Thanks, Kent. Then it seems to me that we have a MAY floating around for CRL checking on the part of the registrar for BRSKI. Right?
Eliot On 3/9/17 7:25 PM, Kent Watsen wrote: > Hi Elliot, > > >> What is the thinking on including CRL pointer in the manufacturer >> signing cert? This question came up in industry discussions. > 802.1AR says that the IDevID secrets must be stored confidentially and be not > available outside the module. In practice, a crypto processor with > tamper-resistant NVRAM is used (e.g., TPM). As such, the likelihood of the > credentials being stolen/discovered are near zero, but it is not zero, as a > determined adversary with sufficient resources can still have their way with > it. Still, vendors will likely conclude that protecting against that level > of attack isn't necessary. That said, vendors face a more likely scenario, > of issues occurring by contract manufacturers, whether it be accidental or > intentional. And as unlikely this scenario may seem, things happen and the > vendor would be without recourse if unable to issue revocations. To this > extent, setting up the infrastructure to support revocations can be compared > to insurance - hopefully you never need it, but when you do, you're glad you > have it. > > Kent > > > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima