-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multipart for voucher response? #42
Comments
Panos K. <[email protected]> wrote:
This was first described by Michael in
https://bitbucket.org/6tisch/draft-richardson-6tisch-dtsecurity-secure-join/commits/a2c01d7800509418957f7ce05a298a753758146f
The draft says
```
The CMS structure SHOULD also contain all the certificates leading up to and
including the signer's trust anchor certificate known to the recipient.
```
There was a thread about this, which reached no conclusion. Maybe you could
include that in slides for IETF105 again?
I am using a multipart/mixed (in HTTPS) from MASA to Registrar, so that the
Registrar can receive the correct certificates in order to validate the
voucher.
The Pledge *ought* never need this, since it ought to have all the anchors,
except if pledge has only a multi-step certificate chain that it needs to
receive. That puts certain restrictions on the CA structure of the MASA.
When the voucher response include the rw public key or cert for the
recipient to verify. Does that need to be done with a multipart
response as we do with server side key generation in EST-coaps by
referencing
https://tools.ietf.org/html/draft-ietf-core-multipart-ct-03? Should
that be stated in the document?
If we intend to return the certificate chain to the pledge, then we ought to
do with in the unprotected bucket of the voucher.
…--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
|
Gotcha @mcr . Yes, HTTP mixed is what I meant. Agreed. I think it should be mentioned in the draft. About the pledge, gotcha. I think this should be spelled out a little better even your BRSKI or Voucher drafts, but that is not important right now. |
The above multipart discussion seems to be applicable only between Registrar and MASA, so it would fall outside the current scope of constrained-voucher! This seems more like an update to BRSKI - so we should move this issue to BRSKI-bis , in any case close it here. If I don't hear an objection I will close it in 2 weeks ;-) |
The reason it is withing constrained-voucher is because the issue arises when sending a constrained-voucher from MASA->Registrar. |
Ah ok, then it seems relevant indeed.
In case 1) I think we do not need multipart or I can't see a use for it since the preference is to include any additional information in the Voucher structure. |
This was first described by Michael in https://bitbucket.org/6tisch/draft-richardson-6tisch-dtsecurity-secure-join/commits/a2c01d7800509418957f7ce05a298a753758146f
The draft says
When the voucher response include the rw public key or cert for the recipient to verify. Does that need to be done with a multipart response as we do with server side key generation in EST-coaps by referencing https://tools.ietf.org/html/draft-ietf-core-multipart-ct-03? Should that be stated in the document?
The text was updated successfully, but these errors were encountered: