Closed stfries closed 3 years ago
Proposal to require the SKID to be included, as it can be used as a direct reference value without the need to define a specific algorithm. Will be included in the next version (02) of BRSKI-AE.
Note that this would be in addition to IEEE 802.1AR, as there the SKID is only required for intermediate CA certificates. In end entity certificates it should not be included as "Its omission conserves space and certificate chain building does not make use of it, even if present." For the application in BRSKI-AE the advantage would be the independence of the chosen hash algorithm and the avoidance of recalculating this fingerprint.
Agent-signing certificate referenced using SubjectKeyIdentifier in "kid". Included as a requirement for the LDevID(RegAgt) EE certificate.
```
{
  "alg": "ES256",
  "kid": "base64encodedvalue=="
}
{
  "ietf-voucher-request-trigger:agent-signed-data": {
    "created-on": "2021-04-16T00:00:01.000Z",
    "serial-number": "callee4711"
  }
}
{
  SIGNATURE
}
```
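Added example, not code from the draft or from the issue author, contrasting the two header choices discussed in this issue. It derives a SubjectKeyIdentifier with RFC 5280 section 4.2.1.2 method (1) from a SubjectPublicKeyInfo, builds the JWS protected header once with `kid` and once with `x5t` / `x5t#S256` (RFC 7515), and shows the registrar-side lookup: a `kid` is matched by direct comparison against the SKID the registrar already holds, while a thumbprint forces the registrar to re-hash every candidate certificate with the algorithm the header implies. The DER helpers, the P-256 point, the stand-in certificate bytes and the base64url-without-padding encoding of `kid` are all assumptions made for this example; a real registrar reads the SKID from the certificate extension rather than recomputing it.

```python
import base64
import hashlib
import json

# --- minimal DER helpers (constructed for this example) ---

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; long-form lengths up to 65535 are enough here."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start : start + length], start + length


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS header values are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_P256 = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7


def build_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for an EC P-256 key (the point is a constructed sample)."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY) + der_tlv(0x06, OID_P256))
    bit_string = der_tlv(0x03, b"\x00" + point)  # first octet: 0 unused bits
    return der_tlv(0x30, alg + bit_string)


def subject_key_identifier(spki_der: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet."""
    tag, seq, _ = read_tlv(spki_der)
    assert tag == 0x30
    _, _algorithm, pos = read_tlv(seq)
    tag, bits, _ = read_tlv(seq, pos)
    assert tag == 0x03
    return hashlib.sha1(bits[1:]).digest()


# --- JWS protected headers for the two reference styles ---

def header_with_kid(skid: bytes) -> dict:
    """Reference the agent-signing certificate by its SubjectKeyIdentifier."""
    return {"alg": "ES256", "kid": b64url(skid)}


def header_with_x5t(cert_der: bytes, sha256: bool = False) -> dict:
    """x5t (RFC 7515 4.1.7) is SHA-1 of the DER certificate; x5t#S256 uses SHA-256."""
    if sha256:
        return {"alg": "ES256", "x5t#S256": b64url(hashlib.sha256(cert_der).digest())}
    return {"alg": "ES256", "x5t": b64url(hashlib.sha1(cert_der).digest())}


def resolve_agent_cert(header: dict, trusted: list):
    """Registrar side: find the agent-signing certificate named by the header.
    Each trusted entry is {"cert_der": ..., "skid": ...}, where skid is the
    value the registrar already read from the SubjectKeyIdentifier extension."""
    if "kid" in header:  # direct value comparison, no hash algorithm involved
        return next((c for c in trusted if b64url(c["skid"]) == header["kid"]), None)
    if "x5t" in header:  # must re-hash every candidate certificate with SHA-1
        return next((c for c in trusted
                     if b64url(hashlib.sha1(c["cert_der"]).digest()) == header["x5t"]), None)
    if "x5t#S256" in header:  # same again, but with SHA-256
        return next((c for c in trusted
                     if b64url(hashlib.sha256(c["cert_der"]).digest()) == header["x5t#S256"]), None)
    return None


# Constructed sample data: not real key material and not a real certificate.
AGENT_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
AGENT_SPKI = build_spki(AGENT_POINT)
AGENT_SKID = subject_key_identifier(AGENT_SPKI)
AGENT_CERT_DER = b"constructed-stand-in-for-LDevID(RegAgt)-DER:" + AGENT_SPKI
TRUSTED = [{"cert_der": AGENT_CERT_DER, "skid": AGENT_SKID}]

if __name__ == "__main__":
    print(json.dumps(header_with_kid(AGENT_SKID)))
    print(json.dumps(header_with_x5t(AGENT_CERT_DER)))
    print(json.dumps(header_with_x5t(AGENT_CERT_DER, sha256=True)))
```

Running the block prints the three candidate headers; the `x5t` and `x5t#S256` values differ, so sender and registrar must agree on the thumbprint algorithm out of band, whereas the `kid` value is the certificate's own identifier and stays stable regardless of which hash the certificate was signed with.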
Reflected in BRSKI-AE draft version 02
In #9 we discussed including agent-signed-data in the trigger and the pledge voucher request to address proximity between the registrar-agent and the pledge. This signed object is a JWS object containing a reference to the utilized agent signing certificate.
The question is whether this reference should be "x5t" containing the certificate hash or "kid" containing the SubjectKeyIdentifier of the agent signing certificate.
Example: