Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
    >> The private keys from the Southbound interfaces SHOULD NOT be made
    >> available on the Northbound interfaces.

    > This new sentence reads slightly strangely, since private keys must
    > never be available anywhere! So what exactly SHOULD NOT be available
    > to the North?

Yes, I see that someone might think the southbound interface is going to
serve up the private keys, and I can rewrite that somehow.  I'll go look at
TLS documents or something to understand how they express this better.

The private key must be available to do signatures for mechanisms running on
the system containing the southbound interface.  It could be embedded in a
secure element, as long as it can satisfy the needs of the southbound AKE
(whether that's (D)TLS or EDHOC).


--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide


_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima