Fries, Steffen <[email protected]> wrote: > There was a question regarding the benefits on Full CMC (PKI) Request > support in EST from Michael. One of the benefits of the Full CMC > request is that it provides a way to bind the entity identification and > authentication to the certification request. This can be achieved by an > additional signature over the certification request with the IDevID EE > cert of a pledge. The result is what we called in the draft a > self-contained object with two signatures, one with the private key > corresponding to the contained public key in the CSR, the second with > the private key, which's corresponding certificate can be validated. > Maybe the term is misleading as the CSR is also self-contained. So we > may need to fine a better term.
okay. I need to re-read things to better understand.
> Having this type of self-contained object comes with some advantages:
> - It removes the strict binding of the certification request with the
> pledge authentication in TLS using the tls-unique value in the CSR
> during the EST run. This is especially interesting for scenarios, in
> which the registrar (EST server) acts as LRA and has (temporarily) no
> connection to the issuing RA/CA. If it needs to store the CSR and
> forward it later on for further processing to the RA/CA, the
> information about the identity and authentication is not directly bound
> to the CSR and would require other mechanisms.
> - For the "no soup case - come back later" case (Eliot, I just borrowed
> your analogy) it provides the advantage, if the tls-unique parameter
> is used in the CSR (BRSKI is open to this) to bind the CSR to a
> specific TLS connection. If the TLS connection between the pledge and
> the registrar was teared down, EST (in simple enroll/reenroll) requires
> to resent the CSR, which would require to include a new tls-unique
> number, which in turn would require rebuilding the CSR (also described
> in RFC 7030, section 4.2.3).
I agree that this is a good feature.
Can you tell us more about how you'd use it?
My next question would be, given that some would like CMP rather than EST as
an option, and it appears that LAMPS may do a minimal profile of CMP, maybe
that would suit you better for these disconnected uses rather than fullcmc.
Regardless, how would one discover and signal the use of fullcmc or CMP?
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
