[future threads about SZTP should CC NETCONF, the WG that published/maintains 
SZTP]

Hi Steffen,

> Hi Kent, 
> 
> There is a further YANG related question in the context of BRSKI-AE. 
> 
> In one use case, the pledge has no direct connection to the registrar and a 
> registrar-agent communicates with the pledge. In that specific case we do not 
> have a TLS connection between the pledge and the registrar-agent and protect 
> the exchanged objects by an additional signature. This is done by embedding 
> the necessary information into a JOSE object. 
> For the enrollment Michael was pointing to the YANG module in 
> https://datatracker.ietf.org/doc/html/draft-ietf-netconf-sztp-csr to avoid a 
> double definition to transport a certification request. In BRSKI-AE we 
> currently use a PKCS#10 request, but using the defined ietf-sztp-csr would 
> also allow using other formats. 
> 
> For the enrollment request created by the pledge we have defined the 
> following JOSE object:
>   {
>     "alg": "ES256",
>     "x5c": ["MIIB2jCC...dA=="]
>   }
>   {
>     "ietf-sztp-csr:csr": {
>       "p10": "base64encodedvalue=="
>     }
>   }
>   {
>     SIGNATURE
>   }
> 
> The question (https://github.com/anima-wg/anima-brski-async-enroll/issues/10) 
> now is whether this construct is possible, as we are just using a subset 
> (sztp-csr:csr) of the YANG module "ietf-sztp-bootstrap-server" from 
> draft-ietf-netconf-sztp-csr?

This is not possible.


> The alternative would be to define a module of our own, modeled in a similar. 

You can do this.


> Best regards
> Steffen

K.
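As an added illustration of the "define a module of your own" option discussed above (this is not from the page, from BRSKI-AE, or from draft-ietf-netconf-sztp-csr), the hypothetical module below puts the certification request in a top-level container so the JSON encoding can stand alone as the JOSE payload; the module name, namespace and prefix are placeholders.

```yang
module example-brski-ae-csr {
  yang-version 1.1;
  // Placeholder namespace and prefix: a real module would use IANA-assigned values.
  namespace "urn:example:brski-ae-csr";
  prefix ae-csr;

  organization "Example (placeholder)";
  description
    "Hypothetical module that carries a pledge's certification request as a
     top-level data node, so that its JSON encoding can be used directly as
     the payload of a signed JOSE object when no TLS channel exists between
     pledge and registrar-agent.";

  container csr {
    description
      "The certification request created by the pledge.";
    choice csr-format {
      mandatory true;
      description
        "Exactly one encoding of the request is present; further cases can
         be added later for other request formats.";
      case p10 {
        leaf p10 {
          type binary;
          description
            "A DER-encoded PKCS#10 CertificationRequest (base64 in the
             JSON encoding, as RFC 7951 specifies for 'binary').";
        }
      }
    }
  }
}
```

With this module the signed payload becomes `{"example-brski-ae-csr:csr": {"p10": "base64encodedvalue=="}}`, i.e. the top-level member name is qualified by this module's own name rather than by ietf-sztp-csr.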


_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
