Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
"Max Pritikin (pritikin)" <pritikin@cisco.com> Wed, 01 April 2020 16:35 UTC
Return-Path: <pritikin@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 841603A12B6 for <anima@ietfa.amsl.com>; Wed, 1 Apr 2020 09:35:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WisfyXnp; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=D+599A78
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3fQoJgNFSYs for <anima@ietfa.amsl.com>; Wed, 1 Apr 2020 09:35:13 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 345243A12AB for <anima@ietf.org>; Wed, 1 Apr 2020 09:35:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14670; q=dns/txt; s=iport; t=1585758913; x=1586968513; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=pZCKZ+x2p5JK5D3Lx9olerhk/0JA+DRtz95o0ZRAX4s=; b=WisfyXnp/1VNeaBYTS4PwOaO82dnC+6jWwfyiy6Bq6EhTwBtNteeiR/a OtDz5uqy75W96eG2kr99UGxUlXvi0XwaMeIVx90xx6/dapd1xhZqkCjK0 hdrG2v6miN1NklNS+bbokr+SIkOjX5LeQo38TdFZOqtmYnNAkAEZaTi6C 0=;
IronPort-PHdr: 9a23:oPK52BRubbcgGdxYHKRFd6pTHdpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESXBNfA8/wRje3QvuigQmEG7Zub+FE6OJ1XH15g640NmhA4RsuMCEn1NvnvOjQgHdhDV15j13q6KkNSXs35Yg6arw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CyAABTwoRe/4oNJK1mGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBAYF7gVQpJwVsWCAECyoKhBCDRQOKb4JfgQGXHIJSA1QKAQEBDAEBGAsKAgQBAYFQgnQCF4IhJDgTAgMBAQsBAQUBAQECAQUEbYVWDIVwAQEBAQIBAQEQEREMAQEsBAcBBAcEAgEIEQQBAQECAh8HAgICJQsVCAgCBA4FIoMEAYJLAw4gAQ6jewKBOYhidYEygn8BAQWFIBiCDAMGgQ4qjDEaggCBEAEnIIIYNT6CZwEBgTwRFwEXD4JsMoIskQSGIpleCoI9jUSJXB2CTIgzjQeDbI0kmlyDNQIEAgQFAg4BAQWBaSKBWHAVGiEqAYJBPhIYDY4dOG8BAoJJhRSFQXSBKYtJAiYEA4EEAYEPAQE
X-IronPort-AV: E=Sophos;i="5.72,332,1580774400"; d="scan'208";a="465569413"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Apr 2020 16:35:12 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 031GZC9G015863 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 1 Apr 2020 16:35:12 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 1 Apr 2020 11:35:11 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 1 Apr 2020 12:35:10 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 1 Apr 2020 11:35:10 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AKll0gsDHwTQlssb/eBDDq1qz3eeDR2QusnlF8unHRsK2c2So6w2LbyPld+1CknXAwlz8XRzU68m9u4adpLz2KJ4IqO00oAl5Yuxn+FQWyvbUD+Mftd1AG+pZmPh/eGAL/yJ6CkyjkJE19XqVmur1Smlx3BzoJA/nzA0itWpaONGxYlbxBxE1D4raeUWwxbWD5j5gdCpAo/i62QRFV8reNGUmJ2/Q0N6zgvvCUBA0Q9qgF4OQJ6sMr/yCOOROlHlphTe/5GUrprNpBoUnh2E3e3biWLMzHIlfgUE898MwdghOIPyu90BJzb+pCjO6Znf7ExtY73huqJ1syxgN+Rv4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pZCKZ+x2p5JK5D3Lx9olerhk/0JA+DRtz95o0ZRAX4s=; b=cMtxdPQ5lAiz0McVvp0XpYZ/uqMJv4s1l2PF2G1Ri3VtaFyGqIA7/IoQqkBPYhh4FDLQT0x0F6TX8APJQhAnLBvQMPDIJMean0so1Y3o2Lnz8amL16oVif3o3DGdUkRZgZJ7/eVL1wqV7r281XYFBOaeLzspPhFydVOls9hg6Ndu2uMfcN+eMD6W/7OfrQ1/KQCiRYkK7X/a7CtozwPGymZZTB4wOwxfPQfd6zZ99ro+tJeaNz8RJK+isvdqaKEiVUSjU4fkXll2+lhzBTAcg4vQucrPP9iY+AgoZ/1m17derKVOWU+2hsr5CgxVQl2ghlUUxaMySVtINCw1PmiUPw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pZCKZ+x2p5JK5D3Lx9olerhk/0JA+DRtz95o0ZRAX4s=; b=D+599A78/CS+24BAhpFXBfnEmr1KRLTTsQuNvw/SLUUbD2hfMNcchiO0yyuDtG8+VUiWiiKgHrNPFOpvnGHHi1JOS+Ys1qghVUSiQMp5NT+BjrJHTvhRP5VERtBH4yjUzh0a9uOJhmT4ADZz63W/grDjDA6FpYfLvonCKjltM+8=
Received: from CY4PR11MB0072.namprd11.prod.outlook.com (2603:10b6:910:76::27) by CY4PR11MB1701.namprd11.prod.outlook.com (2603:10b6:903:22::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.18; Wed, 1 Apr 2020 16:35:08 +0000
