Hi Esko,
many thanks,
This week I will react. Many of the recommendations look quite viable.
Peter
Esko Dijk schreef op 2020-11-17 11:12:
Hello Peter,
I did my review of the new example certificates in Github. Below my feedback. Because examples are used in the constrained-voucher draft Appendix C, I include all authors in this email.
pledge-cert.txt / pledge-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/pledge-cert.txt) :
* The X509v3 extension 'subjectKeyIdentifier' should not be included according
to the 802.1AR-2009 spec section 7.2.6 (for IDevID/LDevID). Reason is that
this value in an EE certificate is never used for chain building; it's
unnecessary bytes effectively. Only CA certs do need this extension.
* The X509v3 extension 'keyUsage' is present, and is allowed per the
802.1AR-2009 spec section 7.2.13 , however looking at the 802.1AR text there it
basically says restrictions of key usage shouldn't be necessary for an IDevID -
it can be used for any purpose whether defined today or in the future. (Up to
the year 9999 at least :-) )
BRSKI-45 also writes "therefore RECOMMENDS that no key usage restrictions be included" for IDevID.
masa-cert.txt / masa-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/masa-cert.txt) :
* the validity (1 year) seems a little short for a manufacturing root CA. 3,
5, 7, or 10 years I would expect to be more usual for such a CA.
* Of course a Pledge stores this root CA cert in its trust store for the entire
device lifetime, and will keep using it during this lifetime. Even if that root
CA cert expired and the Pledge has a realtime clock so it *could* verify expiry
in principle. But it will not do that, because the cert is hardcoded in its
trust store. So I'm not sure if the validity of it has any impact in practice;
it seems not.
* Side note 1: the MASA will need to sign Vouchers with this root CA identity ,
for many years to come, and in the meantime the root CA cert may expire and
MASA may be given a renewed root CA cert that uses the same public/private
keypair. The latter - using same keypair - ensures that 'older' Pledges can
still recognize the signer and so accept these newer Vouchers. So the MASA's
root CA cert validity period will impact how often the cert needs to be renewed
- all the time using the same pub/private keypair - and that seems to be all.
* Side note 2: one can also have a MASA signing the Vouchers using an expired
root CA cert/identity. The Registrar and the Pledges won't mind.
* Side note 3: another easy way out of this is to give the MASA root CA
certificate also a very long / infinite lifetime just like the IDevID.
registrar-cert.txt / registrar-cert.hex (https://github.com/anima-wg/constrained-voucher/blob/master/examples/registrar-cert.txt)
* (Looks ok)
pledge-to-regis.txt (https://github.com/anima-wg/constrained-voucher/blob/master/examples/pledge-to-regis.txt)
* Looks like this should be a .hex file! Not .txt.
* (May consider a filename like 'pledge-to-regis.cbor.hex' to indicate it is
hex-format CBOR binary)
* Similar comment for the other 'x-to-y' .txt files.
* I will review the contents of these files later on!
Best regards
Esko
IoTconsultancy.nl | Email/Teams: [email protected]
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
