Michael Richardson <[email protected]> wrote:
> Note: We have three anchors that we might like to deploy.
> 1) the key that signs the RFC8366/constrained-voucher objects. Could
> be an RPK.
> 2) the key that signs the IDevID certificates in the devices. Most
> likely an RFC5280 self-signed certificate, but of course, it's a trust
> anchor, so likely only the public key matters.
> 3) the manufacturer could have a CA trust anchor, and #1 and #2 might
> be provided via subordinate CAs, and only #3 needs to be transferred.
> (#1 is an EE certificate)
Is there some interest in automating such things?
I think it would be a pretty simple document, with most of the discussion
probably being whether we should allow the user to type in "example.com",
and have it turn that into "https://masa.example.com/.well-known/brski/..."
fetches. That UI would likely then present a fingerprint to be confirmed.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
