServerCertificate.
    https://tools.ietf.org/html/rfc5246#section-7.4.2
      Note: PKCS #7 [PKCS7] is not used as the format for the certificate
      vector because PKCS #6 [PKCS6] extended certificates are not used.
      Also, PKCS #7 defines a SET rather than a SEQUENCE, making the task
      of parsing the list more difficult.

3) The pledge's Voucher Request may be signed using JOSE (using the IDevID)
    The IDevID is not sent, it's the one from ClientCertificate.

4) The registrar's Voucher Request may be signed using JOSE, using the
    Domain Owner's key.  That might not be the same key the Registrar uses
    to form the EST connection to the MASA (if the Registrar uses client
    authentication at all).
    The Domain Owner is within the pinned-domain-cert field.
    We define it as being DER binary.  In JSON format, that turns into base64
    encoded.  The reason we go there is that we do not want the
    ----BEGIN... stuff in there for JSON, in another encoding (CBOR), binary
    is just fine.

5) The resulting voucher also uses pinned-domain-cert as well, now signed
    by the MASA.

     > What format are the various bootstrap objects (eg vouchers)?  Has
     > anyone built any of these for PoC?

PoC?


--
Michael Richardson <[email protected]>, Sandelman Software Works
  -= IPv6 IoT consulting =-
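Added example (my own code, not from either poster, the BRSKI draft, or OpenSSL) illustrating the point under discussion: PEM is base64-wrapped DER between BEGIN/END lines, a raw concatenation of DER objects can be split back into individual certificates by reading each object's outer SEQUENCE tag and length, and a DER cert becomes bare base64 when it is carried as a binary leaf in JSON (the pinned-domain-cert case). The two "certificates" are constructed DER SEQUENCE placeholders, not real X.509 data, and the JSON encoding is assumed to follow the usual RFC 7951 base64 rule for YANG binary leaves. Standard library only.

```python
import base64
import re

# One PEM block: label in group 1, base64 body in group 2 (DOTALL spans lines).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (tag 0x30) with a definite length."""
    n = len(content)
    if n < 0x80:                       # short form: one length byte
        length = bytes([n])
    else:                              # long form: 0x80|k, then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x30" + length + content


def split_der(blob: bytes) -> list:
    """Split back-to-back DER SEQUENCEs (e.g. a cert chain file) into a list,
    refusing anything that is not a well-formed, complete object."""
    items, i = [], 0
    while i < len(blob):
        if blob[i] != 0x30:
            raise ValueError(f"expected SEQUENCE tag at offset {i}")
        if i + 1 >= len(blob):
            raise ValueError("truncated length")
        first = blob[i + 1]
        if first < 0x80:
            hdr, n = 2, first
        else:
            k = first & 0x7F
            if k == 0 or k > 4 or i + 2 + k > len(blob):
                raise ValueError("bad or truncated long-form length")
            n = int.from_bytes(blob[i + 2:i + 2 + k], "big")
            hdr = 2 + k
        end = i + hdr + n
        if end > len(blob):
            raise ValueError("truncated object")
        items.append(blob[i:end])
        i = end
    return items


def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Armour one DER object as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def pem_to_ders(pem: bytes) -> list:
    """Decode every PEM block in a bundle to its DER bytes, in file order."""
    return [base64.b64decode(re.sub(rb"\s+", b"", body))
            for _label, body in PEM_BLOCK.findall(pem)]


def pinned_domain_cert_json(der: bytes) -> str:
    """Bare base64 with no PEM armour, as a YANG 'binary' leaf appears in JSON
    (assumed RFC 7951 rule for the pinned-domain-cert leaf)."""
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    # Constructed placeholders: one short-form and one long-form length.
    leaf = der_sequence(b"\x02\x01\x01" + b"A" * 20)
    issuer = der_sequence(b"B" * 200)
    print(split_der(leaf + issuer) == [leaf, issuer])            # True
    bundle = der_to_pem(leaf) + der_to_pem(issuer)
    print(pem_to_ders(bundle) == [leaf, issuer])                 # True
    print(bundle.decode())
    print(pinned_domain_cert_json(issuer)[:32], "...")
```

Note that the TLS Certificate message does not rely on bare concatenation: RFC 5246 section 7.4.2 prefixes each ASN.1Cert with its own 3-byte length inside the certificate_list vector, so a TLS stack never has to walk SEQUENCE headers to find cert boundaries. The splitter above is what an application needs when it is handed a plain file of concatenated DER, which is the case the openssl-user discussion says most tools do not handle.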




_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
