Re: [Anima] parameters to change pledge certificate

Sat, 24 Jul 2021 11:57:16 -0700 

{reposted with permission}

Can I repost this to the list?  My reply is public if you want forward or reply.

Esko Dijk <esko.d...@iotconsultancy.nl> wrote:
    > I use another Pledge for the Nordic NRF embedded platform, that one
    > only stores the MASA_SRV_CRT but not CA_MASA_CRT.

BTW: if would be great if you are willing to write into the hackathon
     document what platforms you have code for, and if useful, whether they
     are are FreeRTOS, Zephyr, Contiki{,NG}, RIOT-OS, other...

    > This Pledge actually *omits* the MASA CA certificate during the DTLS
    > handshake, under the assumption that the Registrar will already store
    > this certificate (out-of-band / manually added) or has a way to obtain
    > it e.g. through a sales integration process.

When you say MASA CA, do you mean the entity that signed the pledge's IDevID?
The CA_MASA_CRT below?

I agree that it can be omitted.  Either the Registrar has it, or the
Registrar is willing to operate in a promicuous mode, so sending it makes no
sense.

Technically, it's not the MASA CA, it's the Manufacturer CA, btw.

    > I remember you said yesterday the Registrar also needs to be updated to
    > trust a new MASA; and that is true in this case if the Registrar is
    > really verifying the Pledge like it should. In my Registrar this
    > verification is probably not done yet :)

The Siemens-BT Registrar needs to have the Manufacturer CAs loaded into it's
keystore, and the server restarted.  Maybe they changed that.

    > Just to see if we agree.
    > When going from one pledge to another I need to change 5 parameters

    > PLEDGE_CRT       the certificate of the pledge
    > PLEDGE_KEY       the key that is need for signing request voucher by 
pledge
    > PLEDGE_COMB    combining PLEDGE_CRT and PLEDGE_KEY

Is this a p12 or another format?

    > MASA_SRV_CRT   the masa certificate to verify masa voucher
    > CA_MASA_CRT     the masa self-signed certificate that signs MASA_SRV_CRT 
and PLEDGE_CRT

My mapping of term is:

PLEDGE_CRT       -> device.crt
PLEDGE_KEY       -> key.pem

MASA_SRV_CRT     -> masa.crt
CA_MASA_CRT      -> vendor.crt

    > Any superfluous ones ?

Should this terms go into my masa-considerations document?

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima

Reply via email to