Max Pritikin (pritikin) wrote:
> (libjwt) didn’t support it. After looking at the code more closely I’m
> not sure a jwt abstraction layer is really even needed; JWS is pretty
> simple to use directly. I’ve forked libjwt and will upload my diff to
> github
> You can see this by exploding the output from openssl dgst via asn1parse:
> pritikin@ubuntu:~/tmp/jwt$ openssl asn1parse -in signature.sign -inform DER
> 0:d=0 hl=2 l= 69 cons: SEQUENCE
> 2:d=1 hl=2 l= 32 prim: INTEGER
>
Kent,
> On Apr 20, 2017, at 6:55 PM, Max Pritikin (pritikin)
> wrote:
>
>>
>> On Apr 20, 2017, at 6:51 PM, Kent Watsen wrote:
>>
>>
>> Hi Max,
>>
>> I'd like to reproduce your experiment, but I can't find a library
>> that supports the 'x5c'
> I think Peter’s point is that moving to JWT for the voucher signature
> but depending on PKCS#7 in the /cacerts exchange results in client’s
> being required to handle both formats.
This is one of my issues, when thinking about the NETCONF zerotouch
bootstrapping draft, as all the other
About a), I don't think putting all the CA certs in the voucher is a good idea.
EST should be used instead. I don’t think it is right for someone to expect the
voucher to distribute its roots of trust. What if a CA cert gets revoked or
expires? EST has the transitional certs that allow for root