strar's credentials cannot be verified using the
pinned-domain-cert trust anchor from the voucher then the TLS
connection is immediately
--
Michael Richardson , Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Benjamin Kaduk via Datatracker wrote:
> Unfortunately, it seems that the "pinned-domain-cert" in the issued voucher
> is the registrar's cert, not the CA cert. (Given that the documented
> workflow is
That's entirely correct.
The thing in the voucher validates the TLS connection
ures from two runs were present, so the nonce did not match
between voucher-request+voucher and parboiled-voucher-request.
--
Michael Richardson , Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
___
Anim
ed from the CPE device if it is replaced.
More experience will be necessary in order to determine if this is a
workable solution.
Benjamin Kaduk wrote:
> To confirm: I should not be waiting for any other reviews before I look at
> the -38? (What with it being outgoing-AD-season I can't promise an exact
> date, but can bump it up the list a bit.)
Correct.
infra-37=draft-ietf-anima-bootstrapping-keyinfra-38
the new examples:
https://www.ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-37&url2=draft-ietf-anima-bootstrapping-keyinfra-38
> and this would result in a new IETF review.
I think you mean, IESG review.
___
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
Brian E Carpenter wrote:
> On 11-Mar-20 01:20, Michael Richardson wrote:
>>
>> section 6.1.5 says:
>>
>> When BRSKI (see [I-D.ietf-anima-bootstrapping-keyinfra]) is used, the
>> IPv6 locator of the BRSKI registrar from the BRSKI TLS conne
in the two
weeks afterwards.
From the results, consider having two 1.5 slots, one slot optimized for each
group of time zones. Make sure that people enter If-Needbe if it won't be
during their "day".
since 2018 when Terry was
an AD!
I think that the WG participants need to actively engage the DISCUSSes and
the choices that the WG has made.
> igns. That could be called out in the introduction, but I think
> the IDevID section itself could better distinguish between the
> description/judgement that is independent of MASA and then the
> new MASA considerations. Maybe structure, put MASA text always at end of
ve
purchased seem to. The OEM has to configure/generate them. It is this
process that I care about, because the IDevID also needs to be built at that
point.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works|IoT
are
retrieved.
Michael Richardson wrote:
> I looked at
> https://tools.ietf.org/html/draft-richardson-anima-masa-considerations-02
> and Laurence's tutorial slides. The IDevID aspects seem to be inline
> with my understanding. Laurence's slides don't go into much deta
these keys very
carefully.
There are some operational advantages to keeping the secret seeds around in
some form, as the same secret seed could be used for other things.
There are some significant downsides to keeping that secret seed around.
Michael Richardson wrote:
> Laurence's slides not yet posted to
https://siot-hackathon.github.io/agenda,
> but I hope they will be.
Laurence's slides are actually at:
https://siot-hackathon.github.io/slides/rats01.pdf
it's just that the ones I care about are way at t
Laurence's slides not yet posted to https://siot-hackathon.github.io/agenda,
but I hope they will be.
From: "Smith, Ned"
To: Michael Richardson
Subject: Re: IDevID and TPM devices
Michael,
I looked at
https://tools.ietf.org/html/draft-richardson-anima-masa-considerations-02 and
.
okay, I was worried it didn't work out. (Whew!!!)
What is it in the YANG that means the serialized JSON is
"ietf-voucher:voucher" rather than "ietf-voucher:voucher-artifact"?
that it has to be a voucher-artifact, not a voucher,
and the examples in BRSKI are wrong?
(That's really annoying)
needed for ongoing
> prototyping/interop testing are done now, if not, i hope one of the
> co-authors will chime in and kick my WG chair behind. I did ask
> for one missing assignment we procrastinated on, that came through
> ca. 2 weeks ago.
Hi, yes, please renew the e
way we can change the YANG to match things correctly?
It seems that we might change:
// Top-level statement
rc:yang-data voucher-artifact {
uses voucher-artifact-grouping;
}
to:
rc:yang-data voucher {
===
Or, do you think that we should change the BRSKI doc
is to pass that entire chain along to the Pledge in the BRSKI-EST
channel in the DTLS header, and have the pledge sign that entire object.
This wouldn't be very constrained, so I am not sure why one would do this
rather than using TLS in that case.
o really "lifetime role assignments"
> (lifetime larger than cert lifetime..).
But, that's the only role we need.
; And of course, this goes beyond trust into performance vetting by
> others and so on.
At some level, if you are looking for resource X, and some node can provide
X, and it works and does what you need... then maybe it is reasonable to
trust it.
these unnamed PKIX experts would like to debate this with us openly, they
know where to find the WG.
up the base64 dumps of the vouchers in lines.
6) I also went back to Alissa's non-YANG related comments to be sure that I
had already dealt with them, and I had.
, please SHOUT LOUDLY to make sure I don't
> miss replies / updates.
Roman had a DISCUSS.
ASA that would allow them to resell
the equipment. I've tried to engage with a company I know of that does this
to try to understand how things flow today.
ly if one
likes.
Yes. I mean to read some of the documentation for TPM chips.
I believe that they blow a fuse.
Toerless Eckert wrote:
> Your code point has been allocated, pls. update your draft accordingly.
> This mail has been copied into an issue on the drafts github.
Document updated and posted as -07.
internet-dra...@ietf.org wrote:
> Title : Constrained Voucher Artifacts for Bootstrapping Protocols
> Authors : Michael Richardson, Peter van der Stok, Panos Kampanakis
> Filename : draft-ietf-anima-constrained-voucher-06.txt
> Pages : 40
> Date : 2020-01-14
he chairs heard, there was no objection in the
> room.
ddress will be transformed to a complete IPv6 address. To achieve
> this, the gateway should will maintain a globally routeable prefix
^ double word, pick one :-)
I will happily point at this document, if you think it is going to go
somewhere.
internet-dra...@ietf.org wrote:
> A new version of I-D, draft-ietf-anima-bootstrapping-keyinfra-34.txt
> has been successfully submitted by Michael Richardson and posted to the
> IETF repository.
> Name: draft-ietf-anima-bootstrapping-keyinfra
ps://www.ietf.org/rfcdiff?url2=draft-ietf-anima-bootstrapping-keyinfra-33
I hope that this is the last of the YANG fixes.
I have pushed -33 with changes as below.
tom petch wrote:
> On 31/12/2019 22:01, Michael Richardson wrote:
>>
>> tom petch wrote:
>> > Security Considerations, the YANG Guidelines RFC says that you must mention
>> > TLS, HTTPS, etc and
't implement BRSKI without reading
RFC8366.
tablished secure connection can be used to deploy a locally issued
> certificate to the device as well.
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/
his comment]
We did.
We worked hard to create the Rm attack situation, and had to assume some
other failures to even get to this discussion.
I think that this follows into the "if these ten unlikely things all occur,
then you should consider if you are living in si
On 2019-12-29 11:53 a.m., RFC Errata System wrote:
The following errata report has been submitted for RFC8366,
"A Voucher Artifact for Bootstrapping Protocols".
--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5949
On 2019-12-25 10:43 p.m., Sheng Jiang wrote:
Hi, all,
The minutes for the ANIMA sessions at IETF106 in Singapore be found at:
https://datatracker.ietf.org/doc/minutes-106-anima/
I read the minutes, and I concur with them.
4ba202a98e4e
> Appendix A still has a typo
secification -> specification. plege->Pledge.
onomic-control-plane
provides for that, but I didn't remember that last spring when I wrote the
document.
On 2019-06-17 11:55 a.m., Michael Richardson wrote:
I have posted the draft
https://datatracker.ietf.org/doc/draft-richardson-lamps-rfc7030est-clarify/
this morning. It attempts to address the errata posted by Sean Turner in
2017 on RFC7030. Specifically the use of Content-Type-Encoding
ent stream.
ood of a MUD URL
being the only extension that can be afforded an IDevID is significantly less
likely.
architectures. I suspect that there are some other variations
that I have neglected or just not considered.
internet-dra...@ietf.org wrote:
> A new version of I-D, draft-richardson-anima-masa-considerations-01.txt
> has been successfully submitted by Michael Richardson and
>> are just recommendations.
> Did you mean to write "while *not* a BCP"? In any case you've
> tagged the draft for the standards track, which seems wrong.
I meant to mark it as BCP (fixing), or perhaps it would informational.
I'm not really sure if it makes sense to pub
literally connecting desktops via ACP Connect.
Another way will involve putting bastion hosts (ssh-jump-hosts) into the NOC,
as well as hosting virtual desktops on hypervisors connected via ACP Connect.
Owen Friel (ofriel) wrote:
>> > It is vendor specific, and it's baked in.
>>
>> Thanks. That was my working assumption, but I suggest stating it up
front in
>> draft-friel-anima-brski-cloud.
> [ofriel]
Just a reminder that the -30 draft posted last week resolves, I think, all of
your COMMENTS and DISCUSS points.
Hi Alissa, just a reminder that the -30 draft posted during IETF week
resolves the Yang Doctor issue that you had raised.
dor specific, and it's baked in.
The idea is that we can transform the well-known, but very much proprietary
"call-home" process that many devices use today into something that enables a
transfer of ownership mechanism.
ure, Amazon,
etc.) do today for onboarding, in that the customer is never actually
represented.
The certificate might be ACME.
[truncated ASCII ladder diagram; only the step label "7. etc." survives]
In both cases, the voucher response provides a pin of the Local Registrar.
r and process
proceeds as normal. Note that the registrar still has to be proven
by voucher. There could be attacks on the pledge via DNS.
This flow does not work at all for devices/manufacturers with poor supply
integration, as the Cloud RA would have no idea where to redirect the device.
ngs fit together and created no new requirements, bits-on-a-wire, or
protocols.
Toerless, I am preparing a document on Operational Considerations for
Registrars: "Operational Considerations for BRSKI Registrar"
I was reviewing section 8.1, on ACP connect.
To allow for auto-configuration of NMS hosts, the ACP edge device and
NMS hosts using ACP connect SHOULD support
d-sale problem.
So I could do three slides on possible ways to solve this problem, posting a
document on Monday.
the
> pledge is mandated to generate a strong random or pseudo-random number
> nonce." So to also say "the nonce [...] does not require a strong
> cryptographic randomness" seems to be in conflict with the former
> statement.
> Are you saying that "
graphs to clarify things, but
maybe we failed.
> s/described Appendix B/described in Appendix B/ (sorry, section number
> not visible from diff; maybe 40% through the diff)
fixed.
> Section 5.4 is missing an "for" in "SHOULD be used for authentication of
> the MASA".
fixed.
> s/accesptable/acceptable/
fixed.
> Figure 17 is introduced as an "abstract example", though it seems more
> of a concrete one after this diff.
fixed.
ly implemented, the request method is not allowed to be changed
when reissuing the original request. For example, a POST request should be
repeated using another POST request.[29]
It seems that we should probably be answering the voucher-request POST with
uld just drop the statement. The whole point of the nonce is to
> prevent replay attacks, so why would we want to weaken that?
I don't want someone to think that they need to include an additional
source of hardware entropy just for the nonce. They already need a well
seeded PRNG (RFC
different things, or am I misreading the document in some other way?
A Cryptographically Strong Sequence is more than enough. (section 6.2 of
RFC4086).
We don't need a "unguessable random number" (seed) section 5.
Maybe I'm splitting hairs here.
-keyinfra-29
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-anima-bootstrapping-keyinfra
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-anima-bootstrapping-keyinfra-29
istinguished Encoding Rules (DER)", ITU-T Recommendation
X.690, ISO/IEC 8825-1, August 2015,
<https://www.itu.int/rec/T-REC-X.690/>.
kert I note that the e-mail addresses for the YANG module
> are the same as those for the YANG module in RFC8366; I do not know
> which are correct.
People moved to different companies since publication :-)
> contact "WG Web: <http://tools.ietf.org/wg/anima/> s
P 1.1 persistent connections" vs. "HTTP
>> > persistent connections", though?
>>
>> I am using the latter now.
> Please double-check; I think I saw one in the -28 (but didn't make a
> note of where).
I found a second insta
used as the domainID. If not, the SPKI Fingerprint as described in
[RFC7469] section 2.4 is to be used. This value needs to be
calculated by both MASA (to populate the audit-log), and by the
Registrar (to recognize itself).
We tried hard and found a way not to say SHA-1 directly, allowing SHA25
have preferred that RFC7951 had maybe said that it shall be
base64URL, but that base64 shall be tolerated.
It's irksome because JWS specifies base64URL, and the JSON spec is silent.
FC8366?
lNumber MUST be there. If that is
alvaro> what you meant from the start, then I’m ok with it. :-)
So you prefer the reworded text, and I will use that in -29.
https://tinyurl.com/y5l4xz3z
YANG doctor comments to come for -29, sometime after the RIPE IOT session
tomorrow.
dly be
surprised if additional purchases switching/routing products are
purchased. Deviations from a historical trend or an established
baseline would, however, be notable.
ed to be specified:
> a) which of CN-ID/DNS-ID/URI-ID/SRV-ID are allowed
> b) are wildcards allowed in any of these?
I've added text:
The use of a DNS-ID for validation is
appropriate, and it may include wildcard components on the
left-most side.
{i.e. what browser
On 2019-10-13 4:39 a.m., Dan Romascanu via Datatracker wrote:
Reviewer: Dan Romascanu
Review result: Ready with Issues
I am the assigned Gen-ART reviewer for this draft. The General Area
Thank you for this.
I will address the majority of your issues with a -29 that I'll post this week.
Given that
> YANG issues raised by Tom Petch need fixing. Is there a plan to get either of
> those done?
I'm working on those fixes today.
Also at RIPE79, and have two more conference calls, so I don't think I'll get
it done before your call tomorrow, but it could happen :-)
Thank you Tom, I'll try to fix the issues you found this week.
Esko Dijk wrote:
> Besides the minor issues mentioned in the Gen-ART review, there also
> still a couple of open issues in the tracker
> https://github.com/anima-wg/anima-bootstrap/issues Shouldn't these be
> resolved also? Or is it already planned to do that later? Rejection of
in this area.
+1
I think that we need to spend some high-level time discussing what happens
next, now that we have completed the ACP work (ACP, BRSKI, architecture)
{Our AD tells me that BRSKI will return to the IESG at a call very soon}
Brian E Carpenter wrote:
> We recently posted draft-carpenter-anima-l2acp-scenarios-01 following
> the discussion at IETF 105.
> We'd like to briefly present the updates and get WG opinions whether
> this work should be adopted.
Can we find some MACsec expertise?
Adam, Alexey,
version -28 of the document contains a CDDL definiton for the audit-log
response.
https://www.ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-27&url2=draft-ietf-anima-bootstrapping-keyinfra-28
I hope that I'm done now!
CUSS
I have included the following text in the two places we specify TLS:
Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is
REQUIRED.
e registrar performs log verifications in addition to local
>> > authorization checks before accepting optional pledge device
>> > enrollment requests.
>>
>> > Maybe give us a section reference to what the "log validations" are?
>>
sionally, or via the /cacerts
EST method.
The pledge would contain the logic to connect, and would know what name to
use, and would know how to validate it.
serial
console.
ofile of CMP, maybe
that would suit you better for these disconnected uses rather than fullcmc.
Regardless, how would one discover and signal the use of fullcmc or CMP?
registrar (equivalent to EST server) are:
o Client authentication is automated using Initial Device Identity
(IDevID) as per the EST certificate based client authentication.
The subject field's DN encoding MUST include the "serialNumber"
| attribute with the device's
e addition to the ACP applicability stating the above be
>> useful?
> Oh sure, the link-local IPv6 of the proto-ACP would be a great way to
> show locality. Please do add some text regarding the ACP
> applicability.
Added after -26.
ust-anchor
(the manufacturer's CA), then a compromise of the
manufacturer's CA would compromise both keys. Such a
compromise of the manufacturer's CA likely compromises
all keys outlined in this section.
a fair concern, but in and of itself is not an excuse to skip
> reasoning through the risks of the parallel workflow. How much effort
> has already been spent doing that reasoning through? For example, one
> might want to require that the pledge track which nonce belongs to the
>
an LDevID certificate) from
having vouchers issued against them.
Other cases of inappropriate voucher issuance are detected
by examination of the audit log.
his model supports the <4h
SLA on service repair that most vendors have, and which they support by
stocking spares in the local city, but not for a specific customer.
I see that I've answered the rest already.
The perils of all these CCs.
plicability stating the above
be useful?
>> But, that's why we have SHOULD, and the SHOULD (vs MUST) part was really to
>> allow for some fancy HTTP/3 we know nothing about :-)
> :)
> Do we still want to say "HTTP 1.1 persistent connections" vs. "
te
>> the EST TLS session using the newly obtained credentials. This
>> - occurs by the client initiating a new TLS ClientHello message on the
>> - existing TLS connection. The client MAY simply close the old TLS
>> - session and s
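Review bot: the sentences being removed describe TLS renegotiation (a new ClientHello sent on the existing TLS connection), which TLS 1.3 does not support, so dropping them is right; the surviving text should then state plainly that the client closes the old TLS session and opens a new TLS connection with the newly obtained credentials, rather than leaving "The client MAY simply close the old TLS session" as the only remaining wording, since a MAY does not tell a TLS 1.3 client what it must do instead.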
https://tinyurl.com/y2skc9xz
Michael Richardson wrote:
>> o The subject-alt field's encoding MAY include a non-critical
>> version of the RFC4108 defined HardwareModuleName. (from [IDevID]
>> section 7.2.9) If the IDevID is stored in a Trusted Platform
s the
Registrar End-Entity Certificate, when in fact it is the Registrar's
CA certificate. As a CA certificate, it SHOULD always have the
SubjectKeyIdentifier.
We are presently discussing whether the EE Registrar cert should get
audited.
tion such that it uses the
>> SubjectKeyIdentifier, if present. That can be any algorithm that the CA
>> wants to use to identify the Entity certificate. We need to have a
>> consistently calculated value if it's not present, and RFC5280 says SHA-1.
>>
+ the URL to the prepared (and idempotent, therefore cachable) audit
+ response in the Location: header.
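Review bot: "idempotent, therefore cachable" conflates two properties: idempotence means repeating the request has the same effect, while whether a response may be cached depends on the request method and the response's cache-control headers, so a response to a POST is not cacheable merely because the operation is idempotent. Suggest saying that the Location: header carries a URL from which the prepared audit response can be retrieved with GET, and stating the intended caching behaviour separately if it matters; also s/cachable/cacheable/.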
Does this fix things for you?
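The pledge-side checks argued over in several of the messages above, written out as one added example that is not code from BRSKI, RFC 8366 or any of the drafts: the nonce comparison that fails when a voucher echoes a nonce other than the one in the pledge's own voucher-request (the parboiled-voucher-request mismatch, and the point that a well-seeded CSPRNG is all the nonce needs); the pinned-domain-cert check that accepts the registrar's TLS leaf whether the pin is the registrar's own certificate or a CA above it (the point Ben Kaduk raised); and the domainID rule from the SubjectKeyIdentifier and SPKI-fingerprint discussion. It uses Go's standard crypto/x509 on a constructed test PKI (a domain CA given an arbitrary SubjectKeyIdentifier, a registrar certificate under it, and a rogue self-signed certificate carrying the registrar's name). The voucher's CMS signature and JSON/CBOR encoding are left out, and the names "Domain CA" and registrar.example are assumptions, not from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewNonce draws the voucher-request nonce from the OS CSPRNG; a well-seeded
// CSPRNG (RFC 4086 section 6.2) is all the nonce needs, no extra entropy source.
func NewNonce() []byte {
	n := make([]byte, 16)
	must(rand.Read(n))
	return n
}

// NonceMatches is the pledge's replay check: the nonce echoed in the voucher
// must equal the one the pledge placed in its own voucher-request.
func NonceMatches(requestNonce, voucherNonce []byte) bool {
	return subtle.ConstantTimeCompare(requestNonce, voucherNonce) == 1
}

// VerifyRegistrar accepts the registrar's TLS leaf if it is the pinned-domain-cert
// itself (pin = registrar EE cert) or chains to it (pin = a CA above the registrar).
func VerifyRegistrar(pin, leaf *x509.Certificate, intermediates []*x509.Certificate) error {
	if pin.Equal(leaf) {
		return nil
	}
	if !pin.IsCA {
		return errors.New("pinned-domain-cert is neither the TLS leaf nor a CA")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pin)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// DomainID is the SubjectKeyIdentifier when present, otherwise the RFC 7469
// section 2.4 SPKI fingerprint: SHA-256 over the DER SubjectPublicKeyInfo.
func DomainID(c *x509.Certificate) []byte {
	if len(c.SubjectKeyId) > 0 {
		return c.SubjectKeyId
	}
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return sum[:]
}

var CASKI = []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04} // SKI given to the constructed domain CA

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs t with a fresh P-256 key under parent (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI: constructed domain CA, a registrar EE cert under it, and a rogue
// self-signed cert that carries the registrar's name but does not chain to the CA.
func BuildPKI() (ca, reg, rogue *x509.Certificate) {
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Domain CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, SubjectKeyId: CASKI}
	regT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "registrar.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	ca, caKey := issue(caT, nil, nil)
	reg, _ = issue(regT, ca, caKey)
	rogue, _ = issue(regT, nil, nil)
	return ca, reg, rogue
}

func main() {
	ca, reg, rogue := BuildPKI()
	nonce := NewNonce() // the value the pledge put in its voucher-request
	fmt.Println("nonce echoed:", NonceMatches(nonce, nonce), " other nonce:", NonceMatches(nonce, NewNonce()))
	fmt.Println("pin=CA:", VerifyRegistrar(ca, reg, nil), " pin=leaf:", VerifyRegistrar(reg, reg, nil))
	fmt.Println("rogue registrar under CA pin:", VerifyRegistrar(ca, rogue, nil))
	fmt.Printf("domainID(CA)=%x domainID(registrar)=%x\n", DomainID(ca), DomainID(reg))
}
```

Running it shows the two accepted cases (pin equal to the leaf, pin being the CA that issued the leaf) and the rejected one: the rogue certificate carries the registrar's name but is not issued under the pin, so the name buys an attacker nothing. The CA's domainID comes back as its SubjectKeyIdentifier, while the registrar certificate, which has no SKI, falls back to the SHA-256 SPKI fingerprint.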