Hello,

The tunneled method draft has TLVs to pass a "Server Trusted Root"
certificate chain from the server to the peer and also to pass a
certs-only PKCS#7 package from the server to the peer.

The latter is the 2nd half of the "simple PKI" request/response as
described in RFC 5272. So it kind of begs the question, where's the 1st
half? Where is the PKCS#10 package that the peer sends the server?

So I propose fixing this omission by adding a new TLV for a PKCS#10
certificate signing request. Something along the lines of:
4.2.X Certificate Signing Request TLV
The Certificate Signing Request TLV is used by the peer to initiate
the "simple PKI" Request/Response from [RFC 5272]. The format of
the request is as specified in Section 6.4 of [RFC4945].
The Certificate Signing Request TLV is defined as follows:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|R|         TLV Type          |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                            PKCS#10                            ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   M

      0 (Optional)

   R

      Reserved, set to zero (0)

   TLV Type

      TBD for Certificate Signing Request TLV

   Length

      variable

   PKCS#10

      the Certificate Signing Request
regards,
Dan.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
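An added example, not part of the mailing-list message above and not code from any TEAP implementation: a small encoder/decoder for a TLV laid out exactly as proposed (M bit, R bit, 14-bit type, 16-bit length, variable value), plus the sanity check a server should run before forwarding the payload to a CA, namely that the value is a single well-formed DER SEQUENCE whose encoded length matches the TLV length. The TLV type number is "TBD" in the proposal, so the value used here is a labelled placeholder, and the PKCS#10 payload is a constructed stand-in, not a real CertificationRequest.

```python
import struct

# The proposal leaves the TLV type as TBD; this is a placeholder picked from
# the 14-bit type space for the example only, not an assigned number.
TLV_TYPE_CSR_PLACEHOLDER = 0x3FFF

# Constructed stand-in for a DER-encoded CertificationRequest: a SEQUENCE of
# length 3 holding INTEGER 5. Long enough to exercise the checks below; it is
# not a real CSR.
SAMPLE_CSR_DER = bytes.fromhex("3003020105")


def encode_tlv(tlv_type, value, mandatory=False):
    """Build one TLV: bit 15 = M, bit 14 = R (always zero), bits 0-13 = type,
    then a 16-bit big-endian length, then the value."""
    if not 0 <= tlv_type <= 0x3FFF:
        raise ValueError("TLV type must fit in 14 bits")
    if len(value) > 0xFFFF:
        raise ValueError("TLV value exceeds the 16-bit length field")
    header = (int(mandatory) << 15) | tlv_type  # R bit left at zero
    return struct.pack("!HH", header, len(value)) + value


def decode_tlv(buf, offset=0):
    """Parse one TLV at buf[offset:]. Returns (mandatory, reserved, tlv_type,
    value, next_offset). Refuses truncated headers and lengths that run past
    the end of the buffer, so a malformed length cannot read out of bounds."""
    if len(buf) - offset < 4:
        raise ValueError("truncated TLV header")
    header, length = struct.unpack_from("!HH", buf, offset)
    mandatory = bool(header & 0x8000)
    reserved = (header >> 14) & 1
    tlv_type = header & 0x3FFF
    start = offset + 4
    end = start + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return mandatory, reserved, tlv_type, buf[start:end], end


def decode_all(buf):
    """Walk a buffer of back-to-back TLVs and return them as a list."""
    out, offset = [], 0
    while offset < len(buf):
        m, r, t, v, offset = decode_tlv(buf, offset)
        out.append((m, r, t, v))
    return out


def looks_like_der_sequence(value):
    """Cheap precheck before handing a CSR to a CA: PKCS#10 is a DER SEQUENCE
    (tag 0x30) and the SEQUENCE's own length must account for the whole TLV
    value, so trailing garbage or a truncated body is rejected up front."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:                      # short-form length
        return len(value) == 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(value) < 2 + n:
        return False
    seq_len = int.from_bytes(value[2:2 + n], "big")
    return len(value) == 2 + n + seq_len


def roundtrip_sample():
    """Encode the sample CSR, decode it again, and report what a receiver sees."""
    tlv = encode_tlv(TLV_TYPE_CSR_PLACEHOLDER, SAMPLE_CSR_DER)
    mandatory, reserved, tlv_type, value, nxt = decode_tlv(tlv)
    payload_ok = value == SAMPLE_CSR_DER and looks_like_der_sequence(value)
    return mandatory, reserved, tlv_type, payload_ok, nxt == len(tlv)


if __name__ == "__main__":
    print(encode_tlv(TLV_TYPE_CSR_PLACEHOLDER, SAMPLE_CSR_DER).hex())
    print(roundtrip_sample())
```

The M bit is left at zero because the proposal marks the TLV as optional; a receiver that does not understand an optional TLV type can skip it by length, which is exactly what `decode_all` relies on. The DER precheck is deliberately shallow: it is not a substitute for a real PKCS#10 parser and signature verification at the CA, but it stops obviously malformed or padded payloads before they reach one.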