Mike Ounsworth <[email protected]> wrote:
> I am going to make a maybe bold statement here. I have seen Evidence --
> I've played with TPM attestation, I've seen PSA Tokens, I'm designing
> the PKIX-Key-Attest format. But I have never seen an AR.
I have, but not in production yet.
Thomas gave me an example for this document, btw.
> I've never
> actually held one in my hand. I find these discussions about what
> features should and should not be supported for ARs to be rather too
> abstract.
I also very much agree. Much in AR4SI, etc. is too abstract for my taste.
> For example, would an AR satisfying the question "Prove that the
> device's secure boot chain is intact" be syntactically and semantically
I don't think that this is a statement I care about in the AR.
* I expect if the boot chain is not intact then there will be no AR.
(if *secureboot* itself failed, then the RoT is probably not secure. That's a
complete failure, and it's undetectable, btw)
> interoperable with one satisfying the question "Prove that the device
> is joined to the Corp Domain and that the currently logged-in user
> matches the CN in the cert request". Given that I have never actually
* "device is joined to the corp domain" <- I think that I would expect the
AR to just say, "corp-domain=corp.example". I don't know exactly what Evidence
would be involved for the Verifier to support that, but I don't see a problem.
* "matches the CN in the cert request" is very specific, and I would not
expect this. I would expect "[email protected]" in the AR.
Not every CSR is even going to be about a client certificate.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
