Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-05-31 Thread Michael Richardson
Max Pritikin (pritikin) wrote:
> (libjwt) didn’t support it. After looking at the code more closely I’m
> not sure a jwt abstraction layer is really even needed; JWS is pretty
> simple to use directly. I’ve forked libjwt and will upload my diff to
> github

Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-24 Thread Kent Watsen
> You can see this by exploding the output from openssl dgst via asn1parse:
> pritikin@ubuntu:~/tmp/jwt$ openssl asn1parse -in signature.sign -inform DER
> 0:d=0 hl=2 l= 69 cons: SEQUENCE
> 2:d=1 hl=2 l= 32 prim: INTEGER
>

Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-21 Thread Max Pritikin (pritikin)
Kent,

> On Apr 20, 2017, at 6:55 PM, Max Pritikin (pritikin) wrote:
>
>> On Apr 20, 2017, at 6:51 PM, Kent Watsen wrote:
>>
>> Hi Max,
>>
>> I'd like to reproduce your experiment, but I can't find a library
>> that supports the 'x5c'

Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-19 Thread Kent Watsen
> I think Peter’s point is that moving to JWT for the voucher signature
> but depending on PKCS#7 in the /cacerts exchange results in client’s
> being required to handle both formats.

This is one of my issues, when thinking about the NETCONF zerotouch bootstrapping draft, as all the other

Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-19 Thread Panos Kampanakis (pkampana)
About a), I don't think putting all the CA certs in the voucher is a good idea. EST should be used instead. I don’t think it is right for someone to expect the voucher to distribute its roots of trust. What if a CA cert gets revoked or expires? EST has the transitional certs that allow for root