Michael, Magnus,
I want to reinforce a point I made in that previous discussion about pledges
using BRSKI with H2 (and by extension QUIC). In this limited case, both
present needless overhead both in terms of dev costs and COGS. H2 in
particular, and in this particular case, introduces new
Eliot> I think the simplest way to address the bulk of both Adam’s and
Eliot> Warren’s concern is to require the device to emit via whatever
Eliot> management interface exists, upon request, a voucher that it has
Eliot> signed with its own iDevID. It would have to be nonceless with
Eliot>
Eliot Lear wrote:
> Whether such a voucher would be pinned is something we do not have to
> specify, with the risks of it not being pinned being born by the owner.
I beg to differ!
I think that the security properties are vastly different.
It's why we decided when creating RFC8366 not
I presume I am missing something basic.
I have tried to follow this discussion, as it seems to be about a
critical aspect of whether the BRSKI work is acceptable.
I have assumed that what we needed is the ability for a buyer, who has
physical possession of the device, and possibly some simple
Eliot Lear wrote:
> I think the simplest way to address the bulk of both Adam’s and
> Warren’s concern is to require the device to emit via whatever
> management interface exists, upon request, a voucher that it has signed
> with its own iDevID. It would have to be nonceless