Thanks, Michael! That is also my understanding.
On Mon, Oct 12, 2020 at 11:32 PM Michael Richardson <[email protected]> wrote:

> Martin Duke <[email protected]> wrote:
> > Your proposed sentence is an improvement, but I'm not sure how it combines
> > with the earlier sentence "It is not necessarily expected that constrained
> > devices themselves will evaluate and process of X.509 certificates". Is
> > "evaluate and process" a different action than "validating" it?
>
> Validating is a well defined, complex process (RFC6125, etc.) involving
> path validation, etc.
> Evaluate might mean something less, such as extracting the public key and
> comparing against some known value. We don't expect any of that.
>
> > Or is the suggestion here that the constrained device is given a
> > certificate to authenticate itself that it does not bother to verify, but
> > hosts that connect to it *would* validate the certificate?
>
> Yes, generally, that is what a lot of us have in mind.
>
> The constrained device has a credential, if in the form of an IDevID or
> LDevID certificate, then it would use this specification to place it into
> the COSE object as a blob.
>
> It has the private key side in a format that is more convenient for
> processing (perhaps even in a secure enclave of some kind) which it uses to
> sign.
>
> --
> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
