[Anima] RFC 8995, Voucher Signing, MASA Certificate Chain provisioning

2024-03-06 Thread Fries, Steffen
Hi Michael,

I've got a question regarding the MASA voucher signing or better the 
certificate chain provisioning for the MASA certificate to the pledge.

RFC 8995 states in section 9.1.1 
(https://www.rfc-editor.org/rfc/rfc8995.html#section-9.1.1):
"The online service MUST have access to a private key with which to sign 
voucher artifacts [RFC8366]. The public key, certificate, or certificate chain 
MUST be built into the device as part of the firmware."

I had the assumption that the pledge only knows its IDevID and with that its 
own certificate, public/private key pair and the certificate chain from the 
issuing CA to the trust anchor.
In operational environments the issuing CA for the IDevID may not be the same 
as the issuing CA for the MASA signing certificate. From the requirement above, 
it would mean providing the MASA certificate chain in the pledge firmware as 
well, if it is different from the IDevID issuing CA. As the voucher is a 
CMS container that allows conveying the certificate chain of the signer in the 
SignedData, I would have expected it to be contained there. This would be similar 
to the voucher request, in which the registrar-voucher-request also contains 
the certificate chain according to section 5.5.2 
(https://www.rfc-editor.org/rfc/rfc8995.html#section-5.5.2), which states:
"A certificate chain is extracted from the registrar's signed CMS container."

I would propose to also allow the submission of the certificate chain of the 
MASA signing certificate in the SignedData part of the CMS container of the 
voucher.
Any thoughts?

Best regards
Steffen
--
Steffen Fries



___
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima


[Anima] Standards/specs using "YANG to CBOR" encoding

2024-03-06 Thread Esko Dijk
Hi Toerless,

Yesterday in the design team call you asked if any specifications use the "YANG 
to CBOR" mapping (RFC 9254), apart from us (cBRSKI).
In the call we forgot to mention this user: "CORECONF" 
(https://datatracker.ietf.org/doc/html/draft-ietf-core-comi-17), a 
CoAP-with-CBOR version of NETCONF/RESTCONF.

Regards
Esko

IoTconsultancy.nl  |  Email/Teams: esko.d...@iotconsultancy.nl

