Martin Duke <[email protected]> wrote:
    > Your proposed sentence is an improvement, but I'm not sure how it combines
    > with the earlier sentence "It is not necessarily expected that constrained
    > devices themselves will evaluate and process of X.509 certificates". Is
    > "evaluate and process" a different action than "validating" it?

Validating is a well-defined, complex process (RFC6125, etc.) involving path
validation, etc.
Evaluate might mean something less, such as extracting the public key and
comparing against some known value.  We don't expect any of that.

    > Or is the suggestion here that the constrained device is given a
    > certificate to authenticate itself that it does not bother to verify, but
    > hosts that connect to it *would* validate the certificate?

Yes, generally, that is what a lot of us have in mind.

The constrained device has a credential; if in the form of an IDevID or
LDevID certificate, then it would use this specification to place it into
the COSE object as a blob.

It has the private key side in a format that is more convenient for
processing (perhaps even in a secure enclave of some kind) which it uses to
sign.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
