Michael Richardson <mcr+i...@sandelman.ca> wrote:
    > I hoping for some discussion about this comment that I previously
    > responded to, but it probably got buried.

Actually, you did respond on July 20, in an email that I thought to re-read
after pushing send.

In it you said:

mcr> I would never call the Internet PKI "PKIX".
mcr> I'd call it WebPKI, or CAB.
mcr> PKIX is the set of IETF specifications that made X509v3 useful.
mcr> (And why I try never to use "X509"...)
mcr> I couldn't find a reference to private PKI, so maybe I mis-understand.

   doc> This document details protocols and messages to answer the above
   doc> questions.  It uses a TLS connection and an PKIX (X.509v3)
   doc> certificate (an IEEE 802.1AR [IDevID] LDevID) of the pledge to answer
   doc> points 1 and 2.  It uses a new artifact called a "voucher" that the
   doc> [...]
   doc> Pledge authentication and pledge voucher-request signing is via a
   doc> PKIX certificate installed during the manufacturing process.  This is

bk> The comment about private PKI was me making an assumption; I could be
bk> wrong.  But I don't really expect all manufacturers that do this to have
bk> their IDevID signing CA be part of the Internet PKI; I expect them to be
bk> standalone CAs with the root baked into hardware and nothing else that
bk> uses that root.  Does that help clarify?

It helps to clarify where you think I'm referring to the Internet PKI.

I don't think of "PKIX" as referring to the Internet PKI/WebPKI as managed by
the CAB-Forum.  Yes, it will be a private CA 96% of the time.
A 1988 era X509v3 certificate isn't good enough; it has to be the IETF PKIX
WG profile of X509v3.  801.1AR mostly says that.

If you feel that my use of PKIX here is too confusing, I will change it.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

Attachment: signature.asc
Description: PGP signature

Anima mailing list

Reply via email to