Benjamin Kaduk <[email protected]> wrote: > Apparently I only have one comment buried inline. We must be making > progress :)
>> > The audit log is a defense against this in that it allows for
>> post-facto > discovery of misuse? Or is there some pre-issuance
>> authorization check > going on. > I think I may need some section
>> references to where the authorization > policy (options) are
>> documented; I've lost a bit of state on this one.
>>
>> That's right, the audit log provides discovery of mis-use. The check
>> belongs prior to issurance of an LDevID, and may be repeated regularly
>> afterwards.
>>
>> I think you are asking for a list of MASA authorization policy
>> options. We do not have such a menu of options, and I'm reluctant to
>> write them down normatively at this point, as I think that there are
>> combinations we do not yet understand.
>>
>> 5.5.3 points out that nonceless vouchers need more authorization.
>> Other parts of 5.5 provide other options. Please let me know if you
>> think this is insufficient for a Proposed Standard.
> I think I'd like to see a small addition after/near "[t]his
> verification is only a consistency check that the unauthenticated
> domain CA intended the voucher-request signer to be a registrar"
> (perhaps at the end of the paragraph?) noting something like "since the
> domain CA is unauthenticated to the MASA, depending on MASA policy,
> vouchers not authorized by the pledge owner may be issued; the MASA
> audit log can be used to detect such missisuance".
I've added:
<t>
Even when a domain CA is authenticated to the MASA, and there is
strong sales channel integration to understand who the legitimate
owner is, the above cmcRC check prevents arbitrary End-Entity
certificates (such as an LDevID certificate) from
having vouchers issued against them.
</t>
<t>
Other cases of inappropriate voucher issuance are detected
by examination of the audit log.
</t>
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
