Qin Wu <bill...@huawei.com> wrote:
    > Also I am wondering whether the voucher artifacts signed by
    > manufacturer, needs to closely tie with MASA. Maybe this relation can be
    > decoupled as well.

The critical thing that RFC8366 worried about is a *manufacturer* that had
poor serial number control.  This could be caused by the manufacturer being
big and different parts of the organization not being aware of what other
parts were doing.  This also can occur due to mergers and acquisitions.

None of this matters if the MASA are distinct, but clearly one of the savings
from the mergers would be that the MASA service would be centralized.

What we have figured out:

1) the pledge never needs to put idevid-issuer in.  Its certificate (and
   thus the issuer of said certificate) is in the DTLS Client certificate in
   protocol.  So the pledge never needs to know if an M&A has occurred :-)

2) the Registrar needs to extract the serial-number and idevid-issuer, and
   it SHOULD always include the idevid-issuer in the Registrar Voucher
   Request (RVR).  Since that part occurs on a non-constrained Internet, the
   extra 6 bytes of wrapper don't matter much, so just always include it.

3) the MASA knows if it must include idevid-issuer or not, and it should do
   an appropriate thing.

The remaining problem is just that we need to create voucher examples with
idevid-issuer included, where the idevid-issuer is *wrong*, in order to test
pledge verification code.  But, that should be doable as unit tests.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
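
The negative test described in the message above, sketched as an added example (not code from the original message or from any ANIMA implementation). It assumes the voucher signature has already been verified and the fields decoded into a dict; `check_voucher_identity`, `make_voucher`, `run_negative_tests` and all sample values are hypothetical.

```python
# Added example: pledge-side identity check on an already-verified voucher.
# Decoding (CBOR/JSON) and signature validation are assumed done elsewhere.
from typing import Dict, Optional, Tuple

PLEDGE_SERIAL = "SN-0001"                 # constructed sample serial-number
PLEDGE_AKI = bytes.fromhex("11" * 20)     # constructed AKI of the pledge's IDevID issuer
OTHER_AKI = bytes.fromhex("22" * 20)      # constructed AKI of an unrelated issuer


def check_voucher_identity(voucher: Dict, serial: str, aki: bytes) -> Tuple[bool, str]:
    """Accept only if the voucher names this pledge under this pledge's issuer."""
    if voucher.get("serial-number") != serial:
        return False, "serial-number mismatch"
    issuer = voucher.get("idevid-issuer")
    if issuer is None:
        # The MASA decides whether to include idevid-issuer; absence is allowed.
        return True, "serial-number match, idevid-issuer absent"
    # Present but wrong (other issuer, truncated, empty, wrong type) must fail:
    # this is what separates two devices that share a serial number.
    if not isinstance(issuer, (bytes, bytearray)) or bytes(issuer) != aki:
        return False, "idevid-issuer mismatch"
    return True, "serial-number and idevid-issuer match"


def make_voucher(serial: str, issuer: Optional[bytes] = None) -> Dict:
    """Build a constructed voucher body with only the fields the check reads."""
    voucher = {"assertion": "logged", "serial-number": serial}
    if issuer is not None:
        voucher["idevid-issuer"] = issuer
    return voucher


def run_negative_tests() -> Dict[str, bool]:
    """Map each constructed case to whether the pledge accepts it."""
    cases = {
        "issuer_correct": make_voucher(PLEDGE_SERIAL, PLEDGE_AKI),
        "issuer_absent": make_voucher(PLEDGE_SERIAL),
        "issuer_wrong": make_voucher(PLEDGE_SERIAL, OTHER_AKI),
        "issuer_truncated": make_voucher(PLEDGE_SERIAL, PLEDGE_AKI[:10]),
        "issuer_empty": make_voucher(PLEDGE_SERIAL, b""),
        "serial_wrong": make_voucher("SN-9999", PLEDGE_AKI),
    }
    return {name: check_voucher_identity(v, PLEDGE_SERIAL, PLEDGE_AKI)[0]
            for name, v in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_negative_tests().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
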


_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
