On 1/31/21, 18:24, "COSE on behalf of Carsten Bormann" <[email protected] on behalf of [email protected]> wrote:
> On 31. Jan 2021, at 23:54, Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote:
> >
> > I do not get the “re-certify the certificate” part.
>
> In the Web PKI, the assumption is that every participant knows all root
> certificates and updates that set eagerly.
> In the IoT world, that doesn’t work.

OK, so there's no shared Root CA. Fine.

> So people are looking at alternative ways of validating a certificate.

It seems obvious that if you do not share the PKI chain, you cannot validate a certificate - and it is unclear why you would want to.

> If there is a big brother/little brother relationship, the little brother
> may look to the big brother to validate the certificate for it.

That's fine.

> To relay this validation (let’s call it a voucher), big brother could
> create its own certificate out of (or for!) the certificate in question.

Creating a "voucher" *for* another cert? So, you send *both* the original cert that is mostly useless (because the recipient cannot validate it), *plus* your validation record? Why not create a new cert, including what's relevant from the original cert being validated?

> But it may be more lightweight to protect the voucher as data in an
> authenticated connection (say, TLS), or as part of an authenticated object
> (say, COSE).

How is this different from "big brother" generating a new (light-weight, if needed) certificate, based on its own judgment and what's in the "old" certificate?

Thanks
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