Received: from CY4PR11MB0072.namprd11.prod.outlook.com ([fe80::35e8:4592:6e4:222b]) by CY4PR11MB0072.namprd11.prod.outlook.com ([fe80::35e8:4592:6e4:222b%7]) with mapi id 15.20.2856.019; Wed, 1 Apr 2020 16:35:08 +0000
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Benjamin Kaduk <kaduk@mit.edu>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
Thread-Index: AQHWBu/a5NhgfjXbgUyLOPBtD7awiahh9VUAgADXdgCAAF8PAIAA0r0AgAB6iIA=
Date: Wed, 01 Apr 2020 16:35:08 +0000
Message-ID: <832A0B17-70F4-43DE-8CC0-F81DFA7DC874@cisco.com>
References: <158561301296.11367.9776561744635554098@ietfa.amsl.com> <4603.1585620652@localhost> <20200331150202.GH50174@kduck.mit.edu> <600.1585687336@localhost> <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <AM5P190MB02751866462AE590EAD2EB14FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.60.0.2.5)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pritikin@cisco.com;
x-originating-ip: [72.163.2.251]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d9ff85c2-e864-4732-bab8-08d7d65aa454
x-ms-traffictypediagnostic: CY4PR11MB1701:
x-microsoft-antispam-prvs: <CY4PR11MB1701CF8076BBB9D2A5820B78DAC90@CY4PR11MB1701.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 03607C04F0
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR11MB0072.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(39860400002)(396003)(346002)(366004)(376002)(136003)(91956017)(316002)(8676002)(186003)(81166006)(76116006)(81156014)(8936002)(4326008)(6916009)(86362001)(2616005)(6512007)(26005)(66446008)(64756008)(66556008)(66476007)(66946007)(6486002)(71200400001)(33656002)(5660300002)(478600001)(2906002)(53546011)(36756003)(6506007)(966005)(54906003); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0TsgVVIhPndc70XGDxp/eqx7+Wc1r6/TUnAAMVA2YJhwfkLaKND6S6GObqxamIvjQpvm4iqWk45aVteXpm6aIlH2sKWLiRasHaVIvjNFfbDGOkrVE0ggev+3CJyAxLYDIZODLvPo4mTy4VyExKeGci2Zf1nP7NgOnCmFeY8Mo09VId5UvbyfBZgvHbvB2UPh4MMNWjIvxA7D/iYWUjBPjNF66lOM59bLetK/7WaFge+wwVAEsqXJ2Vdue5p+hGPV0uWC1VHp6bo7pB4MdC5sCd5cXlSD4xMHEtvU63q8RgDSg+ct14fADhF14M5oHTuqluJWsg3r5Q8g6s5c+ciOTQfP0ln4JB40b1eSea084tCHogECmGaGXT8xjDdh48i9/zYzwtjiIJD80Fwem2qpTggQqvCMchAB1BZJ6hYZYQarGE2i9Ep0lsT0QqLoKURAI23ib6aWY9ztOQ/Qh1ptG9+qCskw80dBpfE/gmeQO1nZWL+0Sclu9jTH+Mh940fbcJRkiA+eAmODUHCh6ZO8Sg==
x-ms-exchange-antispam-messagedata: 1bG6ykFuLV+x2VeEimEmZW99LljSeKMafkR35/MIurPNOFNy+QlTSOaYpKW+CEK4aEcNQKFFLkHocm8shh8I22/S/+Q5iwBJH5kcQClIB4RdjHHOpm4XXEQJb+KEYgBkd3lqhJPwEl6o2eAhyHFuxA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2B1FA571DDA3494093098E09CCD0C410@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d9ff85c2-e864-4732-bab8-08d7d65aa454
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2020 16:35:08.7422 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KS74oYwq5HXbtqG7xxqFiqbDJr9UH4XR4eNaIIjxeX0RQAygyeeP/LoKqW6Tree67AWpUVcVbbX68YjmKRSVUQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR11MB1701
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.12, xch-rcd-002.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LeJrHftz95AN6pVjxJZXuwatBbc>
Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 16:35:33 -0000
On the discussion of what the ‘pinned-domain-cert’ is please refer to the language of RFC8366:
leaf pinned-domain-cert {
type binary;
mandatory true;
description
"An X.509 v3 certificate structure, as specified by RFC 5280,
using Distinguished Encoding Rules (DER) encoding, as defined
in ITU-T X.690.
