Max Pritikin (pritikin) <priti...@cisco.com> wrote:
    mcr>     5) use the existing /voucherrequest, but define the result (when an
    mcr> application/cbor+cose voucher request is presented) to be a multipart
    mcr> result, with the second piece being the public key "bag".


    mcr>     I've been convinced to return a multipart/related.  (I think it's
    mcr> related I want).

actually, probably multipart/mixed is what I want.

    mcr>     This is HTTP not CoAP, to be clear.

NOTA BENE.

    mcr>     The next 6tisch-dtsecurity-zerotouch-join will say;

    mcr>         In order to do this, the MASA MAY return a multipart/related
    mcr> return, within that body, two items SHOULD be returned:

    mcr>         1. An application/voucher-cose+cbor body.  2. An
    mcr> application/pkcs7-mime; smime-type=certs-only, or an
    mcr> application/SOMETHING containing a Raw Public Key.


    > It seems weird to combine the cwt style body with such an unconstrained
    > value such as a pkcs7-smime blob.  Even if it makes sense to use the
    > http layer multipart instead of x5c (unprotected header fields)
    > wouldn’t the more optimized message format make sense?

Just to be clear, x5c is a *CWT* thing, not a COSE thing.
CWT is built on top of COSE... if we were doing constrained voucher as CWT,
then we'd want to use the CWT "iss", "sub", "aud", etc.  which does not map
mechanically from the YANG.

We can still put a value into the unprotected header field as you suggest,
but that means that the JRC either has to pass the kilobyte of certificate on
to the pledge via the constrained channel... or it has to modify the voucher
to remove it.

I did look for an application/cms thing that carried certificates, but I
didn't find anything.

    > I can’t seem to find a definition of multipart (or “related”?) for
    > CoAP. If it’s handled anything like
    > https://tools.ietf.org/html/rfc2046#section-5.1.1 I’d expect to find it
    > in here https://tools.ietf.org/html/rfc7252#section-12.3 or at
    > https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats
    > .  Can you provide a pointer to explain what this would look like?

This is between the Registrar and MASA, which is unconstrained HTTPS, not
CoAP, even in the constrained situation.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
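
The multipart reply discussed in this message, seen from the Registrar's side, as an added example that is not part of the original mail or of any draft text. It shows the voucher part being separated for forwarding to the pledge while the certificate bag stays on the Registrar; the function names, the boundary string and all byte values are constructed for illustration.

```python
# Added example: how a Registrar could split the proposed MASA reply.
# Function names, the boundary and all byte strings are constructed.
from email import message_from_bytes
from email.message import Message

VOUCHER = "application/voucher-cose+cbor"
CERTS = "application/pkcs7-mime"

def split_masa_reply(content_type, body):
    """Return (voucher_for_pledge, certs_for_registrar_or_None)."""
    outer = Message()
    outer["Content-Type"] = content_type
    if outer.get_content_type() == VOUCHER:
        return body, None            # MASA chose not to send the key bag
    if outer.get_content_maintype() != "multipart":
        raise ValueError("unexpected reply type " + outer.get_content_type())
    boundary = outer.get_param("boundary")
    if not boundary:
        raise ValueError("multipart reply without a boundary")
    # Split on raw bytes: the parts are binary, not line-oriented text.
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary.encode("ascii"))
    if len(chunks) < 3 or not chunks[-1].startswith(b"--"):
        raise ValueError("truncated or malformed multipart body")
    parts = {}
    for chunk in chunks[1:-1]:
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        hdrs = message_from_bytes(head.lstrip(b"\r\n") + b"\r\n\r\n")
        if hdrs.get_content_type() in parts:
            raise ValueError("duplicate " + hdrs.get_content_type() + " part")
        parts[hdrs.get_content_type()] = (hdrs, payload)
    if VOUCHER not in parts:
        raise ValueError("no voucher part in reply")
    certs = None
    if CERTS in parts:
        hdrs, certs = parts[CERTS]
        if hdrs.get_param("smime-type") != "certs-only":
            raise ValueError("pkcs7-mime part is not certs-only")
    return parts[VOUCHER][1], certs

def sample_reply():
    """Constructed reply: placeholder bytes, not a real voucher or cert bag."""
    voucher = b"\xd2\x84\x43\xa1\x01\x26\xa0\x0d\x0a\x00"
    certs = b"\x30\x82\x04\x00" + b"\x5a" * 1024
    body = (b"--masa-example\r\nContent-Type: " + VOUCHER.encode() + b"\r\n\r\n"
            + voucher + b"\r\n--masa-example\r\nContent-Type: " + CERTS.encode()
            + b"; smime-type=certs-only\r\n\r\n" + certs + b"\r\n--masa-example--\r\n")
    return 'multipart/mixed; boundary="masa-example"', body, voucher, certs
```

Only the first returned value would travel over the constrained channel; the voucher bytes come back unmodified, so the signature over them is not disturbed by dropping the certificate part.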


