YANG definition of agent-signed-data

[stfries]

Discovered during addressing Shepherd review comments in BRSKI-PRM:

Section 8.2 in the description of the agent-signed-data: Current Text:

          leaf agent-signed-data {
             type binary;
             description
               "The agent-signed-data field contains a JOSE [RFC7515]
                object provided by the Registrar-Agent to the Pledge.

                This artifact is signed by the Registrar-Agent
                and contains a copy of the pledge's serial-number.";
           }

The description describes a JOSE object, although it is included as binary. BRSKI-PRM currently uses JOSE, but we should be open to also use other approaches like COSE. Proposal to rewrite to

          leaf agent-signed-data {
             type binary;
             description
               "The agent-signed-data field contains a data artifact provided 
            by the Registrar-Agent to the Pledge for inclusion into the 
                voucher request.

               This artifact is signed by the Registrar-Agent and should contains 
               data, which can be verified by the pledge and the registrar like a 
               copy of the pledge's serial-number.

        The format is intentionally defined as binary to allow 
        the document using this leaf to determine the encoding.";
           }

[mkovatsc]

My 3rd shepherd review iteration will depend on this change. To me, it appears important to define here that also the SubjectKeyIdentifier of the Registrar-Agent EE certificate shall be included, independent from the format:

          leaf agent-signed-data {
             type binary;
             description
               "The agent-signed-data field contains an authenticated
            self-contained object signed by the Registrar-Agent and
            provided to the Pledge for inclusion into the voucher-request.

                It contains at least the SubjectKeyIdentifier of the
                Registrar-Agent EE certificate and the serial-number of the
                pledge to verify and log which Registrar-Agent was in contact
                with the pledge.

        The format is intentionally defined as binary to allow 
        the document using this leaf to determine the encoding.";
           }

(Note that I am currently still confused by the extensive use of "Registrar-Agent EE certificate" in the BRSKI-PRM document, while it is stated that it MUST be the LDevID for the Agent-Proximity Assertion to work.)

[stfries]

In BRSKI-PRM the transmission of the SubjectKeyIdentifier associated with the Registrar-Agent EE certificate has been discussed in favor of transporting the complete certificate. The Registrar-EE certificate would have been provided in the header of the agent-signed-data part and was consequently changed to the SubjectKeyIdentifier.

To my understanding, it would therefore not be part of the description of the agent-signed-data leaf. I Updated the leaf description to also contain the created on date.

          leaf agent-signed-data {
             type binary;
             description
               "The agent-signed-data field contains a data artifact provided 
            by the Registrar-Agent to the Pledge for inclusion into the 
                voucher request.

               This artifact is signed by the Registrar-Agent and contains 
               data, which can be verified by the pledge and the registrar. 
               This data contains the pledge's serial-number and a created-on
               information of the agent-signed-data.

        The format is intentionally defined as binary to allow 
        the document using this leaf to determine the encoding.";
           }

Note that the Registrar-Agent EE certificate is the same as the LDevID(RegAgt). We changed to use Registrar-Agent EE certificate in version 09 of BRSKI_PRM instead of LDevID(RegAgt).

[stfries]

changed text looks good for me.

[stfries]

can be closed