Hi all,

For cBRSKI I've created a new PR: 
https://github.com/anima-wg/constrained-voucher/pull/325

This proposes to change the way that certificate chains are carried in the RVR 
and Voucher.

It addresses the following needs:

  1. We want the equivalent of certificate chains as carried in CMS signing
     envelope on the unconstrained network path
  2. We don't want these lengthy certificate chains carried on the constrained
     network path (by default), to save bytes/time.
  3. We'd like MASA to be able to sign a voucher with an arbitrary certificate
     chain, or self-signed CA, or a raw public/private keypair.
  4. Registrar should be able to easily retrieve MASA's signing method/chain,
     whatever it was.
  5. MASA should be able to easily retrieve Registrar's signing method/chain,
     even if it differs from its TLS client cert chain.
  6. Re-use already-standardized COSE methods (all from RFC 9360)

As a solution the "x5chain" attribute from RFC 9360 is now used to carry a 
certificate / chain that was used for signing.
And a Registrar that receives a Voucher with an unprotected x5chain in it
removes that chain before passing the voucher on to the Pledge.
(This chain when unprotected is only needed for "FYI" or logging/validation 
consumption by the Registrar - not for the Pledge.)

Feedback is welcome of course!

regards
Esko
_______________________________________________
Anima mailing list -- [email protected]
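
The Registrar step described in the message, as an added example that is not code from the PR or the draft: it removes x5chain (COSE header label 33, RFC 9360) from the unprotected header of a voucher and shows that the bytes covered by the signature are unchanged. Assumptions: the voucher is a tagged COSE_Sign1 (CBOR tag 18), the function names are hypothetical, the sample voucher is constructed, and the small CBOR codec handles only definite-length ints, strings, arrays, maps and tags.

```python
X5CHAIN, COSE_SIGN1 = 33, 18  # x5chain header label (RFC 9360); COSE_Sign1 CBOR tag

def head(major, n):  # CBOR initial byte plus shortest-form argument
    if n < 24:
        return bytes([major << 5 | n])
    size = 1 if n < 2**8 else 2 if n < 2**16 else 4 if n < 2**32 else 8
    return bytes([major << 5 | (23 + size.bit_length())]) + n.to_bytes(size, "big")

def enc(o):  # encode the CBOR subset used here; a (tag, value) tuple is a tagged item
    if isinstance(o, int):
        return head(0, o) if o >= 0 else head(1, -1 - o)
    if isinstance(o, (bytes, str)):
        raw = o if isinstance(o, bytes) else o.encode()
        return head(2 if isinstance(o, bytes) else 3, len(raw)) + raw
    if isinstance(o, list):
        return head(4, len(o)) + b"".join(enc(x) for x in o)
    if isinstance(o, dict):
        return head(5, len(o)) + b"".join(enc(k) + enc(v) for k, v in o.items())
    return head(6, o[0]) + enc(o[1])

def dec(b, i=0):  # decode one definite-length item; returns (value, next offset)
    major, n, i = b[i] >> 5, b[i] & 31, i + 1
    if n >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (n - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    if major < 2:
        return (n if major == 0 else -1 - n), i
    if major < 4:
        return (b[i:i + n] if major == 2 else b[i:i + n].decode()), i + n
    items = []
    for _ in range({4: n, 5: 2 * n, 6: 1}[major]):  # KeyError on unsupported major 7
        v, i = dec(b, i)
        items.append(v)
    if major == 6:
        return (n, items[0]), i
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), i

def strip_unprotected_x5chain(voucher):  # Registrar step before forwarding to the Pledge
    (tag, (prot, unprot, payload, sig)), _ = dec(voucher)
    if tag != COSE_SIGN1:
        raise ValueError("not a tagged COSE_Sign1 object")
    unprot = {k: v for k, v in unprot.items() if k != X5CHAIN}
    return enc((tag, [prot, unprot, payload, sig]))  # prot bstr is passed through as-is

def sig_structure(voucher):  # bytes the signature covers (RFC 9052), empty external_aad
    (_, (prot, _, payload, _)), _ = dec(voucher)
    return enc(["Signature1", prot, b"", payload])

SAMPLE = enc((COSE_SIGN1, [enc({1: -7}), {X5CHAIN: b"cert-placeholder", 4: b"kid-1"},
                           b"voucher-payload", bytes(64)]))  # constructed, dummy signature
```

Because the Sig_structure contains only the protected header bytes and the payload, the stripped voucher verifies against the same signature; an x5chain placed in the protected header is left in place by this function.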