Commit 5bfdb1a

Move CSR parenthetical to the top, add reference to PKCS#10.
1 parent f13e232 commit 5bfdb1a

File tree

1 file changed, +2 / -2 lines changed
  • specifications/device-identity-provisioning

specifications/device-identity-provisioning/spec.ocp

Lines changed: 2 additions & 2 deletions
@@ -178,7 +178,7 @@ TODO: fill in
178178

179179
## Establishing trust in a selected identity keypair {#sec:establishing-trust-in-identity}
180180

181-
To allow a remote party to establish trust in a selected keypair, the device can emit a CSR. This is supported in SPDM 1.3 [@{spdm-1.3}] via the GET_CSR command. However, there is a drawback to GET_CSR as it is currently defined: the CSR is signed only by the subject key, and does not include a way to attest that the CSR was emitted from a given device.
181+
To allow a remote party to establish trust in a selected keypair, the device can emit a Certification Signing Request (CSR) [@{pkcs-10}]. This is supported in SPDM 1.3 [@{spdm-1.3}] via the GET_CSR command. However, there is a drawback to GET_CSR as it is currently defined: the CSR is signed only by the subject key, and does not include a way to attest that the CSR was emitted from a given device.
182182

183183
To allow a device to attest that a given key is trustworthy, the device should issue its own signature over the public key, which can include a freshness nonce and additional metadata, such as the key's derivation attribute OID.
184184
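Review bot: the expansion introduced at line 181, "Certification Signing Request (CSR)", mixes the two usual names: PKCS #10 itself calls the object a "Certification Request", and the common expansion of the acronym is "Certificate Signing Request". Pick one and use it here, since after this commit this line is the only place in the section where CSR is expanded. Also confirm that `pkcs-10` exists as a key in the bibliography so that `[@{pkcs-10}]` resolves instead of rendering as a literal citation key.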

@@ -302,7 +302,7 @@ The EnvelopeSignedCSRdata shall adhere to the following requirements:
302302
- The EAT SHALL conform to the OCP Envelope-Signed CSR EAT profile (TODO: OCP to assign OID for this profile).
303303
- The EAT SHALL include standard claims for issuer identification and nonce for freshness verification.
304304
- The EAT SHALL include private claims[^private-claims] containing:
305-
- The Certification Signing Request (CSR) as a byte string
305+
- The CSR as a byte string
306306
- An array of OIDs representing the key's derivation attributes (see @sec:key-derivation-attribute-oids for defined OIDs)
307307
- The CSR included in the EAT SHALL be DER-encoded and may be either self-signed or non-self-signed depending on device capabilities. For non-self-signed CSRs, the signature field SHALL contain all zeroes and be the same size as would be required for a valid signature using the subject key's algorithm.
308308
- The nonce claim SHALL match the nonce value provided in the GET_ENVELOPE_SIGNED_CSR request to ensure freshness.
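Review bot: with the expansion dropped from line 305, the bullet now reads "The CSR as a byte string", while the encoding requirement sits two bullets later at line 307; consider folding it into the claim definition ("The DER-encoded CSR as a byte string") so the private-claim list is self-contained. Separately, the unchanged lines 307 and 308 in this hunk leave a verifier-side gap: a non-self-signed CSR carries an all-zero signature field, but the text does not say how a verifier decides which case applies. State the expected order of checks (envelope signature and nonce first, then either verify the CSR's proof-of-possession signature or, when the device has declared the non-self-signed capability, confirm the field is the all-zero placeholder of the correct length), otherwise one implementation may reject a valid non-self-signed CSR as a bad signature while another accepts a zeroed signature it should have verified.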