[Hipsec] X.509 CSR in HIP registration

Robert Moskowitz <rgm@htt-consult.com> Wed, 21 August 2019 20:46 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3EF71200B1 for <hipsec@ietfa.amsl.com>; Wed, 21 Aug 2019 13:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9eAszb9pf_A for <hipsec@ietfa.amsl.com>; Wed, 21 Aug 2019 13:46:31 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA459120091 for <hipsec@ietf.org>; Wed, 21 Aug 2019 13:46:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 5906C62110 for <hipsec@ietf.org>; Wed, 21 Aug 2019 16:46:30 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id OcZtMuGYHrKW for <hipsec@ietf.org>; Wed, 21 Aug 2019 16:46:28 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 3B99760933 for <hipsec@ietf.org>; Wed, 21 Aug 2019 16:46:26 -0400 (EDT)
To: HIP <hipsec@ietf.org>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <b8d1653c-7a9b-10c5-4386-8f1f59ee013d@htt-consult.com>
Date: Wed, 21 Aug 2019 16:46:17 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/xFj3TBblgIbdsFYqMVFYPk31YqQ>
Subject: [Hipsec] X.509 CSR in HIP registration
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 20:46:35 -0000

I have been working on my Hierarchical HIT drafts.  I have been testing 
building x.509 certs with them as the SAN.  Thing is were do these certs 
come from?

So I moved on to when the device uses HIP Registration to register the 
HHIT to its Registry, it could present a CSR in the payload and if 
successfully registered (no duplicate HIT and policy test passes), would 
receive the cert back.

Has anyone looked at this in the past?  8002 assumes the cert was 
created some other way.  I am looking at the cert as a sort of proof of 
registration.

Opinions?

Bob