- Make OIDs plural throughout.
- Update the diagram to refer to EAT.
- Correct the EAT reference ID in bibliography.yaml.
- Minor shuffling of references.
specifications/device-identity-provisioning/spec.ocp
Lines changed: 6 additions & 6 deletions
@@ -180,15 +180,15 @@ TODO: fill in
180
180
181
181
To allow a remote party to establish trust in a selected keypair, the device can emit a Certification Signing Request (CSR) [@{pkcs-10}]. This is supported in SPDM 1.3 [@{spdm-1.3}] via the GET_CSR command. However, there is a drawback to GET_CSR as it is currently defined: the CSR is signed only by the subject key, and does not include a way to attest that the CSR was emitted from a given device.
182
182
183
-
To allow a device to attest that a given key is trustworthy, the device should issue its own signature over the public key, which can include a freshness nonce and additional metadata, such as the key's derivation attribute OID.
183
+
To allow a device to attest that a given key is trustworthy, the device should issue its own signature over the public key, which can include a freshness nonce and additional metadata, such as the key's derivation attribute OIDs.
The CSR is included as a claim of a CBOR Web Token [@{ietf-cwt}].
187
+
The CSR is included as a claim in an Entity Attestation Token (EAT) [@{ietf-eat}].
188
188
189
-
Metadata such as the key's derivation attribute OID can also be embedded in a CoRIM. The mechanism for this is out of scope of this specification.
189
+
Metadata such as the key's derivation attribute OIDs can also be embedded in a CoRIM. The mechanism for this is out of scope of this specification.
190
190
191
-
Some devices may not support the generation of self-signed CSRs for certain keys in their identity key hierarchy, such as LDevID. To support such devices, this specification defines a "non-self-signed CSR", which includes the subject public key but an all-zeroes signature field. The non-self-signed CSR is still itself signed, by way of the Conceptual Message Wrapper.
191
+
Some devices may not support the generation of self-signed CSRs for certain keys in their identity key hierarchy, such as LDevID. To support such devices, this specification defines a "non-self-signed CSR", which includes the subject public key but an all-zeroes signature field. The non-self-signed CSR is still itself signed, by way of the EAT.
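Review bot: the new sentence "which can include a freshness nonce and additional metadata" leaves the nonce optional, but the EnvelopeSignedCSRdata requirements further down in this same diff read "The EAT SHALL include standard claims for issuer identification and nonce for freshness verification"; suggest "which includes a freshness nonce" (or a cross-reference to that requirement) so the overview does not read as weaker than the normative list. On the last added line, "The non-self-signed CSR is still itself signed, by way of the EAT" correctly replaces the Conceptual Message Wrapper wording, but it is worth one more clause saying that a verifier takes the device binding from the EAT signature and must not treat the all-zeroes signature field as a signature to validate, since this paragraph is exactly where an implementer will look for that rule. Minor, in the unchanged context: PKCS #10 [@{pkcs-10}] names the object a Certification Request (commonly "Certificate Signing Request"), not "Certification Signing Request".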
The EnvelopeSignedCSRdata shall adhere to the following requirements:
300
300
301
-
- The payload SHALL be an Entity Attestation Token (EAT) [@{ietf-rats-eat}] encoded as a CBOR Web Token (CWT) [@{ietf-cwt}].
301
+
- The payload SHALL be an EAT encoded as a CBOR Web Token (CWT) [@{ietf-cwt}].
302
302
- The EAT SHALL conform to the OCP Envelope-Signed CSR EAT profile (TODO: OCP to assign OID for this profile).
303
303
- The EAT SHALL include standard claims for issuer identification and nonce for freshness verification.
304
304
- The EAT SHALL include private claims[^private-claims] containing:
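Review bot: dropping "[@{ietf-rats-eat}]" from "The payload SHALL be an EAT encoded as a CBOR Web Token (CWT) [@{ietf-cwt}]" leaves this normative bullet with no citation for EAT at all; since the reference ID was corrected elsewhere in this commit, the fix should be to replace it with "[@{ietf-eat}]" rather than remove it, so the requirements list stands on its own. Two related points in the unchanged bullets: "standard claims for issuer identification and nonce" would be more testable if it named the claims (the CWT iss claim from RFC 8392 and the EAT nonce claim), and the profile bullet still carries "TODO: OCP to assign OID for this profile", which this commit's OID wording changes do not resolve; that TODO should be tracked so the profile claim can actually be populated.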
@@ -310,7 +310,7 @@ The EnvelopeSignedCSRdata shall adhere to the following requirements:
310
310
- E.g., Slot 0's certificate chain would extend at least to the vendor-endorsed certificate over IDevID. A separate slot's certificate chain would extend at least to the certificate issued by the slot's configured PKI owner.
311
311
- A device may report intermediate certificates for the slot's PKI owner if it is configured to do so.
312
312
313
-
[^private-claims]: RFC 8392 defines a private claim as one whose key value has an integer value < -65536.
313
+
[^private-claims]: RFC 8392 [@{ietf-cwt}] defines a private claim as one whose key value has an integer value < -65536.
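Review bot: the footnote now cites RFC 8392 [@{ietf-cwt}], but "a private claim as one whose key value has an integer value < -65536" paraphrases the registry text loosely; suggest "a private claim is one whose Claim Key is an integer less than -65536 (the Private Use range of the CWT Claims registry)" and, more importantly, state or point to where this specification assigns the actual Claim Key values for the private claims listed above, since private-use keys are not registered anywhere and a receiver cannot parse the token without those numbers. Unchanged context nit: "A device may report intermediate certificates ... if it is configured to do so" uses lowercase "may" inside a list that otherwise uses SHALL; if this is a permission, capitalise it as MAY.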