Bjørn Mork <bj...@mork.no> wrote:
    > Michael Richardson <m...@sandelman.ca> writes:

    >> I'd really like to find a way to work with your manufacturer to get an
    >> IDevID certificate into each unit as it is manufactured.

    > For those of us who are not going to pay USD 100 for a document we
    > won't be able to comprehend anyway: Do you have a pointer to a "IDevID
    > howto for dummies"?

Hi.  The IEEE is rather daft; the 2018 version of 802.1AR is available free
of charge, but it does require hoops.  There isn't much content in it that
you can't find in RFC5280.

    > I assume the private key must be protected on the device. What are the
    > hardware requirements?

There are no hard and fast rules.  It certainly would be best if it's in some
enclave.  But, my take is that something is better than nothing.

    > What's the root of the IDevID, and why do I trust it?

It's a private PKI root that we'd have to establish.

    > What's the lifetime of an IDevID certificate?  Unlimited?

The spec says: notAfter: 99991231

    > Are there any special constraints to consider when validating an IDevID
    > certificate?

They don't tend to contain fqdn SAN, so the rules of RFC6125 (now RFC9525) do
not tend to apply.

    > What's the typical usecase on a device like this?  Signing short lived
    > device generated TLS server certificates for e.g. a local https server?
    > Signing client certificates for CPE management (tr-x69 etc)?

That's one.
Or establishing a mutual TLS connection to a CA (RFC7030 for instance) that
would then be able to provision a WebPKI anchored cert.

    > Do you ever use the IDevID certificate directly, or is it always just
    > an intermediate CA?

Depends upon the use case.
In the RFC8995 onboarding situation, it would be used directly during
bootstrap, but then probably replaced with an LDevID with a more accessible
private key.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
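The validation rules described in the reply above (a private manufacturer root, the 99991231 notAfter sentinel, no FQDN SAN so RFC 6125 matching does not apply, and client authentication toward a CA such as an EST server), worked through as an added Go example; this is not code from the thread or from any 802.1AR implementation, and the manufacturer root name, device name and serial numbers are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// 802.1AR's "no well-defined expiry" sentinel: notAfter = 99991231235959Z.
var idevidNoExpiry = time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC)
// makeCert signs tmpl with parent's key (pass tmpl itself as parent to self-sign).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	return cert
}

// buildChain constructs a hypothetical manufacturer root plus the IDevID for one unit.
func buildChain(serial string) (root, idevid *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on real hardware: in a secure element
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Manufacturer IDevID Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: idevidNoExpiry,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	idevid = makeCert(&x509.Certificate{
		// Device identity is the subject serialNumber attribute; there is no DNS SAN.
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-cpe", SerialNumber: serial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: idevidNoExpiry,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root, &devKey.PublicKey, rootKey)
	return root, idevid
}

// verifyIDevID chains the cert to the manufacturer root only and returns the device serial.
// DNSName stays empty on purpose: an IDevID carries no FQDN, so RFC 6125 matching is skipped.
func verifyIDevID(idevid, root *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := idevid.Verify(opts); err != nil {
		return "", err
	}
	return idevid.Subject.SerialNumber, nil
}
```

A device from a different manufacturer (chained to a different root) is rejected by verifyIDevID even though its certificate is otherwise well formed, which is what makes the private root the trust decision.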