Deb Cooley has entered the following ballot position for draft-ietf-anima-brski-ae-12: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- While this draft clearly outlines the requirements for proof of possession and integrity/authentication of the pledge, I did not see any discussion on integrity/authentication of the RA/CA. How can the pledge determine if it is requesting certificates (either its own or CA) from the proper RA/CA? One of the advantages of EST is that the pledge can verify the EST server certificate, and an on-path attack is harder when there is an adequate TLS session. Is that the case with CMP (or SCEP)? If so, either point me to where that is documented or add a couple of sentences on how that is done. If not, please add a section to the Security Considerations. _______________________________________________ Anima mailing list -- [email protected] To unsubscribe send an email to [email protected]
