Closed malishav closed 8 months ago
Using G_Y
, i.e. the EDHOC ephemeral key of the responder, to generate the PoP in the CSR would bind the current run of EDHOC to the enrollment request: Similarly to #17 this does not play nicely with re-enrollment because EDHOC may not be executed during re-enrollment.
However, since the client (EDHOC Initiator) authenticated the server (EDHOC Responder) during the execution of EDHOC, the client must know the server's CRED_R
. Therefore, as a possible optimization, the client can use the server's CRED_R
to generate a PoP in its CSR, and skip querying the /crts
resource. Would that make sense @emanjon?
CC: @gselander
Proposal:
G_Y
of the server/Responder to generate PoP./crts
( if a combined delivery through draft-ietf-core-oscore-edhoc is being used, we are already in the EDHOC session and G_Y
is readily available.)
From John Mattsson's review (https://mailarchive.ietf.org/arch/msg/ace/h85KdNLkMxqzCZjJlY-fGlPEyVw/):