RFC8995 (BRSKI) has a section 7.2, Pledge Security Reductions, one item of which is:

> 4. A craft/serial console could include a command such as "est-enroll [2001:db8:0:1]:443" that begins the EST process from the point after the voucher is validated. This process SHOULD include server certificate verification using an on-screen fingerprint.

I am implementing this option in my pledge enrollment code. This is primarily driven by a lack of IDevIDs, particularly in virtual machine test code.

Automating some of this has a significant benefit, as I was just rather puzzled by an error from IPsec: "issuer cacert not found". Well... duh... I hadn't copied the cacert to the new machines.

The activity described in the above paragraph is mostly just RFC7030. In my code base, I believe that I will include some HTTP Authentication with a one-time-ish password generated by the registrar. ("one-time-ish", because I think that I'll make it last for the entire day, rather than just once.)

"Mostly" just RFC7030, because I think it should probably do the telemetry returns.

Also, I think that the "server certificate verification" should be understood to mean validating the Registrar Domain (CA) certificate. Not sure if that warrants an errata.

And the bikeshed question is: what would you call this process that involves no vouchers?

p.s.: I keep thinking about ways to get IDevID into brownfields and into VMs.

p.p.s.: Come to the inaugural Device Identity Forum meeting, May 15. https://www.sandelman.ca/deviceidentityforum

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
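An added example (not code from the post or from the author's pledge implementation) of the pledge-side pieces the console command implies: parsing "est-enroll [host]:port", checking the registrar (CA) certificate against a fingerprint the operator reads off a screen, and building the HTTP Basic credentials for the RFC 7030 simpleenroll request. The command name, the Basic-auth scheme, the day-scoped password and the stand-in certificate bytes are assumptions; no network call is made.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed stand-in for the DER-encoded Registrar Domain (CA) certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded registrar CA certificate"


def parse_est_enroll(command: str) -> tuple[str, int]:
    """Split 'est-enroll <host>:<port>' into (host, port); IPv6 literals use brackets."""
    name, _, target = command.strip().partition(" ")
    if name != "est-enroll" or not target:
        raise ValueError("expected: est-enroll <host>:<port>")
    parts = urlsplit("//" + target)  # URL parsing already handles [v6]:port
    if parts.hostname is None or parts.port is None:
        raise ValueError("registrar address must be host:port")
    return parts.hostname, parts.port


def display_fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case SHA-256, the form shown on the registrar's screen."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(shown: str) -> str:
    """Accept what an operator types from the screen: colons, spaces, either case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", shown).lower()
    if len(digits) != 64:
        raise ValueError("SHA-256 fingerprint must be 64 hex digits")
    return digits


def registrar_cert_matches(cert_der: bytes, shown: str) -> bool:
    """Constant-time compare of the presented CA certificate against the on-screen value."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(shown))


def est_enroll_request(command: str, cert_der: bytes, shown: str, user: str, day_password: str) -> dict:
    """Refuse to enroll unless the fingerprint matches; otherwise describe the simpleenroll POST."""
    host, port = parse_est_enroll(command)
    if not registrar_cert_matches(cert_der, shown):
        raise PermissionError("registrar certificate does not match the on-screen fingerprint")
    hostpart = f"[{host}]" if ":" in host else host
    token = base64.b64encode(f"{user}:{day_password}".encode()).decode()
    return {"url": f"https://{hostpart}:{port}/.well-known/est/simpleenroll",
            "headers": {"Authorization": "Basic " + token, "Content-Type": "application/pkcs10"}}
```

The fingerprint check must run on the certificate the TLS session actually presented before any credentials are sent, otherwise the day-scoped password leaks to whatever answered on that address.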
_______________________________________________
Anima mailing list -- anima@ietf.org
To unsubscribe send an email to anima-le...@ietf.org