Hi Michael, I've got a question regarding the MASA voucher signing or better the certificate chain provisioning for the MASA certificate to the pledge.
RFC 8995 states in section 91.1. (https://www.rfc-editor.org/rfc/rfc8995.html#section-9.1.1) "The online service MUST have access to a private key with which to sign voucher artifacts [RFC8366<https://www.rfc-editor.org/rfc/rfc8995.html#RFC8366>]. The public key, certificate, or certificate chain MUST be built into the device as part of the firmware." I had the assumption that the pledge only knows its IDevID and with that his own certificate, public/private key pair and the certificate chain from the issuing CA to the trust anchor. In operational environments the issuing CA for the IDevID may not be the same as the issuing CA for the MASA signing certificate. From the requirement above, it would mean to provide the MASA certificate chain also in the pledge firmware, if it is different than the IDevID issuing CA. As the voucher is a CMS container that allows to convey the certificate chain of the signer in the SignedData, I would have expected it is contained there. This would be similar to the voucher request, in which the registrar-voucher-request also contains the certificate chain according to section 5.5.2 (https://www.rfc-editor.org/rfc/rfc8995.html#section-5.5.2), which states: "A certificate chain is extracted from the registrar's signed CMS container. " I would propose to also allow the submission of the certificate chain of the MASA signing certificate in the SignedData part of the CMS container of the voucher. Any thoughts? Best regards Steffen -- Steffen Fries
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
