Michael Richardson wrote:
> Note: We have three anchors that we might like to deploy.
> 1) the key that signs the RFC8366/constrained-voucher objects. Could
> be a RPK.
> 2) the key that signs the IDevID certificates in the devices. Most
> likely a RFC5280 self-signed cert
So since you haven't got a keycode... what would you do?
Like an ATM skimmer attack - collect keycodes that people key in?
Anyway, all I was really suggesting is that the Security
Considerations need to explain why there is no vulnerability
due to obtaining the list of pledges via mDNS.
Regar
Thank you for the replies.
(Omitting unicast CCs by request)
It seems that
1) /.well-known/jwks.json might not be in as common use as I thought, but
maybe OAUTH types might want to register it so as to reduce surprise in
the future.
2) We, ANIMA, should probably have two or three RFC7517
Brian E Carpenter wrote:
>> > In any case, isn't the list of pledges itself a point of attack for
>> > someone attempting to install a rogue device? So the security of the
>> > list of pledges should perhaps be discussed in the Security >
>> Considerations, even though it's outsid
