Re: [Anima] CRLs in iDevID manufacturer signing certs?

2017-03-11 Thread Michael Richardson
Eliot Lear wrote: > What is the thinking on including CRL pointer in the manufacturer > signing cert? This question came up in industry discussions. Kent Watsen wrote: > 802.1AR says that the IDevID secrets must be stored confidentially and

Re: [Anima] CRLs in iDevID manufacturer signing certs?

2017-03-09 Thread Kent Watsen
My view is that, if the IDevID has a CRL/OCSP URL listed, then the validator SHOULD do the checking. If the vendor didn't actually want revocation checking done, then the vendor should've excluded such information from their IDevID certs. FWIW, 802.1AR takes a much more neutral stance in Section

Re: [Anima] CRLs in iDevID manufacturer signing certs?

2017-03-09 Thread Eliot Lear
Thanks, Kent. Then it seems to me that we have a MAY floating around for CRL checking on the part of the registrar for BRSKI. Right? Eliot On 3/9/17 7:25 PM, Kent Watsen wrote: > Hi Elliot, > > >> What is the thinking on including CRL pointer in the manufacturer >> signing cert? This

Re: [Anima] CRLs in iDevID manufacturer signing certs?

2017-03-09 Thread Kent Watsen
Hi Elliot, > What is the thinking on including CRL pointer in the manufacturer > signing cert? This question came up in industry discussions. 802.1AR says that the IDevID secrets must be stored confidentially and be not available outside the module. In practice, a crypto processor with

[Anima] CRLs in iDevID manufacturer signing certs?

2017-03-09 Thread Eliot Lear
Hi, What is the thinking on including CRL pointer in the manufacturer signing cert? This question came up in industry discussions. Eliot