On 28.08.23 20:10, Heikki Vatiainen wrote:
> Here are some notes that I thought could be useful to sharpen how PKCS exchange is documented.
>
> Example exchange C.11. PKCS Exchange shows how certificate provisioning is done with TEAP:
> https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-13.html#name-c11-pkcs-exchange
>
> Section 3.11.1 "Certificate Provisioning within the Tunnel" describes the process:
> https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-13.html#section-3.11.1
>
> First, section 3.11.1 states that authentication is needed before provisioning, but C.11. does not show any authentication. Should the diagram show phase 1 client certificate authentication or phase 2 tunnelled authentication? Are both valid types of authentication as required by section 3.1.1?

C.11 assumes bi-directional certificate exchange OR POK. Perhaps that should be stated.

> Second, C.11. shows that provisioning ends with Crypto-Binding TLV exchange. What is the EMSK and/or MSK used to calculate the TLVs? Is this a case where IMSK is an all-zeroes MSK? Should Section 3.11.1 define these?

Yes and yes.

> Third, the draft does not say that PKCS exchange is an inner method. It's not an inner authentication method, but according to example C.11. the exchange ends with Crypto-Binding and Intermediate-Result TLV exchange similarly to inner authentication methods. Would it be possible to clarify the type of PKCS exchange (inner method, something else)? Because it appears to be an inner method, also add text to section 3.11. where the use of the two TLV types is required.

Agree. It's an inner method, as indicated in Section 4.3.2.

Eliot

> --
> Heikki Vatiainen
> h...@radiatorsoftware.com
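The all-zero IMSK case raised in the second point, worked through as an added example (this is not code from the thread, from the draft, or from any TEAP implementation). It walks the compound-key chain for a session whose only inner method is the PKCS exchange, which exports no key, so IMSK[1] is 32 zero octets, and then computes the Crypto-Binding Compound MAC from the resulting CMK. The derivation follows RFC 7170 Section 5.2 as I recall it (TLS 1.2 PRF with P_SHA256, label "Inner Methods Compound Keys", a 60-octet IMCK split into a 40-octet S-IMCK and a 20-octet CMK, HMAC over the Crypto-Binding TLV with its MAC field zeroed); every one of those constants, the choice of hash, and the sample session_key_seed and TLV bytes are assumptions to be checked against the current draft, not values taken from it. RFC 7170's Crypto-Binding TLV carries both an EMSK and an MSK Compound MAC; the block walks only one chain. The point it makes visible is that even with an all-zero IMSK the CMK, and therefore the MAC, is still keyed by S-IMCK[0] from the TLS tunnel, so the binding is not vacuous.

```python
"""TEAP compound-key chain and Crypto-Binding MAC with an all-zero IMSK.

Added example, not code from the mailing-list thread or from the
rfc7170bis authors.  Constants follow RFC 7170 Section 5.2 as recalled by
the example's author and are ASSUMPTIONS to verify against the draft.
"""
import hashlib
import hmac

PRF_HASH = hashlib.sha256           # assumption: TLS 1.2 suite with a SHA-256 PRF
IMCK_LABEL = b"Inner Methods Compound Keys"
IMCK_LEN = 60                       # 40 octets S-IMCK[j] + 20 octets CMK[j]
ZERO_IMSK = bytes(32)               # IMSK for an inner method that exports no key


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 Section 5 P_hash: HMAC-based expansion to `length` octets."""
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, PRF_HASH).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, PRF_HASH).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_compound_keys(session_key_seed: bytes, imsks: list) -> list:
    """Run the S-IMCK/CMK chain over the inner methods in order.

    S-IMCK[0] is the TLS-derived session_key_seed.  For inner method j,
    IMCK[j] = TLS-PRF(S-IMCK[j-1], IMCK_LABEL, IMSK[j], 60), then
    S-IMCK[j] = first 40 octets and CMK[j] = last 20 octets.
    Returns a list of (S-IMCK[j], CMK[j]) tuples, one per inner method.
    """
    s_imck = session_key_seed
    chain = []
    for imsk in imsks:
        imck = tls12_prf(s_imck, IMCK_LABEL, imsk, IMCK_LEN)
        s_imck, cmk = imck[:40], imck[40:]
        chain.append((s_imck, cmk))
    return chain


def compound_mac(cmk: bytes, crypto_binding_tlv: bytes) -> bytes:
    """Compound MAC over the Crypto-Binding TLV (MAC field already zeroed)."""
    return hmac.new(cmk, crypto_binding_tlv, PRF_HASH).digest()


def verify_compound_mac(cmk: bytes, crypto_binding_tlv: bytes, received: bytes) -> bool:
    """Constant-time check of a received Compound MAC."""
    return hmac.compare_digest(compound_mac(cmk, crypto_binding_tlv), received)


def pkcs_exchange_binding(session_key_seed: bytes, crypto_binding_tlv: bytes):
    """Crypto-Binding for a session whose only inner method is the PKCS
    exchange: IMSK[1] is all zeros, yet CMK[1] still depends on the TLS
    session_key_seed, so the MAC binds the TLVs to this particular tunnel."""
    _, cmk = derive_compound_keys(session_key_seed, [ZERO_IMSK])[0]
    return cmk, compound_mac(cmk, crypto_binding_tlv)


if __name__ == "__main__":
    # Constructed sample inputs, not values captured from a real session.
    seed = bytes(range(40))
    tlv = b"CryptoBindingTLV-with-MAC-field-zeroed"   # stand-in for the real TLV bytes
    cmk, mac = pkcs_exchange_binding(seed, tlv)
    print("CMK[1]:", cmk.hex())
    print("MAC   :", mac.hex())
    # A peer in a different tunnel (different session_key_seed) gets a
    # different MAC even though both used the all-zero IMSK.
    _, other = pkcs_exchange_binding(bytes(40), tlv)
    print("same MAC across tunnels?", mac == other)
```

Swapping `ZERO_IMSK` for a real IMSK (for example one derived from an inner EAP method's EMSK) is the only change needed to extend the chain with a second inner method; `derive_compound_keys` already accepts a list so the ordering dependence of S-IMCK[j] on every earlier method is visible.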

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu