Hi Henk, Frank, Michael, Bob, thanks for this document.
I have a question regarding the IEEE 802.1AR-based of the description. Here is what I understand for use of certificates from 802.1AR (with my wording because RFC 2119 language is often missing in the 1AR spec):

* The DevID certificate subject field is always present, but can be empty. An IDevID certificate subject field MUST be non-null and SHOULD include a unique device serial number encoded as the serialNumber attribute. The subject field can contain information identifying the supplier or manufacturer of the device.
* IDevIDs SHOULD use the GeneralizedTime value 99991231235959Z in the notAfter field.
* The subjectAltName extension MAY be present in both DevID certificates and DevID intermediate certificates. If a DevID certificate includes a subjectAltName, that field should include a HardwareModuleName. When a TPM is used to provide DevID module functionality the IDevID certificate contains a subjectAltName that uses a HardwareModuleName to identify the TPM, the hwType identifying the TPM Version and the hwSerialNum containing the TPM Serial Number.
* All certificates contain the authorityKeyIdentifier (as a non-critical extension).
* Intermediate certificates contain the subjectKeyIdentifier, as a non-critical extension. The subjectKeyIdentifier extension SHOULD NOT be included in DevID certificates.
* If a critical keyUsage extension is included in the IDevID, it MUST include digitalSignature. The keyUsage extension MAY include keyEncipherment.

Is my reading of IEEE 802.1AR correct?

Ciao
Hannes
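The rules listed in the mail, turned into a conformance check over a parsed end-entity certificate. This is an added example, not code from the thread or from IEEE 802.1AR; it uses the `cryptography` library, and the sample certificate it checks is a constructed self-signed stand-in (constructed subject values, constructed TPM serial, and the placeholder OID 1.2.3.4 where a real TPM-version hwType OID would go).

```python
from datetime import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

HW_MODULE_NAME = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.4")  # id-on-hardwareModuleName (RFC 4108)
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59)              # 802.1AR notAfter value 99991231235959Z

def der_hardware_module_name(hw_type_der: bytes, hw_serial: bytes) -> bytes:  # SEQUENCE { hwType OID, hwSerialNum OCTET STRING }
    body = hw_type_der + bytes([0x04, len(hw_serial)]) + hw_serial   # short-form lengths only (< 128 bytes)
    return bytes([0x30, len(body)]) + body

def check_idevid(cert: x509.Certificate) -> list:  # the 802.1AR DevID rules from the mail that this cert violates
    findings = []
    if not cert.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER):
        findings.append("subject empty or without serialNumber (MUST be non-null, SHOULD carry serialNumber)")
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after  # attribute name differs by version
    if not_after.replace(tzinfo=None) != NO_EXPIRY:
        findings.append("notAfter is not 99991231235959Z (SHOULD)")
    def ext(oid):  # the extension, or None when absent
        try: return cert.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound: return None
    san = ext(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    if san and not any(n.type_id == HW_MODULE_NAME for n in san.value.get_values_for_type(x509.OtherName)):
        findings.append("subjectAltName present but without a HardwareModuleName")
    if ext(ExtensionOID.AUTHORITY_KEY_IDENTIFIER) is None:
        findings.append("authorityKeyIdentifier missing")
    if ext(ExtensionOID.SUBJECT_KEY_IDENTIFIER) is not None:
        findings.append("subjectKeyIdentifier present in a DevID certificate (SHOULD NOT)")
    ku = ext(ExtensionOID.KEY_USAGE)
    if ku and ku.critical and not ku.value.digital_signature:
        findings.append("critical keyUsage without digitalSignature (MUST)")
    return findings

def build_sample_idevid(include_ski: bool = False) -> x509.Certificate:  # constructed stand-in; include_ski=True breaks one rule
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Vendor"), x509.NameAttribute(NameOID.SERIAL_NUMBER, "DEV-SN-12345")])
    hw_type_der = bytes.fromhex("06032a0304")  # placeholder OID 1.2.3.4 standing in for the TPM-version hwType
    hwmod = x509.OtherName(HW_MODULE_NAME, der_hardware_module_name(hw_type_der, b"TPM-SERIAL-0001"))  # constructed serial
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(datetime(2024, 1, 1)).not_valid_after(NO_EXPIRY)
         .add_extension(x509.SubjectAlternativeName([hwmod]), critical=False).add_extension(ku, critical=True)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=False))
    if include_ski:
        b = b.add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return b.sign(key, hashes.SHA256())
```

`check_idevid(build_sample_idevid())` returns an empty list, while `check_idevid(build_sample_idevid(include_ski=True))` reports only the subjectKeyIdentifier finding.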