Michael Richardson <m...@sandelman.ca> writes: > Bjørn Mork <bj...@mork.no> wrote: > > > I assume the private key must be protected on the device. What are the > > hardware requirements? > > There are no hard and fast rules. It certainly would be best if it's in some > enclave. But, my take is that something is better than nothing
I agree that this sounds useful in any case. But a key which can actually certify that you're talking to that specific device is so much better. I believe it should be seriously considered if you're going to do this. Maintaining a PKI and adding more device specific data will have a cost. Doing it "properly" might not be significanty more expensive. At least not if you can use functionaliy already there in the SoC (or other chips). Of which I know absolutely nothing, except that todays SoCs come with more functional blocks than I can count on my fingers. > In the RFC8995 onboarding situation, it would be used directly during > bootstrap, but then probably replaced with an LDevID with a more accessible > private key. Thanks for the pointer. This section is pretty close to answering my "IDevID howto for dummies" request: https://datatracker.ietf.org/doc/html/rfc8995#name-initial-device-identifier (and a sidenote: I'm really impressed that you got the IETF to standardize "BRSKI", pronounced like "brewski", is a colloquial term for beer in Canada and parts of the Midwestern United States Great work! :-) Bjørn _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
