Here are some notes that I thought could be useful to sharpen how PKCS exchange is documented.
Example exchange C.11. PKCS Exchange shows how certificate provisioning is done with TEAP:
https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-13.html#name-c11-pkcs-exchange

Section 3.11.1 "Certificate Provisioning within the Tunnel" describes the process:
https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-13.html#section-3.11.1

First, section 3.11.1 states that authentication is needed before provisioning, but C.11. does not show any authentication. Should the diagram show phase 1 client certificate authentication or phase 2 tunnelled authentication? Are both valid types of authentication as required by section 3.1.1?

Second, C.11. shows that provisioning ends with Crypto-Binding TLV exchange. What is the EMSK and/or MSK used to calculate the TLVs? Is this a case where IMSK is an all-zeroes MSK? Should Section 3.11.1 define these?

Third, the draft does not say that PKCS exchange is an inner method. It's not an inner authentication method, but according to example C.11. the exchange ends with Crypto-Binding and Intermediate-Result TLV exchange similarly to inner authentication methods. Would it be possible to clarify the type of PKCS exchange (inner method, something else)? Because it appears to be an inner method, also add text to section 3.11. where the use of the two TLV types is required.

--
Heikki Vatiainen
h...@radiatorsoftware.com
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu