Hi Michael,

Please see inline.

> -----Original Message-----
> From: Anima [mailto:anima-boun...@ietf.org] On Behalf Of Michael
> Richardson
> Sent: Tuesday, March 10, 2020 12:09 AM
> To: anima@ietf.org; Xialiang (Frank, Network Standard & Patent Dept)
> <frank.xiali...@huawei.com>
> Subject: Re: [Anima] My comments about
> draft-richardson-anima-masa-considerations-02:
> 
>     > pg 4:
>     > A serial number for the device can be assigned and placed into a
> 
> 
>     > comment:
>     > Is it appropriate to assign the serial number to the device, since the
>     > device already has its own SN?
> 
> This is device has a single serial number.
> The point is that a device may not yet have a serial number, and it is
> possible to assign the serial number during this process.  Or perhaps more
> to the point, the manufacturing step at which a serial number is assigned
> is the right time to deploy the private key.
> 

[Wei] I think what needs to be explained is the distinct characteristics of the 
serial number for the device. Maybe how it is assigned is not important, but 
other aspects, such as what it is used for, are important. So the readers can 
match the specific thing in their implementation with the serial number you 
mean.

> 
>     > pg 5:
>     > Ongoing access to the root-CA is important, but not as critical as
>     > access to the MASA key.
> 
> 
>     > comment:
>     > MASA key is not relevant with the IDevID three-tier PKI
>     > infrastructure. So, does this sentence make sense here?
> 
> This comment is about relative levels of access to the private keys.
> The key that the MASA uses to sign vouchers *needs* to be online.
> The root-CA for the IDevID PKI can be offline, locked in a vault (and
> guarded by Godzilla if you like).
> 

[Wei] Two comments:
1) Why is ongoing access to the root CA important? In the document it is said 
the root-CA private key should be kept offline, so how can there be ongoing 
access to the root-CA?
2) This sentence seems inappropriate in this section. This section and the 
upper-level section are talking about the device's IDevID. Suddenly mentioning 
the MASA key doesn't make sense.


Regards & Thanks!
Wei Pan

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima