Kent Watsen <[email protected]> wrote:
    > S6 in the voucher draft says:

    > The PKCS#7 structure SHOULD also contain all the certificates leading
    > up to and including the signer's trust anchor certificate known to
    > the recipient.

Agreed.
And the MASA should know exactly what that list is for each device.

    > and S5.4 in the NETCONF zerotouch draft says:

    > The device MUST first authenticate the ownership voucher by
    > validating the signature on it to one of its preconfigured trust
    > anchors (see Section 5.1).

    > Perhaps it should add "using any additional intermediate certificates
    > stapled to the voucher"?

It would be worth saying:

   "It may need to use additional intermediate certificates included
   with the signature artifact (such as PKCS7 SignerData certificates)"

    > I like a chain more than a single cert as well.  I'm ambivalent to the
    > TA cert being provided, but I'm okay with it if it aligned better with
    > x5c.

I think it's useful for intermediary auditing if the TA cert is included
(and ignored by the pledge).  We have an existing situation with WebPKI where
some browsers complain if any TA is passed down.  During the SHA1->SHA256
switchover for intermediate CAs, it was sometimes necessary to pass
extra things that the browsers would eventually have built in.

    > Wah?  First, we can't assume the 1st cert is the one you want.  In ASN.1
    > parlance, it is a SET (not a SEQUENCE).  Next, my code [1] validated the
    > voucher's signature first - I don't understand the need to be
    > out-of-order here.  Last, yes, you can access the contents without
    > verification using the smime -noverify flag.

I agree, I shouldn't be assuming it's the first certificate.
I'm going in via API, not CLI.

And btw, the noverify flag in the API still checks that the content is signed
by the provided certificate, it just doesn't check that the certificate is
valid.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
