Russ Housley <hous...@vigilsec.com> wrote:
>>> Is that identity now an LDevID (even though it has a completely
>>> different shape than the IDevID), or is a certificate based LDevID
>>> still created as part of the process, or can the device happily
>>> complete the ANIMA processes without an LDevID?
>>
>> I wouldn't call it an LDevID.
>> You don't need to do EST and ask for an LDevID.

> I do not see this being prohibited. It would require:
> - CA recognizes the trust anchor associated with the IDevID,
> - CA can issue the LDevID,
> - Client can authenticate the EST server based on something configured at the factory.

I think you are speaking at cross-purposes.
Christian wants to know if ANIMA/BRSKI can "complete" without asking for an LDevID. (yes)
Alternatively, if some OSCORE context with a symmetric key can count.

You have latched onto getting an LDevID without using EST.
Agreed: you don't need EST, you can use any other enrollment protocol you want, and the BRSKI-AE document is about using CMP, for instance.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace