EntrustCorporation / draft-rats-pkix-evidence

An IETF Internet Draft specifying a standardized attestation evidence format intended for HSMs and other cryptographic devices

Add a section on cert profile #11

Open ounsworth opened 3 months ago

ounsworth commented 3 months ago

We should add a section that describes what CA/RAs are supposed to do with this attestation data. I.e., we expect that any sort of evidence can be carried in a CSR, and the CA/RA is expected to apply its cert policy / CPS to decide if this evidence meets the bar for issuing this certificate.

nedmsmith commented 3 months ago

It seems that description combines the Verifier and RP roles in the CA. It would be nice if both roles are described separately. For example, the CA forwards evidence to an internal Verifier that returns an attestation result. The CA then determines whether to issue a certificate based on the Attestation Results.

In a more complex use case, an RA might embed the Verifier and the Attestation Results flow to the CA...
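As an added illustration of the role split discussed in this thread (not code from the draft or from this repository), the model below keeps the Verifier, which appraises Evidence and returns Attestation Results, separate from the CA acting as Relying Party, which applies its cert policy to those results. The evidence encoding, the HMAC integrity check, the claim names and the policy are all constructed assumptions; the draft's actual CSR-carried evidence format is not modeled here.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the Attester's signing key; a real device would sign
# with an attestation key whose trust anchor the Verifier is provisioned with.
ATTESTER_KEY = b"constructed-demo-key"


def make_evidence(claims, nonce):
    """Attester side: bind claims to the RP-supplied nonce and integrity-protect them."""
    body = json.dumps({**claims, "nonce": nonce}, sort_keys=True).encode()
    tag = hmac.new(ATTESTER_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verifier(evidence, expected_nonce):
    """Verifier role: appraise Evidence and return Attestation Results.

    It reports what the Evidence proves; it does not decide on issuance."""
    tag = hmac.new(ATTESTER_KEY, evidence["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, evidence["tag"]):
        return {"status": "invalid", "reason": "bad signature"}
    claims = json.loads(evidence["body"])
    if claims.get("nonce") != expected_nonce:
        return {"status": "invalid", "reason": "stale nonce"}
    return {"status": "verified",
            "claims": {k: v for k, v in claims.items() if k != "nonce"}}


def relying_party(results, policy):
    """CA as Relying Party: apply the cert policy / CPS to Attestation Results only."""
    if results["status"] != "verified":
        return False, results["reason"]
    for claim, required in policy.items():
        if results["claims"].get(claim) != required:
            return False, f"policy requires {claim}={required!r}"
    return True, "issue"


def ca_decides(csr, policy):
    """Flow from the thread: Evidence goes to a Verifier, the CA consumes the results.

    When an RA embeds the Verifier, verifier() runs on the RA and only the
    results dict crosses to the CA; the CA logic is unchanged."""
    results = verifier(csr["evidence"], csr["nonce"])
    return relying_party(results, policy)
```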