This certificate is used by a pledge to trust a Public Key
Infrastructure in order to verify a domain certificate
supplied to the pledge separately by the bootstrapping
protocol. The domain certificate MUST have this certificate
somewhere in its chain of certificates. This certificate
MAY be an end-entity certificate, including a self-signed
entity.";
Within that document we opted for this language as it supports a large set of use cases including offline voucher issuance etc. It supports pinning a specific end-entity and it supports pinning a CA. Each of these have operational benefits as discussed extensively throughout this working groups activities. The example voucher’s within draft-ietf-anima-bootstrapping-keyinfra-39 are consistent with this.
This discussion has raises a discontinuity though. The brski draft encourages, actually mandates, using the CA certificate. This is too likely too strong of a “be conservative in what you do” as it limits use of public CA infrastructures and it causes confusion in the intended pledge behavior of “be generous in what you accept”.
To resolve this the draft can be slightly less explicit in which certificate is sent from the registrar to be pinned. This is not as conservative as the current language but ensures all uses cases envisioned by the RFC8366 work is maintained. The following is a summary of changes intended but expect an actual diff real soon:
s 5.5. Registrar Requests Voucher from MASA
"The entire registrar certificate chain, up to and including the Domain CA, MUST be included in the CMS structure.”
This sentence will be softened to allow the registrar flexibility to choose how high up the chain to pin. This is ‘less conservative’ and admits the flexibility intended.
s 5.5.2 MASA pinning of registrar
"This CA certificate will be used to populate the "pinned-domain-cert" of the voucher being issued.”
This sentence to clarify that the highest cert in the chain submitted by the registrar is used rather than the explicit CA certificate. This is being more “generous in what you accept”.
s 5.6.2 Pledge authentication of provisional TLS connection
"The 'pinned-domain-cert' element of the voucher contains the domain CA's public key.”
This language aligned with the RFC8366 language to ensure we maintain the “generous in what you accept” behavior intended by RFC8366.
Michael is a rock star and is working on the actual text changes.
-max
> On Apr 1, 2020, at 3:16 AM, Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
>
> Michael, Could you clarify what you mean with "EE certificate" and "domain's EE certificate" ? Of which entity? And how can a domain have an end entity certificate - I expect this to always be a CA?
>
> I share Ben's view that the pinned-domain-cert is a CA certificate. If not the case, then the text needs to be updated in several places.
> Based on the discussion, trying to list some practical cases we can have of the pinned-domain-cert:
>
> 1. the Registrar's certificate, which is an RA type certificate at least. (It MAY be a CA certificate instead of RA, if the Registrar itself acts as CA non-delegated. )
> This is the most narrow pinned certificate that enables the Pledge to validate the Registrar it's talking to. If we allow RA certificate pinning then the BRSKI text needs to be updated!
> 2. the Domain CA certificate used by the EST server (=Registrar) to sign newly created certificates. (This MAY equal the Registrar's certificate, although it typically will not be.)
> This is a wider pinned certificate that enables the Pledge to validate the Registrar it's talking to, and also validate the Domain CA that will be used later on to issue operational certificate via EST.
> It is not necessarily a root CA certificate. This case is compatible with current BRSKI text.
> 3. a Domain CA cert of a domain larger than the above EST CA.
> It is not necessarily a root CA certificate. This case is compatible with current BRSKI text.
> 4. the root CA cert of the Domain.
> This case seems compatible with current BRSKI text, although the text suggest that typically the root CA is something with wider scope, beyond the pinned-domain-cert. (But not necessarily)
>
> Also there are use cases where full PKI is used, and other use cases where a "cheap" self-signed root CA (not using PKI) is used for e.g. a building installation - I say that both cases need to be supported by BRSKI.
> In the latter case, the self-signed limited-scope root CA will typically be used as the pinned-domain-cert. And the EST server will create certificates signed by this same root CA.
>
> Esko
>
> -----Original Message-----
> From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Tuesday, March 31, 2020 22:42
> To: Benjamin Kaduk <kaduk@mit.edu>; The IESG <iesg@ietf.org>; draft-ietf-anima-bootstrapping-keyinfra@ietf.org; anima-chairs@ietf.org; anima@ietf.org; tte+ietf@cs.fau.de
> Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)
>
>
> Benjamin Kaduk <kaduk@mit.edu> wrote:
>> My interpretation of "pinned-domain-cert is always a CA certificate" seems
>> to have persistent support throughout the text:
>
> I see how you might conclude that the pinned-domain-cert is always a CA
> certificate from the text, rather than being a trust-anchor that the pledge
> is to use to validate the chain that it got.
