Closed mkovatsc closed 5 months ago
mcr
commented
5 months ago Hi, there is way too many comments for me to catch up: sorry.
"End Entity (EE) Certificate" refers to any certificate that isn't a CA. I understand you keep referring to the certificate that the Registrar-Agent has as an LDevID, but I really don't think it should be called that. It's a Registar-Agent EE Certificate, and I think that they won't be provisioned quite the same way that device LDevIDs are.
stfries
commented
5 months ago Hi Michael,
I'm currently addressing Matthias comments from the Shepherds review. He had several comments regarding the terminology of EE certificates and IDevID/ LDevID certificates used in the draft. In the terminology part we explained that the EE certificate is either an IDevID certificate or an LDevID certificate. As the registrar-agent and the registrar only used operational certificates, the conclusion in our discussion was to then state it as LDevID certificate (in the more general sense as X.509 certificate). We looked into RFC 8995 terminology and there for IDevID and LDevID there is a statement that the terminology is used from 802.1AR but not that it conforms to the specification. In that sense we said the LDevID may be used for the operational certificate. Matthias and I also discussed that the service interface of the DevID is often neglected when using the term DevID. Your comment points directly to that service interface.
Based on that, do you think we should rather change the terminology to have the EE certificate explained as "leaf certificate which may be an IDevID certificate or LDevID certificate for a pledge or a client certificate or server certificate for an infrastructure component." An then to use EE certificate for infrastructure components?
This would require changing LDevID occurrences for infrastructure components throughout the document but may be better for the terminology. Hm, Matthias and I have a further session today and will discuss it.
From: Michael Richardson @.> Sent: Thursday, July 4, 2024 12:54 AM To: anima-wg/anima-brski-prm @.> Cc: Fries, Steffen (T CST) @.>; Comment @.> Subject: Re: [anima-wg/anima-brski-prm] WIP: Shepherd Review 3 (PR #133)
Hi, there is way too many comments for me to catch up: sorry.
"End Entity (EE) Certificate" refers to any certificate that isn't a CA. I understand you keep referring to the certificate that the Registrar-Agent has as an LDevID, but I really don't think it should be called that. It's a Registar-Agent EE Certificate, and I think that they won't be provisioned quite the same way that device LDevIDs are.
- Reply to this email directly, view it on GitHubhttps://github.com/anima-wg/anima-brski-prm/pull/133#issuecomment-2207437870, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AJEUR5K44EVK627LZK3GUITZKR6IZAVCNFSM6AAAAABJ4ZVB2SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMBXGQZTOOBXGA. You are receiving this because you commented.Message ID: @.**@.>>
mkovatsc
commented
5 months ago @mcr
Hi, there is way too many comments for me to catch up: sorry.
"End Entity (EE) Certificate" refers to any certificate that isn't a CA. I understand you keep referring to the certificate that the Registrar-Agent has as an LDevID, but I really don't think it should be called that. It's a Registar-Agent EE Certificate, and I think that they won't be provisioned quite the same way that device LDevIDs are.
My biggest issue with "EE certificate" was that it has been defined as "Either IDevID certificate or LDevID certificate of the EE" in the Terminology section. This does not even fit your description, but moreover did it lose the most important aspect: that it is a domain certificate signed by the domain CA when referring to Registrar-Agent or Domain Registrar.
To not always having to say "domain EE certificate", e.g., "Registrar-Agent domain EE certificate", we could maybe change the definition in the Terminology section to:
EE certificate: : the certificate of the EE signed by its owner (e.g., CA). For domain components, the EE certificate is signed by the domain owner. For the pledge, the EE certficate is either the IDevID certificate signed by the manufacturer or the LDevID certificate signed by the domain owner.
mkovatsc
commented
5 months ago Dear @mcr I just pushed an update that changes most occurrences of "LDevID" back to "EE", but also included a new definition for the term "EE certificate" that clarifies the different aspects of EE certs, in particular if signed by domain owner. Please check, e.g., in full document in branch
Comments to discuss are coming in dynamically while improving the document in multiple steps.