Hi all,

Based on earlier discussions in the design team meeting, I'm proposing an improvement / fix for cBRSKI that includes 2 main things:

1. New (simple) format for the EST-coaps "CA certificates" response: existing spec requires PKCS#7 container to distribute multiple CA certs. New proposal is CBOR-only; using the application/multipart-core format.

2. Updates to all procedures to enable a Pledge/IoT-device to enroll in a domain with 2 or 3 tiers of CAs, and be managed in such a domain - including EST re-enrollment, change of root-CA/sub-CA/owner, etc.

There was a trade-off here between keeping the Pledge lightweight and enabling full participation in a 2-tier/3-tier CAs domain. With an eye on the future, the proposal is to go for the full participation, expecting this will become common for IoT devices.

See https://github.com/anima-wg/constrained-voucher/pull/291/files for the new text proposal. Any comments are welcome.

Regards
Esko

IoTconsultancy.nl | Email/Teams: esko.d...@iotconsultancy.nl
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima