[openssl-users] Another problem with openssl x509 -req -- default_enddate

Michael Richardson mcr at sandelman.ca
Thu Aug 31 01:22:54 UTC 2017 

Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
    > So indeed, you'd not be the first to consider a special-purpose
    > concise format.  It is somewhat surprising that the applications
    > you're considering use X.509 certificates at all, rather than just
    > raw public keys.  With expiration times in the year "9999", the
    > extra bloat of certificates is perhaps just useless baggage.

We are leveraging the political unity behind 802.1AR (which defines the
IDevID). As a profile it's pretty thin, relying extensively (but
appropriately) on IETF documents,  yet still leaving a bunch of stuff rather
under-specified.

While devices possessing IDevIDs don't need all the cert chain stuff,
the network infrastructure validating them may need it.  Given supply chain
complexity, it could well be in the IDevID that linking back to the
manufacturer requires a chain of certificates.  (My KitchenAid dishwasher is
made and serviced by Whirlpool, but was sold to me by Sears.  I'd expect
Sears' certificate to be in the electronic invoice)

    > Admittedly, I don't know how the security model in question relates
    > to the real-world constraints of the supply chain, who gets to sign
    > certificates for devices allowed to participate, and whether a
    > certificateless public key database might have been a realistic
    > option.

No, it's just not.
In the 6tisch (constrained) version of BRSKI, which is at:
   https://bitbucket.org/6tisch/draft-richardson-6tisch-dtsecurity-secure-join/src/b84347549d469806067cf60b323444f97a98ee83/dtsecurity-zerotouch-join-00.txt?at=master&fileviewer=file-view-default
until the rename of the document is approved.  Section 2.2 explains that the
constrained device will have/need only the raw public key of the manufacturer, and
will treat the IDevID as a blob.  The private key should be stored in
whatever form is most convenient for computation, like the Apple boot loader
does.   Still, some people will have TPMs with complicated interfaces.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170830/c733bf52/attachment.sig>

More information about the openssl-users mailing list