Esko Dijk <[email protected]> wrote:
> For cBRSKI I've created a new PR:
> https://github.com/anima-wg/constrained-voucher/pull/325
I reviewed.
> 1. We want the equivalent of certificate chains as carried in CMS
>    signing envelope on the unconstrained network path
> 2. We don't want these lengthy certificate chains carried on the
>    constrained network path (by default), to save bytes/time.
> 3. We'd like MASA to be able to sign a voucher with an arbitrary
>    certificate chain, or self-signed CA, or a raw public/private keypair.
> 4. Registrar should be able to easily retrieve MASA's signing
>    method/chain, whatever it was.
Right, and remove the extra stuff, and you've done a good job there.
> As a solution the "x5chain" attribute from RFC 9360 is now used to
> carry a certificate / chain that was used for signing. And a Registrar
Your PR goes from x5bag -> x5chain in many places, and I'm not sure I
understand why. A few places still say x5bag: I'm not sure which to pick.
Should all instances of x5bag go away?
I also wondered if there is any value in the self-signed RPK mechanism.
The Registrar can't really trust anything in the unprotected header, but I
guess if it hasn't got the RPK via some other way, then at minimum this lets
it verify the signature. The voucher arrived via HTTPS anyway.
So I do not object to including this instruction.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
