RFC 8366 specifies an idevid-issuer to identify the CA that issued the IDevID. It says:
https://www.rfc-editor.org/rfc/rfc8366.html#section-5.3

    leaf idevid-issuer {
      type binary;
      description
        "The Authority Key Identifier OCTET STRING (as defined in
         Section 4.2.1.1 of RFC 5280) from the pledge's IDevID
         certificate.  Optional since some serial-numbers are
         already unique within the scope of a MASA.
         Inclusion of the statistically unique key identifier
         ensures statistically unique identification of the
         hardware.  When processing a voucher, a pledge MUST ensure
         that its IDevID Authority Key Identifier matches this
         value.  If no match occurs, then the pledge MUST NOT
         process this voucher.

         When issuing a voucher, the MASA MUST ensure that this
         field is populated for serial-numbers that are not
         otherwise unique within the scope of the MASA.";
    }

We have some discussion about what exactly this means.
https://github.com/anima-wg/constrained-voucher/issues/161 captures this as three possibilities:

  1) only the KeyIdentifier OCTET STRING
  2) the complete AuthorityKeyIdentifier ASN.1 SEQUENCE structure
  3) the complete Authority Key Identifier extension OCTET STRING value
     'extnValue' per Section 4.1 of RFC 5280

Esko suggests that (3) is the correct thing, detailed as:

    OCTET STRING (26 byte) 30168014D5039FC78A4DC0468760191FD71B1534C2D88428
      SEQUENCE (1 elem)
        [0] (20 byte) D5039FC78A4DC0468760191FD71B1534C2D88428

> I meant here 26 bytes, sorry!
> So 2 bytes 04 18 are used to encode 'OCTET STRING', 2 bytes 30 16 for
> 'SEQUENCE', 2 bytes 80 14 for the '[0]' and the rest is the actual
> KeyIdentifier (20 bytes).

We think this is consistent with other users of Authority Key Identifier.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
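The following is an added example and is not code from the email, from RFC 8366 or from the constrained-voucher draft. It builds the three candidate idevid-issuer encodings discussed above from the 20-byte KeyIdentifier in Esko's dump, so the byte layout of each form can be checked, and shows a pledge-side check for form (3): unwrapping extnValue back to the KeyIdentifier with a strict DER decoder that rejects anything that is not OCTET STRING > SEQUENCE > [0], and comparing the voucher's value with the pledge's own AKI extension as RFC 8366 Section 5.3 requires. The function names, the short-form-length-only DER helpers and the "mismatch" sample value are assumptions of this example, not identifiers from the draft.

```python
"""Three candidate encodings of RFC 8366 idevid-issuer and a pledge-side
match check for form (3).  Added example; not part of the original email."""
import hmac
from binascii import unhexlify

# KeyIdentifier from Esko's dump in the thread (20 bytes, the usual SHA-1 key hash).
KEY_ID = unhexlify("D5039FC78A4DC0468760191FD71B1534C2D88428")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short-form length, content < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("this example only handles short-form DER lengths")
    return bytes([tag, len(content)]) + content


def option1_key_identifier(key_id: bytes) -> bytes:
    """(1) Only the KeyIdentifier OCTET STRING contents: the raw 20 bytes."""
    return key_id


def option2_aki_sequence(key_id: bytes) -> bytes:
    """(2) AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier } (RFC 5280 4.2.1.1).

    Wire form: 30 16 80 14 <20-byte key id>  (24 bytes).
    """
    return der_tlv(0x30, der_tlv(0x80, key_id))


def option3_extn_value(key_id: bytes) -> bytes:
    """(3) The extension's extnValue OCTET STRING wrapping the SEQUENCE (RFC 5280 4.1).

    Wire form: 04 18 30 16 80 14 <20-byte key id>  (26 bytes), as in the dump above.
    """
    return der_tlv(0x04, option2_aki_sequence(key_id))


def decode_tlv(buf: bytes, expected_tag: int) -> tuple[bytes, bytes]:
    """Decode one short-form DER TLV; return (content, trailing bytes)."""
    if len(buf) < 2 or buf[0] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}")
    length = buf[1]
    if length >= 128 or len(buf) < 2 + length:
        raise ValueError("bad or unsupported DER length")
    return buf[2:2 + length], buf[2 + length:]


def key_identifier_from_extn_value(extn_value: bytes) -> bytes:
    """Unwrap form (3) strictly: OCTET STRING -> SEQUENCE -> [0] keyIdentifier.

    Anything else (forms (1) or (2), trailing garbage) raises rather than being
    guessed at, so a voucher carrying an unexpected encoding fails closed.
    """
    seq, rest = decode_tlv(extn_value, 0x04)
    if rest:
        raise ValueError("trailing bytes after extnValue OCTET STRING")
    body, rest = decode_tlv(seq, 0x30)
    if rest:
        raise ValueError("trailing bytes after AuthorityKeyIdentifier SEQUENCE")
    # [1] authorityCertIssuer / [2] authorityCertSerialNumber may follow; not needed here.
    key_id, _ = decode_tlv(body, 0x80)
    return key_id


def pledge_accepts_idevid_issuer(voucher_idevid_issuer: bytes, pledge_aki_extn_value: bytes) -> bool:
    """RFC 8366 5.3: the pledge MUST NOT process a voucher whose idevid-issuer does not
    match its own IDevID Authority Key Identifier.  Both sides are compared as form (3);
    a malformed voucher value is treated as a mismatch."""
    try:
        voucher_key_id = key_identifier_from_extn_value(voucher_idevid_issuer)
        own_key_id = key_identifier_from_extn_value(pledge_aki_extn_value)
    except ValueError:
        return False
    return hmac.compare_digest(voucher_key_id, own_key_id)


def layout_hex(value: bytes) -> str:
    """Uppercase hex of an encoded value, for eyeballing against the dump above."""
    return value.hex().upper()


if __name__ == "__main__":
    for name, fn in (("(1)", option1_key_identifier), ("(2)", option2_aki_sequence), ("(3)", option3_extn_value)):
        enc = fn(KEY_ID)
        print(f"{name} {len(enc):2d} bytes: {layout_hex(enc)}")
    print("pledge match:", pledge_accepts_idevid_issuer(option3_extn_value(KEY_ID), option3_extn_value(KEY_ID)))
```

Running it prints the 20-, 24- and 26-byte encodings; the 26-byte line reproduces the "04 18 30 16 80 14 ..." breakdown Esko gives. Note that a receiver cannot reliably tell forms (1), (2) and (3) apart by inspection (a raw KeyIdentifier may legitimately begin with 0x04 or 0x30), which is why fixing one encoding in the specification matters.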