>
> It certainly can be a CA certificate. That does work, because when the
> pledge puts it into it's trust-anchor list, the result is that it is able to
> validate the TLS Server Certificate of the provisional TLS connection.
> But, it has no RFC6125 process it can follow to validate a name.
>
> It does not have to be *the* CA root certificate, it could be some
> intermediate CA if such a thing existed (such as an Enterprise CA), and in
> some cases, if this was a public trust root and there were no path
> constraints, that might actually be *insecure*, since that would authenticate
> any TLS connection.
>
> I think that this means that the voucher would be able to validate any
> owner within that public CA's list. It's okay if it's a private CA.
>
> Eliot says in the call:
> The pinned-domain-cert must include sufficient chain to validate the TLS
> connection. This certificate must only be used for this purpose.
> Longer use trust anchors are retrieved as part of the EST /cacerts request.
>
> My implementation of the MASA puts the EE certificate in which is as narrow
> as one can be. The Siemens implementation puts in the CA certificate, and we
> interoperate because of how we treat this on the pledge. Siemens has much
> stronger supply chain restrictions though.
>
>
>
> This is the diff that I would make.
> I am most concerned about the difference in the voucher:
>
> - <t hangText="pinned-domain-cert:">The domain CA cert. See <xref
> + <t hangText="pinned-domain-cert:">The domain's EE cert. See <xref
>
> Because this is too narrow rather than too wide now.
>
>
> diff --git a/dtbootstrap-anima-keyinfra.xml b/dtbootstrap-anima-keyinfra.xml
> index b800ec3..3bdf797 100644
> --- a/dtbootstrap-anima-keyinfra.xml
> +++ b/dtbootstrap-anima-keyinfra.xml
> @@ -2143,11 +2143,11 @@ locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]]]></artwork>
> The registrar's certificate chain is extracted from the signature
> method. The entire registrar certificate chain was
> included in the CMS structure, as specified in <xref target="RequestVoucherFromMASA" />.
> - This CA certificate will be used to populate the
> + The EE certificate will be used to populate the
> "pinned-domain-cert" of the voucher being issued.
> </t>
> <t>
> - If this domain CA is unknown to the MASA, then it is to be
> + If this domain's CA is unknown to the MASA, then it is to be
> considered a temporary trust anchor for the rest of the steps
> in this section. The intention is not to authenticate the
> message as having come from a fully validated origin, but
> @@ -2377,7 +2377,7 @@ INSERT_TEXT_FROM_FILE example-voucher.json END
> <t hangText="assertion:">The method used to verify the relationship
> between pledge and registrar. See <xref
> target="MASAassertion"/>.</t>
> - <t hangText="pinned-domain-cert:">The domain CA cert. See <xref
> + <t hangText="pinned-domain-cert:">The domain's EE cert. See <xref
> target="MASApinned"/>. This figure is illustrative, for an example,
> see <xref target="exampleprocess" /></t>
> <t hangText="serial-number:">The serial-number as provided in the
> @@ -2454,10 +2454,12 @@ INSERT_TEXT_FROM_FILE example-voucher.json END
> </section>
> <section anchor="PledgeAuthenticationOfProvisionalTLS"
> title="Pledge authentication of provisional TLS connection">
> - <t>The 'pinned-domain-cert' element of the voucher contains the domain
> - CA's public key. The pledge MUST use the 'pinned-domain-cert' trust
> - anchor to immediately complete authentication of the provisional TLS
> - connection.</t>
> + <t>
> + The 'pinned-domain-cert' element of the voucher contains the
> + domain CA's issued EE certificate. The pledge MUST use the
> + 'pinned-domain-cert' trust anchor to immediately complete
> + authentication of the provisional TLS connection.
> + </t>
> <t>If a registrar's credentials cannot be verified using the
> pinned-domain-cert trust anchor from the voucher then the TLS
> connection is immediately
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
- [Anima] Benjamin Kaduk's Discuss on draft-ietf-an… Benjamin Kaduk via Datatracker
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Brian E Carpenter
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Eliot Lear
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Max Pritikin (pritikin)
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Michael Richardson
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Esko Dijk
- [Anima] ACME integrations with BRSKI and cmcRA bit Michael Richardson
- Re: [Anima] ACME integrations with BRSKI and cmcR… Esko Dijk
- [Anima] ACME integrations with BRSKI and the cmcR… Michael Richardson
- Re: [Anima] ACME integrations with BRSKI and the … Esko Dijk
- Re: [Anima] [Acme] ACME integrations with BRSKI a… Deb Cooley
- Re: [Anima] [Acme] ACME integrations with BRSKI a… Michael Richardson