draft-ietf-anima-bootstrapping-keyinfra-09.txt   draft-ietf-anima-bootstrapping-keyinfra-10.txt 
ANIMA WG M. Pritikin ANIMA WG M. Pritikin
Internet-Draft Cisco Internet-Draft Cisco
Intended status: Standards Track M. Richardson Intended status: Standards Track M. Richardson
Expires: May 3, 2018 SSW Expires: August 17, 2018 SSW
M. Behringer M. Behringer
Cisco
S. Bjarnason S. Bjarnason
Arbor Networks Arbor Networks
K. Watsen K. Watsen
Juniper Networks Juniper Networks
October 30, 2017 February 13, 2018
Bootstrapping Remote Secure Key Infrastructures (BRSKI) Bootstrapping Remote Secure Key Infrastructures (BRSKI)
draft-ietf-anima-bootstrapping-keyinfra-09 draft-ietf-anima-bootstrapping-keyinfra-10
Abstract Abstract
This document specifies automated bootstrapping of a remote secure This document specifies automated bootstrapping of a remote secure
key infrastructure (BRSKI) using vendor installed X.509 certificate, key infrastructure (BRSKI) using vendor installed X.509 certificate,
in combination with a vendor's authorizing service, both online and in combination with a vendor's authorizing service, both online and
offline. Bootstrapping a new device can occur using a routable offline. Bootstrapping a new device can occur using a routable
address and a cloud service, or using only link-local connectivity, address and a cloud service, or using only link-local connectivity,
or on limited/disconnected networks. Support for lower security or on limited/disconnected networks. Support for lower security
models, including devices with minimal identity, is described for models, including devices with minimal identity, is described for
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2018. This Internet-Draft will expire on August 17, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Other Bootstrapping Approaches . . . . . . . . . . . . . 5 1.1. Other Bootstrapping Approaches . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Scope of solution . . . . . . . . . . . . . . . . . . . . 8 1.3. Scope of solution . . . . . . . . . . . . . . . . . . . . 8
1.4. Leveraging the new key infrastructure / next steps . . . 9 1.4. Leveraging the new key infrastructure / next steps . . . 9
2. Architectural Overview . . . . . . . . . . . . . . . . . . . 9 2. Architectural Overview . . . . . . . . . . . . . . . . . . . 10
2.1. Behavior of a Pledge . . . . . . . . . . . . . . . . . . 11 2.1. Behavior of a Pledge . . . . . . . . . . . . . . . . . . 11
2.2. Secure Imprinting using Vouchers . . . . . . . . . . . . 12 2.2. Secure Imprinting using Vouchers . . . . . . . . . . . . 13
2.3. Initial Device Identifier . . . . . . . . . . . . . . . . 13 2.3. Initial Device Identifier . . . . . . . . . . . . . . . . 14
2.4. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 14 2.4. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 15
2.4.1. Architectural component: Pledge . . . . . . . . . . . 16 2.4.1. Architectural component: Pledge . . . . . . . . . . . 17
2.4.2. Architectural component: Circuit Proxy . . . . . . . 16 2.4.2. Architectural component: Circuit Proxy . . . . . . . 17
2.4.3. Architectural component: Domain Registrar . . . . . . 16 2.4.3. Architectural component: Domain Registrar . . . . . . 17
2.4.4. Architectural component: Vendor Service . . . . . . . 16 2.4.4. Architectural component: Vendor Service . . . . . . . 17
2.5. Lack of realtime clock . . . . . . . . . . . . . . . . . 16 2.5. Lack of realtime clock . . . . . . . . . . . . . . . . . 17
2.6. Cloud Registrar . . . . . . . . . . . . . . . . . . . . . 17 2.6. Cloud Registrar . . . . . . . . . . . . . . . . . . . . . 18
2.7. Determining the MASA to contact . . . . . . . . . . . . . 17 2.7. Determining the MASA to contact . . . . . . . . . . . . . 18
3. Voucher-Request artifact . . . . . . . . . . . . . . . . . . 18 3. Voucher-Request artifact . . . . . . . . . . . . . . . . . . 19
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 18 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 19
3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 19 3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 20
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 21 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22
4. Proxy details . . . . . . . . . . . . . . . . . . . . . . . . 23 4. Proxy details . . . . . . . . . . . . . . . . . . . . . . . . 24
4.1. Pledge discovery of Proxy . . . . . . . . . . . . . . . . 24 4.1. Pledge discovery of Proxy . . . . . . . . . . . . . . . . 25
4.1.1. Proxy Grasp announcements . . . . . . . . . . . . . . 25 4.1.1. Proxy Grasp announcements . . . . . . . . . . . . . . 26
4.2. CoAP connection to Registrar . . . . . . . . . . . . . . 26 4.2. CoAP connection to Registrar . . . . . . . . . . . . . . 27
4.3. HTTPS proxy connection to Registrar . . . . . . . . . . . 26 4.3. HTTPS proxy connection to Registrar . . . . . . . . . . . 27
4.4. Proxy discovery of Registrar . . . . . . . . . . . . . . 26 4.4. Proxy discovery of Registrar . . . . . . . . . . . . . . 28
5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 28 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 29
5.1. BRSKI-EST TLS establishment details . . . . . . . . . . . 30 5.1. BRSKI-EST TLS establishment details . . . . . . . . . . . 31
5.2. Pledge Requests Voucher from the Registrar . . . . . . . 30 5.2. Pledge Requests Voucher from the Registrar . . . . . . . 31
5.3. BRSKI-MASA TLS establishment details . . . . . . . . . . 31 5.3. BRSKI-MASA TLS establishment details . . . . . . . . . . 33
5.4. Registrar Requests Voucher from MASA . . . . . . . . . . 32 5.4. Registrar Requests Voucher from MASA . . . . . . . . . . 33
5.5. Voucher Response . . . . . . . . . . . . . . . . . . . . 35 5.5. Voucher Response . . . . . . . . . . . . . . . . . . . . 36
5.5.1. Completing authentication of Provisional TLS 5.5.1. Completing authentication of Provisional TLS
connection . . . . . . . . . . . . . . . . . . . . . 36 connection . . . . . . . . . . . . . . . . . . . . . 37
5.6. Voucher Status Telemetry . . . . . . . . . . . . . . . . 37 5.6. Voucher Status Telemetry . . . . . . . . . . . . . . . . 38
5.7. MASA authorization log Request . . . . . . . . . . . . . 38 5.7. MASA authorization log Request . . . . . . . . . . . . . 39
5.7.1. MASA authorization log Response . . . . . . . . . . . 39 5.7.1. MASA authorization log Response . . . . . . . . . . . 40
5.8. EST Integration for PKI bootstrapping . . . . . . . . . . 40 5.8. EST Integration for PKI bootstrapping . . . . . . . . . . 41
5.8.1. EST Distribution of CA Certificates . . . . . . . . . 40 5.8.1. EST Distribution of CA Certificates . . . . . . . . . 42
5.8.2. EST CSR Attributes . . . . . . . . . . . . . . . . . 40 5.8.2. EST CSR Attributes . . . . . . . . . . . . . . . . . 42
5.8.3. EST Client Certificate Request . . . . . . . . . . . 41 5.8.3. EST Client Certificate Request . . . . . . . . . . . 43
5.8.4. Enrollment Status Telemetry . . . . . . . . . . . . . 41 5.8.4. Enrollment Status Telemetry . . . . . . . . . . . . . 43
5.8.5. EST over CoAP . . . . . . . . . . . . . . . . . . . . 43 5.8.5. EST over CoAP . . . . . . . . . . . . . . . . . . . . 44
6. Reduced security operational modes . . . . . . . . . . . . . 43 6. Reduced security operational modes . . . . . . . . . . . . . 44
6.1. Trust Model . . . . . . . . . . . . . . . . . . . . . . . 43 6.1. Trust Model . . . . . . . . . . . . . . . . . . . . . . . 44
6.2. Pledge security reductions . . . . . . . . . . . . . . . 44 6.2. Pledge security reductions . . . . . . . . . . . . . . . 45
6.3. Registrar security reductions . . . . . . . . . . . . . . 44 6.3. Registrar security reductions . . . . . . . . . . . . . . 46
6.4. MASA security reductions . . . . . . . . . . . . . . . . 45 6.4. MASA security reductions . . . . . . . . . . . . . . . . 47
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
7.1. PKIX Registry . . . . . . . . . . . . . . . . . . . . . . 46 7.1. PKIX Registry . . . . . . . . . . . . . . . . . . . . . . 48
7.2. Voucher Status Telemetry . . . . . . . . . . . . . . . . 46 7.2. Voucher Status Telemetry . . . . . . . . . . . . . . . . 48
8. Security Considerations . . . . . . . . . . . . . . . . . . . 47 8. Security Considerations . . . . . . . . . . . . . . . . . . . 48
8.1. Freshness in Voucher-Requests . . . . . . . . . . . . . . 48 8.1. Freshness in Voucher-Requests . . . . . . . . . . . . . . 50
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 50 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
10.1. Normative References . . . . . . . . . . . . . . . . . . 50 10.1. Normative References . . . . . . . . . . . . . . . . . . 51
10.2. Informative References . . . . . . . . . . . . . . . . . 52 10.2. Informative References . . . . . . . . . . . . . . . . . 54
Appendix A. IPv4 operations . . . . . . . . . . . . . . . . . . 54 Appendix A. IPv4 operations . . . . . . . . . . . . . . . . . . 55
A.1. IPv4 Link Local addresses . . . . . . . . . . . . . . . . 54 A.1. IPv4 Link Local addresses . . . . . . . . . . . . . . . . 55
A.2. Use of DHCPv4 . . . . . . . . . . . . . . . . . . . . . . 54 A.2. Use of DHCPv4 . . . . . . . . . . . . . . . . . . . . . . 55
Appendix B. mDNS / DNSSD proxy discovery options . . . . . . . . 54 Appendix B. mDNS / DNSSD proxy discovery options . . . . . . . . 55
Appendix C. IPIP Join Proxy mechanism . . . . . . . . . . . . . 55 Appendix C. IPIP Join Proxy mechanism . . . . . . . . . . . . . 56
C.1. Multiple Join networks on the Join Proxy side . . . . . . 55 C.1. Multiple Join networks on the Join Proxy side . . . . . . 57
C.2. Automatic configuration of tunnels on Registrar . . . . . 56 C.2. Automatic configuration of tunnels on Registrar . . . . . 57
C.3. Proxy Neighbor Discovery by Join Proxy . . . . . . . . . 56 C.3. Proxy Neighbor Discovery by Join Proxy . . . . . . . . . 58
C.4. Use of connected sockets; or IP_PKTINFO for CoAP on C.4. Use of connected sockets; or IP_PKTINFO for CoAP on
Registrar . . . . . . . . . . . . . . . . . . . . . . . . 57 Registrar . . . . . . . . . . . . . . . . . . . . . . . . 58
C.5. Use of socket extension rather than virtual interface . . 57 C.5. Use of socket extension rather than virtual interface . . 58
Appendix D. MUD Extension . . . . . . . . . . . . . . . . . . . 57 Appendix D. MUD Extension . . . . . . . . . . . . . . . . . . . 59
Appendix E. Example Vouchers . . . . . . . . . . . . . . . . . . 59 Appendix E. Example Vouchers . . . . . . . . . . . . . . . . . . 61
E.1. Keys involved . . . . . . . . . . . . . . . . . . . . . . 59 E.1. Keys involved . . . . . . . . . . . . . . . . . . . . . . 61
E.1.1. MASA key pair for voucher signatures . . . . . . . . 59 E.1.1. MASA key pair for voucher signatures . . . . . . . . 61
E.1.2. Manufacturer key pair for IDevID signatures . . . . . 59 E.1.2. Manufacturer key pair for IDevID signatures . . . . . 61
E.1.3. Registrar key pair . . . . . . . . . . . . . . . . . 60 E.1.3. Registrar key pair . . . . . . . . . . . . . . . . . 62
E.1.4. Pledge key pair . . . . . . . . . . . . . . . . . . . 62 E.1.4. Pledge key pair . . . . . . . . . . . . . . . . . . . 64
E.2. Example process . . . . . . . . . . . . . . . . . . . . . 64 E.2. Example process . . . . . . . . . . . . . . . . . . . . . 65
E.2.1. Pledge to Registrar . . . . . . . . . . . . . . . . . 64 E.2.1. Pledge to Registrar . . . . . . . . . . . . . . . . . 65
E.2.2. Registrar to MASA . . . . . . . . . . . . . . . . . . 66 E.2.2. Registrar to MASA . . . . . . . . . . . . . . . . . . 71
E.2.3. MASA to Registrar . . . . . . . . . . . . . . . . . . 67 E.2.3. MASA to Registrar . . . . . . . . . . . . . . . . . . 77
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82
1. Introduction 1. Introduction
BRSKI provides a foundation to securely answer the following BRSKI provides a foundation to securely answer the following
questions between an element of the network domain called the questions between an element of the network domain called the
"Registrar" and an unconfigured and untouched device called a "Registrar" and an unconfigured and untouched device called a
"Pledge": "Pledge":
o Registrar authenticating the Pledge: "Who is this device? What is o Registrar authenticating the Pledge: "Who is this device? What is
its identity?" its identity?"
skipping to change at page 8, line 7 skipping to change at page 8, line 7
vouchers as described in [I-D.ietf-anima-voucher] vouchers as described in [I-D.ietf-anima-voucher]
IDevID: An Initial Device Identity X.509 certificate installed by IDevID: An Initial Device Identity X.509 certificate installed by
the vendor on new equipment. the vendor on new equipment.
TOFU: Trust on First Use. Used similarly to [RFC7435]. This is TOFU: Trust on First Use. Used similarly to [RFC7435]. This is
where a Pledge device makes no security decisions but rather where a Pledge device makes no security decisions but rather
simply trusts the first Registrar it is contacted by. This is simply trusts the first Registrar it is contacted by. This is
also known as the "resurrecting duckling" model. also known as the "resurrecting duckling" model.
nonced: a voucher (or request) that contains a nonce (the normal
case).
nonceless: a voucher (or request) that does not contain a nonce,
relying upon accurate clocks for expiration, or which does not
expire.
1.3. Scope of solution 1.3. Scope of solution
Questions have been posed as to whether this solution is suitable in Questions have been posed as to whether this solution is suitable in
general for Internet of Things (IoT) networks. This depends on the general for Internet of Things (IoT) networks. This depends on the
capabilities of the devices in question. The terminology of capabilities of the devices in question. The terminology of
[RFC7228] is best used to describe the boundaries. [RFC7228] is best used to describe the boundaries.
The solution described in this document is aimed in general at non- The solution described in this document is aimed in general at non-
constrained (i.e. class 2+) devices operating on a non-Challenged constrained (i.e. class 2+) devices operating on a non-Challenged
network. The entire solution as described here is not intended to be network. The entire solution as described here is not intended to be
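Review bot: The new "nonceless" definition folds two different lifetimes into one term: a voucher "relying upon accurate clocks for expiration" and one "which does not expire". These carry different risk for a Registrar reading the audit log, so either split the term or state how a reader tells the two cases apart. The added entries are also written lowercase here, but appear as "Nonced or Nonceless" in the 5.7.1 text of this revision; pick one spelling.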
skipping to change at page 16, line 13 skipping to change at page 17, line 13
| Continue with RFC7030 enrollment | | | Continue with RFC7030 enrollment | |
| using now bidirectionally authenticated | | | using now bidirectionally authenticated | |
| TLS session. | | | | TLS session. | | |
| | | | | | | |
Figure 3 Figure 3
2.4.1. Architectural component: Pledge 2.4.1. Architectural component: Pledge
The Pledge is the device which is attempting to join. Until the The Pledge is the device which is attempting to join. Until the
pledge completes the enrollment process, it does has network pledge completes the enrollment process, it has network connectivity
connectivity only to the Proxy. only to the Proxy.
2.4.2. Architectural component: Circuit Proxy 2.4.2. Architectural component: Circuit Proxy
The (Circuit) Proxy provides HTTPS connectivity between the pledge The (Circuit) Proxy provides HTTPS connectivity between the pledge
and the registrar. The proxy mechanism is described in Section 4, and the registrar. The proxy mechanism is described in Section 4,
with an optional stateless mechanism described in Appendix C. with an optional stateless mechanism described in Appendix C.
2.4.3. Architectural component: Domain Registrar 2.4.3. Architectural component: Domain Registrar
The Domain Registrar (having the formal name Join Registrar/ The Domain Registrar (having the formal name Join Registrar/
skipping to change at page 21, line 10 skipping to change at page 22, line 10
"idevid-issuer": "base64encodedvalue==" "idevid-issuer": "base64encodedvalue=="
"serial-number": "JADA123456789" "serial-number": "JADA123456789"
} }
} }
3.3. YANG Module 3.3. YANG Module
Following is a YANG [RFC7950] module formally extending the Following is a YANG [RFC7950] module formally extending the
[I-D.ietf-anima-voucher] voucher into a voucher-request. [I-D.ietf-anima-voucher] voucher into a voucher-request.
<CODE BEGINS> file "ietf-voucher-request@2017-10-30.yang" <CODE BEGINS> file "yang/ietf-voucher-request@2018-02-13.yang"
module ietf-voucher-request { module ietf-voucher-request {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-voucher-request"; "urn:ietf:params:xml:ns:yang:ietf-voucher-request";
prefix "vch"; prefix "vch";
import ietf-restconf { import ietf-restconf {
prefix rc; prefix rc;
description description
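Review bot: The file name on the <CODE BEGINS> line now carries a directory prefix ("yang/ietf-voucher-request@2018-02-13.yang"), where -09 had the bare module file name. This looks like a build-tree path leaking into the document, and tools that extract code components by this name would pick up the path. Suggest dropping "yang/" and keeping "ietf-voucher-request@2018-02-13.yang", which still matches the revision date 2018-02-13 used in the module.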
skipping to change at page 22, line 18 skipping to change at page 23, line 18
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
modification, is permitted pursuant to, and subject to the license modification, is permitted pursuant to, and subject to the license
terms contained in, the Simplified BSD License set forth in Section terms contained in, the Simplified BSD License set forth in Section
4.c of the IETF Trust's Legal Provisions Relating to IETF Documents 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices."; itself for full legal notices.";
revision "2017-10-30" { revision "2018-02-13" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: Voucher Profile for Bootstrapping Protocols"; "RFC XXXX: Voucher Profile for Bootstrapping Protocols";
} }
// Top-level statement // Top-level statement
rc:yang-data voucher-request-artifact { rc:yang-data voucher-request-artifact {
uses voucher-request-grouping; uses voucher-request-grouping;
} }
skipping to change at page 25, line 45 skipping to change at page 26, line 45
Once all discovered services are attempted the device SHOULD return Once all discovered services are attempted the device SHOULD return
to listening for GRASP M_FLOOD. It should periodically retry the to listening for GRASP M_FLOOD. It should periodically retry the
vendor specific mechanisms. The Pledge MAY prioritize selection vendor specific mechanisms. The Pledge MAY prioritize selection
order as appropriate for the anticipated environment. order as appropriate for the anticipated environment.
4.1.1. Proxy Grasp announcements 4.1.1. Proxy Grasp announcements
A proxy uses the GRASP M_FLOOD mechanism to announce itself. The A proxy uses the GRASP M_FLOOD mechanism to announce itself. The
pledge SHOULD listen for messages of these form. This announcement pledge SHOULD listen for messages of these form. This announcement
can be within the same message as the ACP announcement detailed in can be within the same message as the ACP announcement detailed in
[I-D.ietf-anima-autonomic-control-plane]. [I-D.ietf-anima-autonomic-control-plane]. The M_FLOOD is formatted
as follows:
proxy-objective = ["AN_Proxy", [ O_IPv6_LOCATOR, ipv6-address, [M_FLOOD, 12340815, h'fe80::1', 180000,
transport-proto, port-number ] ] ["AN_Proxy", 4, 1, ""],
[O_IPv6_LOCATOR,
h'fe80::1', 'TCP', 4443]]
ipv6-address - the v6 LL of the proxy Figure 6b: Proxy Discovery
transport-proto - 6, for TCP 17 for UDP
port-number - the TCP or UDP port number to find the proxy
Figure 5 The formal CDDL definition is:
flood-message = [M_FLOOD, session-id, initiator, ttl,
+[objective, (locator-option / [])]]
objective = ["AN_Proxy", objective-flags, loop-count,
objective-value]
ttl = 180000 ; 180,000 ms (3 minutes)
initiator = ACP address to contact Registrar
objective-flags = sync-only ; as in GRASP spec
sync-only = 4 ; M_FLOOD only requires synchronization
loop-count = 1 ; one hop only
objective-value = any ; none
locator = [ O_IPv6_LOCATOR, ipv6-address,
transport-proto, port-number ]
ipv6-address = the v6 LL of the proxy
transport-proto = IPPROTO_TCP / IPPROTO_UDP / IPPROTO_IPV6
port-number = selected by proxy
Figure 6c: AN_Proxy CDDL
4.2. CoAP connection to Registrar 4.2. CoAP connection to Registrar
The use of CoAP to connect from Pledge to Registrar is out of scope The use of CoAP to connect from Pledge to Registrar is out of scope
for this document, and may be described in future work. for this document, and may be described in future work.
4.3. HTTPS proxy connection to Registrar 4.3. HTTPS proxy connection to Registrar
The proxy SHOULD also provide one of: an IPIP encapsulation of HTTP The proxy SHOULD also provide one of: an IPIP encapsulation of HTTP
traffic to the registrar, or a TCP circuit proxy that connects the traffic to the registrar, or a TCP circuit proxy that connects the
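Review bot: The example in Figure 6b does not match the CDDL in Figure 6c. The example gives the transport as 'TCP' while the CDDL defines transport-proto as IPPROTO_TCP / IPPROTO_UDP / IPPROTO_IPV6, and it writes the addresses as h'fe80::1', which is not a hex byte string. The -09 text spelled out the numeric values ("6, for TCP 17 for UDP"); -10 drops them without defining the IPPROTO_ names, and adds IPPROTO_IPV6 without saying what a proxy announcing it offers. The initiator is described as "ACP address to contact Registrar", yet the example uses the same link-local fe80::1 as the locator; say which is intended. Several right-hand sides of the "formal CDDL" are prose (for example "the v6 LL of the proxy"), so it will not validate as CDDL; mark them as comments or call the figure informal.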
skipping to change at page 30, line 38 skipping to change at page 32, line 5
5.2. Pledge Requests Voucher from the Registrar 5.2. Pledge Requests Voucher from the Registrar
When the Pledge bootstraps it makes a request for a Voucher from a When the Pledge bootstraps it makes a request for a Voucher from a
Registrar. Registrar.
This is done with an HTTPS POST using the operation path value of This is done with an HTTPS POST using the operation path value of
"/.well-known/est/requestvoucher". "/.well-known/est/requestvoucher".
The request media types are: The request media types are:
application/pkcs7-mime; smime-type=voucher-request The request is a application/voucher-cms+json The request is a "YANG-defined JSON
"YANG-defined JSON document that has been signed using a PKCS#7 document that has been signed using a CMS structure" as described
structure" as described in Section 3 using the JSON encoding in Section 3 using the JSON encoding described in [RFC7951]. The
described in [RFC7951]. The Pledge SHOULD sign the request using Pledge SHOULD sign the request using the Section 2.3 credential.
the Section 2.3 credential.
application/json The request is the "YANG-defined JSON document" as application/json The request is the "YANG-defined JSON document" as
described in Section 3 with exception that it is not within a described in Section 3 with exception that it is not within a
PKCS#7 structure. It is protected only by the TLS client PKCS#7 structure. It is protected only by the TLS client
authentication. This reduces the cryptographic requirements on authentication. This reduces the cryptographic requirements on
the Pledge. the Pledge.
For simplicity the term 'voucher-request' is used to refer to either For simplicity the term 'voucher-request' is used to refer to either
of these media types. Registrar impementations SHOULD anticipate of these media types. Registrar impementations SHOULD anticipate
future media types but of course will simply fail the request if future media types but of course will simply fail the request if
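Review bot: The signed media type is now described as "signed using a CMS structure", but the application/json paragraph directly below it still says the document "is not within a PKCS#7 structure". Use one term across both paragraphs so an implementer does not read them as two different containers. The context also still reads "Registrar impementations", which is worth fixing while this paragraph is open.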
skipping to change at page 32, line 31 skipping to change at page 33, line 42
is defined as an optional EST message between a Registrar and an EST is defined as an optional EST message between a Registrar and an EST
server running on the MASA service although the Registrar is not server running on the MASA service although the Registrar is not
required to make use of any other EST functionality when required to make use of any other EST functionality when
communicating with the MASA service. (The MASA service MUST properly communicating with the MASA service. (The MASA service MUST properly
reject any EST functionality requests it does not wish to service; a reject any EST functionality requests it does not wish to service; a
requirement that holds for any REST interface). requirement that holds for any REST interface).
This is done with an HTTP POST using the operation path value of This is done with an HTTP POST using the operation path value of
"/.well-known/est/requestvoucher". "/.well-known/est/requestvoucher".
The request media type is: The request media type is defined in [I-D.ietf-anima-voucher] and is
application/voucher-cms+json. It is a JSON document that has been
application/pkcs7-mime; smime-type=voucher-request The voucher- signed using a CMS structure. The Registrar MUST sign the Registrar
request is a "YANG-defined JSON document that has been signed voucher-request. The entire Registrar certificate chain, up to and
using a PKCS#7 structure" as described in [I-D.ietf-anima-voucher] including the Domain CA, MUST be included in the PKCS#7 structure.
using the JSON encoding described in [RFC7951]. The Registrar
MUST sign the Registrar voucher-request. The entire Registrar
certificate chain, up to and including the Domain CA, MUST be
included in the PKCS#7 structure.
MASA impementations SHOULD anticipate future media types but of MASA impementations SHOULD anticipate future media types but of
course will simply fail the request if those types are not yet known. course will simply fail the request if those types are not yet known.
The Registrar populates the voucher-request fields as follows: The Registrar populates the voucher-request fields as follows:
created-on: Registrars are RECOMMENDED to populate this field. This created-on: Registrars are RECOMMENDED to populate this field. This
provides additional information to the MASA. provides additional information to the MASA.
nonce: The optional nonce value from the Pledge request if desired nonce: The optional nonce value from the Pledge request if desired
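Review bot: The rewritten paragraph says the request is "signed using a CMS structure", but its last sentence still requires the certificate chain to "be included in the PKCS#7 structure". That sentence is a MUST, so align it with the CMS wording, as the 5.7 text in this revision does. The rewrite also drops the pointer to the JSON encoding in [RFC7951] that -09 had here and that 5.2 keeps; restore it or say that [I-D.ietf-anima-voucher] covers it. Separately, this section says "HTTP POST" where 5.2 says "HTTPS POST" for the same operation path.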
skipping to change at page 38, line 48 skipping to change at page 40, line 7
https://example.com/auditlog/1234 or the EUI of the device such https://example.com/auditlog/1234 or the EUI of the device such
https://example.com/auditlog/10-00-00-11-22-33, would be easily https://example.com/auditlog/10-00-00-11-22-33, would be easily
enumerable by an attacker. It is recommended put to put some enumerable by an attacker. It is recommended put to put some
meaningless randomly generated slug that indexes a database instead. meaningless randomly generated slug that indexes a database instead.
A MASA that returns a code 200 MAY also include a Location: header A MASA that returns a code 200 MAY also include a Location: header
for future reference by the Registrar. for future reference by the Registrar.
The request media type is: The request media type is:
application/pkcs7-mime; smime-type=voucher-request The request is a application/voucher-cms+json The request is a "YANG-defined JSON
"YANG-defined JSON document that has been signed using a PKCS#7 document that has been signed using a CMS structure" as described
structure" as described in Section 3 using the JSON encoded in Section 3 using the JSON encoded described in [RFC7951]. The
described in [RFC7951]. The Registrar MUST sign the request. The Registrar MUST sign the request. The entire Registrar certificate
entire Registrar certificate chain, up to and including the Domain chain, up to and including the Domain CA, MUST be included in the
CA, MUST be included in the PKCS#7 structure. CMS structure.
5.7.1. MASA authorization log Response 5.7.1. MASA authorization log Response
A log data file is returned consisting of all log entries. For A log data file is returned consisting of all log entries. For
example: example:
{ {
"version":"1", "version":"1",
"events":[ "events":[
{ {
"date":"<date/time of the entry>", "date":"<date/time of the entry>",
"domainID":"<domainID extracted from voucher-request>", "domainID":"<domainID extracted from voucher-request>",
"nonce":"<any nonce if supplied (or the exact string 'NULL')>" "nonce":"<any nonce if supplied (or the exact string 'NULL')>"
}, },
{ {
"date":"<date/time of the entry>", "date":"<date/time of the entry>",
"domainID":"<domainID extracted from voucher-request>", "domainID":"<domainID extracted from voucher-request>",
"nonce":"<any nonce if supplied (or the exact string 'NULL')>" "nonce":"<any nonce if supplied (or the exact string 'NULL')>"
} }
] ],
"truncation": {
"nonced duplicates": <number of entries truncated>,
"nonceless duplicates": <number of entries truncated>,
"arbitrary": <number of entries trucated>
}
} }
Distribution of a large log is less than ideal. This structure can
be optimized as follows: All nonceless entries for the same domainID
MAY be condensed into the single most recent nonceless entry.
A Registrar SHOULD use this log information to make an informed A Registrar SHOULD use this log information to make an informed
decision regarding the continued bootstrapping of the Pledge. For decision regarding the continued bootstrapping of the Pledge. For
example if the log includes an unexpected domainID then the Pledge example if the log includes an unexpected domainID then the Pledge
could have imprinted on an unexpected domain. If the log includes could have imprinted on an unexpected domain. If the log includes
nonceless entries then any registrar in the same domain could nonceless entries then any registrar in the same domain could
theoretically trigger a reset of the device and take over management theoretically trigger a reset of the device and take over management
of the Pledge. Equipment that is purchased pre-owned can be expected of the Pledge. Equipment that is purchased pre-owned can be expected
to have an extensive history. A Registrar MAY request logs at future to have an extensive history. A Registrar MAY request logs at future
times. A Registrar MAY be configured to ignore the history of the times. A Registrar MAY be configured to ignore the history of the
device but it is RECOMMENDED that this only be configured if hardware device but it is RECOMMENDED that this only be configured if hardware
assisted NEA [RFC5209] is supported. assisted NEA [RFC5209] is supported.
Log entries can be compared against local history logs in search of Log entries can be compared against local history logs in search of
discrepancies. discrepancies.
Distribution of a large log is less than ideal. This structure can
be optimized as follows: Nonced or Nonceless entries for the same
domainID MAY be truncated from the log leaving only the single most
recent nonced or nonceless entry. The log SHOULD NOT be further
reduced but there could exist operational situation where maintaining
the full log is not possible. In such situations the log MAY be
arbitrarily truncated for length. The trunctation method(s) used
MUST be indicated in the JSON truncation dictionary using "nonced
duplicates", "nonceless duplicates", and "arbitrary" where the number
of entries that have been truncation is indicated. If the truncation
count exceeds 1024 then the MASA MAY use this value without further
incrementing it.
A log where duplicate entries for the same domain have been truncated
("nonced duplicates" and/or "nonceless duplicates) could still be
acceptable for informed decisions. A log that has had "arbitrary"
truncations is less acceptable but vendor transparency is better than
hidden truncations.
This document specifies a simple log format as provided by the MASA This document specifies a simple log format as provided by the MASA
service to the registar. This format could be improved by service to the registar. This format could be improved by
distributed consensus technologies that integrate vouchers with a distributed consensus technologies that integrate vouchers with a
technologies such as block-chain or hash trees or the like. Doing so technologies such as block-chain or hash trees or optimized logging
is out of the scope of this document but are anticipated improvements approaches. Doing so is out of the scope of this document but are
for future work. As such, the Registrar client SHOULD anticipate new anticipated improvements for future work. As such, the Registrar
kinds of responses, and SHOULD provide operator controls to indicate client SHOULD anticipate new kinds of responses, and SHOULD provide
how to process unknown responses. operator controls to indicate how to process unknown responses.
5.8. EST Integration for PKI bootstrapping 5.8. EST Integration for PKI bootstrapping
The Pledge SHOULD follow the BRSKI operations with EST enrollment The Pledge SHOULD follow the BRSKI operations with EST enrollment
operations including "CA Certificates Request", "CSR Attributes" and operations including "CA Certificates Request", "CSR Attributes" and
"Client Certificate Request" or "Server-Side Key Generation" etc. "Client Certificate Request" or "Server-Side Key Generation" etc.
This is a relatively seamless integration since BRSKI REST calls This is a relatively seamless integration since BRSKI REST calls
provide an automated alternative to the manual bootstrapping method provide an automated alternative to the manual bootstrapping method
described in [RFC7030]. As noted above, use of HTTP 1.1 persistent described in [RFC7030]. As noted above, use of HTTP 1.1 persistent
connections simplifies the Pledge state machine. connections simplifies the Pledge state machine.
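Review bot: the relocated truncation paragraph in 5.7.1 lets the MASA drop entries "leaving only the single most recent nonced or nonceless entry", which can be read as one surviving entry per domainID in total. Under that reading a recent nonced entry can hide an older nonceless one, and the Registrar guidance in the same section treats nonceless entries as the ones that permit a later reset and takeover. Suggest stating that the most recent nonced entry and the most recent nonceless entry are each retained per domainID. The "truncation" counts are also global rather than per domainID, and the sentence about a count exceeding 1024 should say plainly that the value saturates, since a Registrar cannot otherwise tell 1024 from more. Typos in the added text: "trucated", "trunctation", "have been truncation", and the unclosed quote in ("nonced duplicates" and/or "nonceless duplicates).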
skipping to change at page 46, line 26 skipping to change at page 48, line 7
information as a defense in depth strategy to ensure that this information as a defense in depth strategy to ensure that this
does not occur unexpectedly (for example when purchasing new does not occur unexpectedly (for example when purchasing new
equipment the Registrar would throw an error if any audit log equipment the Registrar would throw an error if any audit log
information is reported). The MASA should verify the 'prior- information is reported). The MASA should verify the 'prior-
signed-voucher' information for Pledge's that support that signed-voucher' information for Pledge's that support that
functionality. This provides a proof-of-proximity check that functionality. This provides a proof-of-proximity check that
reduces the need for ownership verification. reduces the need for ownership verification.
7. IANA Considerations 7. IANA Considerations
This document requests the following Parameter Values for the "smime- This document requires the following IANA actions:
type" Parameters:
o voucher-request
o voucher
7.1. PKIX Registry 7.1. PKIX Registry
IANA is requested to register the following: IANA is requested to register the following:
This document requests a number for id-mod-MASAURLExtn2016(TBD) from This document requests a number for id-mod-MASAURLExtn2016(TBD) from
the pkix(7) id-mod(0) Registry. [[EDNOTE: fix names]] the pkix(7) id-mod(0) Registry. [[EDNOTE: fix names]]
This document requests a number from the id-pe registry for id-pe- This document requests a number from the id-pe registry for id-pe-
masa-url. XXX masa-url. XXX
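Review bot: section 7 no longer requests the "smime-type" parameter values voucher-request and voucher, and the replacement sentence "This document requires the following IANA actions:" does not say where those registrations went. If they moved to another document, name it here. The unchanged 7.1 text still carries "(TBD)", "[[EDNOTE: fix names]]" and "XXX", which need resolving before the requests are actionable.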
skipping to change at page 50, line 23 skipping to change at page 51, line 43
We would like to thank the various reviewers for their input, in We would like to thank the various reviewers for their input, in
particular Brian Carpenter, Toerless Eckert, Fuyu Eleven, Eliot Lear, particular Brian Carpenter, Toerless Eckert, Fuyu Eleven, Eliot Lear,
Sergey Kasatkin, Markus Stenberg, and Peter van der Stok Sergey Kasatkin, Markus Stenberg, and Peter van der Stok
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-anima-autonomic-control-plane] [I-D.ietf-anima-autonomic-control-plane]
Behringer, M., Eckert, T., and S. Bjarnason, "An Autonomic Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic
Control Plane (ACP)", draft-ietf-anima-autonomic-control- Control Plane (ACP)", draft-ietf-anima-autonomic-control-
plane-12 (work in progress), October 2017. plane-13 (work in progress), December 2017.
[I-D.ietf-anima-grasp] [I-D.ietf-anima-grasp]
Bormann, C., Carpenter, B., and B. Liu, "A Generic Bormann, C., Carpenter, B., and B. Liu, "A Generic
Autonomic Signaling Protocol (GRASP)", draft-ietf-anima- Autonomic Signaling Protocol (GRASP)", draft-ietf-anima-
grasp-15 (work in progress), July 2017. grasp-15 (work in progress), July 2017.
[I-D.ietf-anima-voucher] [I-D.ietf-anima-voucher]
Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
"Voucher Profile for Bootstrapping Protocols", draft-ietf- "Voucher Profile for Bootstrapping Protocols", draft-ietf-
anima-voucher-06 (work in progress), October 2017. anima-voucher-07 (work in progress), January 2018.
[IDevID] IEEE Standard, "IEEE 802.1AR Secure Device Identifier", [IDevID] IEEE Standard, "IEEE 802.1AR Secure Device Identifier",
December 2009, <http://standards.ieee.org/findstds/ December 2009, <http://standards.ieee.org/findstds/
standard/802.1AR-2009.html>. standard/802.1AR-2009.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 52, line 47 skipping to change at page 54, line 21
2014. 2014.
[I-D.ietf-netconf-zerotouch] [I-D.ietf-netconf-zerotouch]
Watsen, K., Abrahamsson, M., and I. Farrer, "Zero Touch Watsen, K., Abrahamsson, M., and I. Farrer, "Zero Touch
Provisioning for NETCONF or RESTCONF based Management", Provisioning for NETCONF or RESTCONF based Management",
draft-ietf-netconf-zerotouch-19 (work in progress), draft-ietf-netconf-zerotouch-19 (work in progress),
October 2017. October 2017.
[I-D.ietf-opsawg-mud] [I-D.ietf-opsawg-mud]
Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
Description Specification", draft-ietf-opsawg-mud-13 (work Description Specification", draft-ietf-opsawg-mud-15 (work
in progress), October 2017. in progress), January 2018.
[I-D.richardson-anima-state-for-joinrouter] [I-D.richardson-anima-state-for-joinrouter]
Richardson, M., "Considerations for stateful vs stateless Richardson, M., "Considerations for stateful vs stateless
join router in ANIMA bootstrap", draft-richardson-anima- join router in ANIMA bootstrap", draft-richardson-anima-
state-for-joinrouter-01 (work in progress), July 2016. state-for-joinrouter-02 (work in progress), January 2018.
[I-D.vanderstok-ace-coap-est] [I-D.vanderstok-ace-coap-est]
Kumar, S., Stok, P., Kampanakis, P., Furuhed, M., and S. Stok, P., Kampanakis, P., Kumar, S., Richardson, M.,
Raza, "EST over secure CoAP (EST-coaps)", draft- Furuhed, M., and S. Raza, "EST over secure CoAP (EST-
vanderstok-ace-coap-est-02 (work in progress), June 2017. coaps)", draft-vanderstok-ace-coap-est-04 (work in
progress), January 2018.
[imprinting] [imprinting]
Wikipedia, "Wikipedia article: Imprinting", July 2015, Wikipedia, "Wikipedia article: Imprinting", July 2015,
<https://en.wikipedia.org/wiki/Imprinting_(psychology)>. <https://en.wikipedia.org/wiki/Imprinting_(psychology)>.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473,
December 1998, <https://www.rfc-editor.org/info/rfc2473>. December 1998, <https://www.rfc-editor.org/info/rfc2473>.
[RFC7217] Gont, F., "A Method for Generating Semantically Opaque [RFC7217] Gont, F., "A Method for Generating Semantically Opaque
skipping to change at page 61, line 12 skipping to change at page 63, line 12
c3o= c3o=
-----END CERTIFICATE----- -----END CERTIFICATE-----
The registrar public certificate as decoded by openssl's x509 The registrar public certificate as decoded by openssl's x509
utility. Note that the registrar certificate is marked with the utility. Note that the registrar certificate is marked with the
cmcRA extension. cmcRA extension.
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 3 (0x3) Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA384 Signature Algorithm: ecdsa-with-SHA384
Issuer: DC=ca, DC=sandelman, CN=Unstrung Fountain CA Issuer: DC = ca, DC = sandelman, CN = Unstrung Fount
ain CA
Validity Validity
Not Before: Sep 5 01:12:45 2017 GMT Not Before: Sep 5 01:12:45 2017 GMT
Not After : Sep 5 01:12:45 2019 GMT Not After : Sep 5 01:12:45 2019 GMT
Subject: DC=ca, DC=sandelman, CN=localhost Subject: DC = ca, DC = sandelman, CN = localhost
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey Public Key Algorithm: id-ecPublicKey
EC Public Key: Public-Key: (256 bit)
pub: pub:
04:35:64:0e:cd:c3:4c:52:33:f4:36:bb:5f:7 04:35:64:0e:cd:c3:4c:52:33:f4:36:bb:5f:7
8:17: 8:17:
34:0c:92:d6:7d:e3:06:80:21:5d:22:fe:85:5 34:0c:92:d6:7d:e3:06:80:21:5d:22:fe:85:5
3:3e: 3:3e:
03:89:f3:35:ba:33:01:79:cf:e0:e9:6f:cf:e 03:89:f3:35:ba:33:01:79:cf:e0:e9:6f:cf:e
9:ba: 9:ba:
13:9b:24:c6:74:53:a1:ff:c1:f0:29:47:ab:2 13:9b:24:c6:74:53:a1:ff:c1:f0:29:47:ab:2
f:96: f:96:
e9:9d:e2:bc:b2 e9:9d:e2:bc:b2
ASN1 OID: prime256v1 ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions: X509v3 extensions:
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:FALSE CA:FALSE
Signature Algorithm: ecdsa-with-SHA384 Signature Algorithm: ecdsa-with-SHA384
30:66:02:31:00:b7:fe:24:d0:27:77:af:61:87:20:6d:78:5 30:66:02:31:00:b7:fe:24:d0:27:77:af:61:87:20:6d:78:
b: 5b:
9b:3a:e9:eb:8b:77:40:2e:aa:8c:87:98:da:39:03:c7:4e:b 9b:3a:e9:eb:8b:77:40:2e:aa:8c:87:98:da:39:03:c7:4e:
6: b6:
9e:e3:62:7d:52:ad:c9:a6:ab:6b:71:77:d0:02:24:29:21:0 9e:e3:62:7d:52:ad:c9:a6:ab:6b:71:77:d0:02:24:29:21:
2: 02:
31:00:e2:db:d7:9f:6d:32:db:76:d0:e4:de:d7:9c:63:fa:c 31:00:e2:db:d7:9f:6d:32:db:76:d0:e4:de:d7:9c:63:fa:
3: c3:
ed:5e:fb:5d:a2:7a:9d:80:a6:74:30:91:e7:84:eb:48:53:4 ed:5e:fb:5d:a2:7a:9d:80:a6:74:30:91:e7:84:eb:48:53:
b: 4b:
83:1b:ed:d6:5c:85:33:ed:1f:62:96:11:73:7a 83:1b:ed:d6:5c:85:33:ed:1f:62:96:11:73:7a
E.1.4. Pledge key pair E.1.4. Pledge key pair
The pledge has an IDevID key pair built in at manufacturing time: The pledge has an IDevID key pair built in at manufacturing time:
-----BEGIN EC PRIVATE KEY----- -----BEGIN EC PRIVATE KEY-----
MHcCAQEEIL+ue8PQcN+M7LFBGPsompYwobI/rsoHnTb2a+0hO+8joAoGCCqGSM49 MHcCAQEEIL+ue8PQcN+M7LFBGPsompYwobI/rsoHnTb2a+0hO+8joAoGCCqGSM49
AwEHoUQDQgAEumBVaDlX87WyME8CJToyt9NWy6sYw0DTbjjJIn79pgr7ALa//Y8p AwEHoUQDQgAEumBVaDlX87WyME8CJToyt9NWy6sYw0DTbjjJIn79pgr7ALa//Y8p
r70WpK1SIaiUeeFw7e+lCzTp1Z+wJu14Bg== r70WpK1SIaiUeeFw7e+lCzTp1Z+wJu14Bg==
-----END EC PRIVATE KEY----- -----END EC PRIVATE KEY-----
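Review bot: the lead-in to the registrar certificate says it "is marked with the cmcRA extension", but the decoded output lists only X509v3 Basic Constraints with CA:FALSE under X509v3 extensions, in both versions. Either regenerate the example certificate so the cmcRA marking is visible in the dump, or drop the sentence. The re-wrapped Issuer line now splits "Unstrung Fountain CA" across two lines ("Unstrung Fount" / "ain CA"), which makes the name harder to search for and compare; wrapping at the comma would avoid that.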
skipping to change at page 63, line 9 skipping to change at page 64, line 45
The pledge public certificate as decoded by openssl's x509 utility so The pledge public certificate as decoded by openssl's x509 utility so
that the extensions can be seen. A second custom Extension is that the extensions can be seen. A second custom Extension is
included to provided to contain the EUI48/EUI64 that the pledge will included to provided to contain the EUI48/EUI64 that the pledge will
configure. configure.
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 12 (0xc) Serial Number: 12 (0xc)
Signature Algorithm: ecdsa-with-SHA256 Signature Algorithm: ecdsa-with-SHA256
Issuer: DC=ca, DC=sandelman, CN=Unstrung Highway CA Issuer: DC = ca, DC = sandelman, CN = Unstrung Highw
ay CA
Validity Validity
Not Before: Oct 12 13:52:52 2017 GMT Not Before: Oct 12 13:52:52 2017 GMT
Not After : Dec 31 00:00:00 2999 GMT Not After : Dec 31 00:00:00 2999 GMT
Subject: DC=ca, DC=sandelman, CN=00-D0-E5-F2-00-02 Subject: DC = ca, DC = sandelman, CN = 00-D0-E5-F2-0
0-02
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey Public Key Algorithm: id-ecPublicKey
EC Public Key: Public-Key: (256 bit)
pub: pub:
04:49:a7:98:b4:75:4d:5a:52:74:76:bb:cc:0 04:49:a7:98:b4:75:4d:5a:52:74:76:bb:cc:0
c:47: c:47:
08:24:36:ea:4d:6c:d3:3b:9b:59:f4:9a:3f:b 08:24:36:ea:4d:6c:d3:3b:9b:59:f4:9a:3f:b
4:28: 4:28:
96:63:70:f2:2a:20:3f:ad:ac:f8:d3:4a:86:e 96:63:70:f2:2a:20:3f:ad:ac:f8:d3:4a:86:e
d:b8: d:b8:
87:69:44:f7:c6:67:c8:54:fe:72:14:bd:ea:b 87:69:44:f7:c6:67:c8:54:fe:72:14:bd:ea:b
0:ca: 0:ca:
86:08:f0:13:db 86:08:f0:13:db
ASN1 OID: prime256v1 ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions: X509v3 extensions:
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
1D:31:16:61:B6:11:50:9B:3C:FA:13:B6:15:5F:39 1D:31:16:61:B6:11:50:9B:3C:FA:13:B6:15:5F:39
:0B:ED:76:43:2A :0B:ED:76:43:2A
X509v3 Basic Constraints: X509v3 Basic Constraints:
CA:FALSE CA:FALSE
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
othername:<unsupported> othername:<unsupported>
1.3.6.1.4.1.46930.2: 1.3.6.1.4.1.46930.2:
..https://highway.sandelman.ca ..https://highway.sandelman.ca
Signature Algorithm: ecdsa-with-SHA256 Signature Algorithm: ecdsa-with-SHA256
30:66:02:31:00:e1:27:53:7e:79:a9:d6:d5:4f:de:e6:aa:0 30:66:02:31:00:e1:27:53:7e:79:a9:d6:d5:4f:de:e6:aa:
c: 0c:
48:6b:d4:bd:61:d1:ee:e8:9c:f1:c2:5b:87:bb:d7:cb:9f:3 48:6b:d4:bd:61:d1:ee:e8:9c:f1:c2:5b:87:bb:d7:cb:9f:
4: 34:
9c:1b:3c:6e:93:67:eb:49:3f:f8:8c:ef:11:47:ad:33:32:0 9c:1b:3c:6e:93:67:eb:49:3f:f8:8c:ef:11:47:ad:33:32:
2: 02:
31:00:ab:d6:ec:6f:75:87:8a:ab:b9:9b:45:70:91:e1:90:8 31:00:ab:d6:ec:6f:75:87:8a:ab:b9:9b:45:70:91:e1:90:
9: 89:
b3:0e:bb:7c:9e:e3:c9:76:5b:09:44:a2:af:ed:f0:05:3d:b b3:0e:bb:7c:9e:e3:c9:76:5b:09:44:a2:af:ed:f0:05:3d:
e: be:
95:68:20:cc:f0:d1:81:80:79:00:16:fb:b0:0c 95:68:20:cc:f0:d1:81:80:79:00:16:fb:b0:0c
E.2. Example process E.2. Example process
RFC-EDITOR: these examples will need to be replaced with CMS versions RFC-EDITOR: these examples will need to be replaced with CMS versions
once IANA has assigned the eContentType in [I-D.ietf-anima-voucher]. once IANA has assigned the eContentType in [I-D.ietf-anima-voucher].
E.2.1. Pledge to Registrar E.2.1. Pledge to Registrar
As described in Section 5.2, the pledge will sign a pledge voucher- As described in Section 5.2, the pledge will sign a pledge voucher-
request containing the Registrar's public key in the proximity- request containing the Registrar's public key in the proximity-
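Review bot: the lead-in to the pledge certificate describes only one custom extension, "to contain the EUI48/EUI64", while the decoded output shows two private items: an othername in Subject Alternative Name that openssl prints as <unsupported>, and extension 1.3.6.1.4.1.46930.2 carrying https://highway.sandelman.ca. Say which one holds the EUI and what the URL extension is for; if it is the MASA URL, note that the example uses a private OID rather than the id-pe-masa-url value requested in section 7.1. The sentence also needs its grammar fixed ("included to provided to contain").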
skipping to change at page 65, line 51 skipping to change at page 67, line 5
CSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglg CSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglg
hkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3 hkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3
DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEYw DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEYw
RAIgYUy0NTdP+xTkm/Et69eI++S/2z3dQwPKOwdL0cDCSvACIAh3jJbybMnK RAIgYUy0NTdP+xTkm/Et69eI++S/2z3dQwPKOwdL0cDCSvACIAh3jJbybMnK
cf7DKKnsn2G/O06HeB/8imMI+hnA7CfN cf7DKKnsn2G/O06HeB/8imMI+hnA7CfN
file: examples/vr_00-D0-E5-F2-00-02.pkcs file: examples/vr_00-D0-E5-F2-00-02.pkcs
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
0:d=0 hl=4 l=1820 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signed
Data
15:d=1 hl=4 l=1805 cons: cont [ 0 ]
19:d=2 hl=4 l=1801 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=4 l= 782 cons: SEQUENCE
47:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
58:d=4 hl=4 l= 767 cons: cont [ 0 ]
62:d=5 hl=4 l= 763 prim: OCTET STRING :{"ietf-vouch
er-request:voucher":{"assertion":"proximity","created-on":"2
017-09-01","serial-number":"00-D0-E5-F2-00-02","nonce":"Dss9
9sBr3pNMOACe-LYY7w","proximity-registrar-cert":"MIIBrjCCATOg
AwIBAgIBAzAKBggqhkjOPQQDAzBOMRIwEAYKCZImiZPyLGQBGRYCY2ExGTAX
BgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHTAbBgNVBAMMFFVuc3RydW5nIEZv
dW50YWluIENBMB4XDTE3MDkwNTAxMTI0NVoXDTE5MDkwNTAxMTI0NVowQzES
MBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJc2FuZGVsbWFu
MRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AAQ1ZA7Nw0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6MwF5z+Dpb8/p
uhObJMZ0U6H/wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49
BAMDA2kAMGYCMQC3/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY2jkDx062nuNi
fVKtyaara3F30AIkKSECMQDi29efbTLbdtDk3tecY/rD7V77XaJ6nYCmdDCR
54TrSFNLgxvt1lyFM+0fYpYRc3o="}}
829:d=3 hl=4 l= 566 cons: cont [ 0 ]
833:d=4 hl=4 l= 562 cons: SEQUENCE
837:d=5 hl=4 l= 439 cons: SEQUENCE
841:d=6 hl=2 l= 3 cons: cont [ 0 ]
843:d=7 hl=2 l= 1 prim: INTEGER :02
846:d=6 hl=2 l= 1 prim: INTEGER :0C
849:d=6 hl=2 l= 10 cons: SEQUENCE
851:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
861:d=6 hl=2 l= 77 cons: SEQUENCE
863:d=7 hl=2 l= 18 cons: SET
865:d=8 hl=2 l= 16 cons: SEQUENCE
867:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
879:d=9 hl=2 l= 2 prim: IA5STRING :ca
883:d=7 hl=2 l= 25 cons: SET
885:d=8 hl=2 l= 23 cons: SEQUENCE
887:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
899:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
910:d=7 hl=2 l= 28 cons: SET
912:d=8 hl=2 l= 26 cons: SEQUENCE
914:d=9 hl=2 l= 3 prim: OBJECT :commonName
919:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Hig
hway CA
940:d=6 hl=2 l= 32 cons: SEQUENCE
942:d=7 hl=2 l= 13 prim: UTCTIME :171012135252
Z
957:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :299912310000
00Z
974:d=6 hl=2 l= 75 cons: SEQUENCE
976:d=7 hl=2 l= 18 cons: SET
978:d=8 hl=2 l= 16 cons: SEQUENCE
980:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
992:d=9 hl=2 l= 2 prim: IA5STRING :ca
996:d=7 hl=2 l= 25 cons: SET
998:d=8 hl=2 l= 23 cons: SEQUENCE
1000:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1012:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
1023:d=7 hl=2 l= 26 cons: SET
1025:d=8 hl=2 l= 24 cons: SEQUENCE
1027:d=9 hl=2 l= 3 prim: OBJECT :commonName
1032:d=9 hl=2 l= 17 prim: UTF8STRING :00-D0-E5-F2-
00-02
1051:d=6 hl=2 l= 89 cons: SEQUENCE
1053:d=7 hl=2 l= 19 cons: SEQUENCE
1055:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicK
ey
1064:d=8 hl=2 l= 8 prim: OBJECT :prime256v1
1074:d=7 hl=2 l= 66 prim: BIT STRING
1142:d=6 hl=3 l= 135 cons: cont [ 3 ]
1145:d=7 hl=3 l= 132 cons: SEQUENCE
1148:d=8 hl=2 l= 29 cons: SEQUENCE
1150:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subje
ct Key Identifier
1155:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04
141D311661B611509B3CFA13B6155F390BED76432A
1179:d=8 hl=2 l= 9 cons: SEQUENCE
1181:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic
Constraints
1186:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:30
00
1190:d=8 hl=2 l= 43 cons: SEQUENCE
1192:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subje
ct Alternative Name
1197:d=9 hl=2 l= 36 prim: OCTET STRING [HEX DUMP]:30
22A02006092B0601040182EE5201A0130C1130302D44302D45352D46322D
30302D3032
1235:d=8 hl=2 l= 43 cons: SEQUENCE
1237:d=9 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.
46930.2
1248:d=9 hl=2 l= 30 prim: OCTET STRING [HEX DUMP]:0C
1C68747470733A2F2F686967687761792E73616E64656C6D616E2E6361
1280:d=5 hl=2 l= 10 cons: SEQUENCE
1282:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
1292:d=5 hl=2 l= 105 prim: BIT STRING
1399:d=3 hl=4 l= 421 cons: SET
1403:d=4 hl=4 l= 417 cons: SEQUENCE
1407:d=5 hl=2 l= 1 prim: INTEGER :01
1410:d=5 hl=2 l= 82 cons: SEQUENCE
1412:d=6 hl=2 l= 77 cons: SEQUENCE
1414:d=7 hl=2 l= 18 cons: SET
1416:d=8 hl=2 l= 16 cons: SEQUENCE
1418:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1430:d=9 hl=2 l= 2 prim: IA5STRING :ca
1434:d=7 hl=2 l= 25 cons: SET
1436:d=8 hl=2 l= 23 cons: SEQUENCE
1438:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1450:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
1461:d=7 hl=2 l= 28 cons: SET
1463:d=8 hl=2 l= 26 cons: SEQUENCE
1465:d=9 hl=2 l= 3 prim: OBJECT :commonName
1470:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Hig
hway CA
1491:d=6 hl=2 l= 1 prim: INTEGER :0C
1494:d=5 hl=2 l= 13 cons: SEQUENCE
1496:d=6 hl=2 l= 9 prim: OBJECT :sha256
1507:d=6 hl=2 l= 0 prim: NULL
1509:d=5 hl=3 l= 228 cons: cont [ 0 ]
1512:d=6 hl=2 l= 24 cons: SEQUENCE
1514:d=7 hl=2 l= 9 prim: OBJECT :contentType
1525:d=7 hl=2 l= 11 cons: SET
1527:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
1538:d=6 hl=2 l= 28 cons: SEQUENCE
1540:d=7 hl=2 l= 9 prim: OBJECT :signingTime
1551:d=7 hl=2 l= 15 cons: SET
1553:d=8 hl=2 l= 13 prim: UTCTIME :171012175430
Z
1568:d=6 hl=2 l= 47 cons: SEQUENCE
1570:d=7 hl=2 l= 9 prim: OBJECT :messageDiges
t
1581:d=7 hl=2 l= 34 cons: SET
1583:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:FE
7D72E29500F90A38E95021A215FD6D40B1629B99598177DC054AE0F9C8B6
9F
1617:d=6 hl=2 l= 121 cons: SEQUENCE
1619:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capab
ilities
1630:d=7 hl=2 l= 108 cons: SET
1632:d=8 hl=2 l= 106 cons: SEQUENCE
1634:d=9 hl=2 l= 11 cons: SEQUENCE
1636:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
1647:d=9 hl=2 l= 11 cons: SEQUENCE
1649:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
1660:d=9 hl=2 l= 11 cons: SEQUENCE
1662:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
1673:d=9 hl=2 l= 10 cons: SEQUENCE
1675:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
1685:d=9 hl=2 l= 14 cons: SEQUENCE
1687:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1697:d=10 hl=2 l= 2 prim: INTEGER :80
1701:d=9 hl=2 l= 13 cons: SEQUENCE
1703:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1713:d=10 hl=2 l= 1 prim: INTEGER :40
1716:d=9 hl=2 l= 7 cons: SEQUENCE
1718:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
1725:d=9 hl=2 l= 13 cons: SEQUENCE
1727:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1737:d=10 hl=2 l= 1 prim: INTEGER :28
1740:d=5 hl=2 l= 10 cons: SEQUENCE
1742:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
1752:d=5 hl=2 l= 70 prim: OCTET STRING [HEX DUMP]:30
440220614CB435374FFB14E49BF12DEBD788FBE4BFDB3DDD4303CA3B074B
D1C0C24AF0022008778C96F26CC9CA71FEC328A9EC9F61BF3B4E87781FFC
8A6308FA19C0EC27CD
The JSON contained in the voucher request: The JSON contained in the voucher request:
{"ietf-voucher-request:voucher":{"assertion":"proximity","cr
eated-on":"2017-09-01","serial-number":"00-D0-E5-F2-00-02","
nonce":"Dss99sBr3pNMOACe-LYY7w","proximity-registrar-cert":"
MIIBrjCCATOgAwIBAgIBAzAKBggqhkjOPQQDAzBOMRIwEAYKCZImiZPyLGQB
GRYCY2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHTAbBgNVBAMMFFVu
c3RydW5nIEZvdW50YWluIENBMB4XDTE3MDkwNTAxMTI0NVoXDTE5MDkwNTAx
MTI0NVowQzESMBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJ
c2FuZGVsbWFuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQ1ZA7Nw0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6
MwF5z+Dpb8/puhObJMZ0U6H/wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAA
MAoGCCqGSM49BAMDA2kAMGYCMQC3/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY
2jkDx062nuNifVKtyaara3F30AIkKSECMQDi29efbTLbdtDk3tecY/rD7V77
XaJ6nYCmdDCR54TrSFNLgxvt1lyFM+0fYpYRc3o="}}
E.2.2. Registrar to MASA E.2.2. Registrar to MASA
As described in Section 5.4 the Registrar will sign a registrar As described in Section 5.4 the Registrar will sign a registrar
voucher-request, and will include pledge's voucher request in the voucher-request, and will include pledge's voucher request in the
prior-signed-voucher-request. prior-signed-voucher-request.
MIIN2gYJKoZIhvcNAQcCoIINyzCCDccCAQExDzANBglghkgBZQMEAgEFADCC MIIN2gYJKoZIhvcNAQcCoIINyzCCDccCAQExDzANBglghkgBZQMEAgEFADCC
Ck4GCSqGSIb3DQEHAaCCCj8Eggo7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2 Ck4GCSqGSIb3DQEHAaCCCj8Eggo7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2
b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i
OiIyMDE3LTA5LTE1VDAwOjAwOjAwLjAwMFoiLCJzZXJpYWwtbnVtYmVyIjoi OiIyMDE3LTA5LTE1VDAwOjAwOjAwLjAwMFoiLCJzZXJpYWwtbnVtYmVyIjoi
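Review bot: the pledge voucher-request decoded in E.2.1 carries serial-number "00-D0-E5-F2-00-02" and nonce "Dss99sBr3pNMOACe-LYY7w", but the registrar voucher-request decoded for E.2.2 in the next hunk carries serial-number "JADA123456789" and nonce "abcd1234" around that same pledge request. An example meant to show the Registrar forwarding the pledge's request should carry the pledge's values, otherwise implementers testing against it will see a mismatch between the outer request and the prior-signed-voucher-request. The created-on values are also inconsistent: the pledge uses the date-only "2017-09-01" while the registrar uses "2017-09-15T00:00:00.000Z"; pick the full timestamp form for both.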
skipping to change at page 67, line 46 skipping to change at page 73, line 12
OsxlACaW/HenAqNwMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsG OsxlACaW/HenAqNwMHkGCSqGSIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsG
CWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcN CWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcN
AwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo AwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo
MAoGCCqGSM49BAMCBEcwRQIgDdp5uPUlMKp7GFQAD7ypAgqFv8q+KkJt6c3O MAoGCCqGSM49BAMCBEcwRQIgDdp5uPUlMKp7GFQAD7ypAgqFv8q+KkJt6c3O
7iVpVI8CIQCD1u8BkxipvigwvIDmWfjlYdJxcvozNjffq5j3UHg7Rg== 7iVpVI8CIQCD1u8BkxipvigwvIDmWfjlYdJxcvozNjffq5j3UHg7Rg==
file: examples/parboiled_vr_00-D0-E5-F2-00-02.pkcs file: examples/parboiled_vr_00-D0-E5-F2-00-02.pkcs
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
0:d=0 hl=4 l=3546 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signed
Data
15:d=1 hl=4 l=3531 cons: cont [ 0 ]
19:d=2 hl=4 l=3527 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=4 l=2638 cons: SEQUENCE
47:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
58:d=4 hl=4 l=2623 cons: cont [ 0 ]
62:d=5 hl=4 l=2619 prim: OCTET STRING :{"ietf-vouch
er-request:voucher":{"assertion":"proximity","created-on":"2
017-09-15T00:00:00.000Z","serial-number":"JADA123456789","no
nce":"abcd1234","prior-signed-voucher-request":"MIIHHQYJKoZI
hvcNAQcCoIIHDjCCBwoCAQExDzANBglghkgBZQMEAgEFADCCAw4GCSqGSIb3
DQEHAaCCAv8EggL7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2b3VjaGVyIjp7
ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24iOiIyMDE3LTA5
LTAxIiwic2VyaWFsLW51bWJlciI6IjAwLUQwLUU1LUYyLTAwLTAyIiwibm9u
Y2UiOiJEc3M5OXNCcjNwTk1PQUNlLUxZWTd3IiwicHJveGltaXR5LXJlZ2lz
dHJhci1jZXJ0IjoiTUlJQnJqQ0NBVE9nQXdJQkFnSUJBekFLQmdncWhrak9Q
UVFEQXpCT01SSXdFQVlLQ1pJbWlaUHlMR1FCR1JZQ1kyRXhHVEFYQmdvSmtp
YUprL0lzWkFFWkZnbHpZVzVrWld4dFlXNHhIVEFiQmdOVkJBTU1GRlZ1YzNS
eWRXNW5JRVp2ZFc1MFlXbHVJRU5CTUI0WERURTNNRGt3TlRBeE1USTBOVm9Y
RFRFNU1Ea3dOVEF4TVRJME5Wb3dRekVTTUJBR0NnbVNKb21UOGl4a0FSa1dB
bU5oTVJrd0Z3WUtDWkltaVpQeUxHUUJHUllKYzJGdVpHVnNiV0Z1TVJJd0VB
WURWUVFEREFsc2IyTmhiR2h2YzNRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtq
T1BRTUJCd05DQUFRMVpBN053MHhTTS9RMnUxOTRGelFNa3RaOTR3YUFJVjBp
L29WVFBnT0o4elc2TXdGNXorRHBiOC9wdWhPYkpNWjBVNkgvd2ZBcFI2c3Zs
dW1kNHJ5eW93MHdDekFKQmdOVkhSTUVBakFBTUFvR0NDcUdTTTQ5QkFNREEy
a0FNR1lDTVFDMy9pVFFKM2V2WVljZ2JYaGJtenJwNjR0M1FDNnFqSWVZMmpr
RHgwNjJudU5pZlZLdHlhYXJhM0YzMEFJa0tTRUNNUURpMjllZmJUTGJkdERr
M3RlY1kvckQ3Vjc3WGFKNm5ZQ21kRENSNTRUclNGTkxneHZ0MWx5Rk0rMGZZ
cFlSYzNvPSJ9faCCAjYwggIyMIIBt6ADAgECAgEMMAoGCCqGSM49BAMCME0x
EjAQBgoJkiaJk/IsZAEZFgJjYTEZMBcGCgmSJomT8ixkARkWCXNhbmRlbG1h
bjEcMBoGA1UEAwwTVW5zdHJ1bmcgSGlnaHdheSBDQTAgFw0xNzEwMTIxMzUy
NTJaGA8yOTk5MTIzMTAwMDAwMFowSzESMBAGCgmSJomT8ixkARkWAmNhMRkw
FwYKCZImiZPyLGQBGRYJc2FuZGVsbWFuMRowGAYDVQQDDBEwMC1EMC1FNS1G
Mi0wMC0wMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEmnmLR1TVpSdHa7
zAxHCCQ26k1s0zubWfSaP7QolmNw8iogP62s+NNKhu24h2lE98ZnyFT+chS9
6rDKhgjwE9ujgYcwgYQwHQYDVR0OBBYEFB0xFmG2EVCbPPoTthVfOQvtdkMq
MAkGA1UdEwQCMAAwKwYDVR0RBCQwIqAgBgkrBgEEAYLuUgGgEwwRMDAtRDAt
RTUtRjItMDAtMDIwKwYJKwYBBAGC7lICBB4MHGh0dHBzOi8vaGlnaHdheS5z
YW5kZWxtYW4uY2EwCgYIKoZIzj0EAwIDaQAwZgIxAOEnU355qdbVT97mqgxI
a9S9YdHu6JzxwluHu9fLnzScGzxuk2frST/4jO8RR60zMgIxAKvW7G91h4qr
uZtFcJHhkImzDrt8nuPJdlsJRKKv7fAFPb6VaCDM8NGBgHkAFvuwDDGCAaYw
ggGiAgEBMFIwTTESMBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQB
GRYJc2FuZGVsbWFuMRwwGgYDVQQDDBNVbnN0cnVuZyBIaWdod2F5IENBAgEM
MA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTE3MTAxMjEzNTgyM1owLwYJKoZIhvcNAQkEMSIE
IP59cuKVAPkKOOlQIaIV/W1AsWKbmVmBd9wFSuD5yLafMHkGCSqGSIb3DQEJ
DzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIw
CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMAoGCCqGSM49BAMCBEcwRQIgEMg1dJL7
FcdtrVDx8qCazoe9+22Nz4ZwRB9gATGL7MMCIQDjssUlZzJqp2/kCd4WhxUh
saCpTFwPrnNew5wCkYUF8Q=="}}
2685:d=3 hl=4 l= 434 cons: cont [ 0 ]
2689:d=4 hl=4 l= 430 cons: SEQUENCE
2693:d=5 hl=4 l= 307 cons: SEQUENCE
2697:d=6 hl=2 l= 3 cons: cont [ 0 ]
2699:d=7 hl=2 l= 1 prim: INTEGER :02
2702:d=6 hl=2 l= 1 prim: INTEGER :03
2705:d=6 hl=2 l= 10 cons: SEQUENCE
2707:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA384
2717:d=6 hl=2 l= 78 cons: SEQUENCE
2719:d=7 hl=2 l= 18 cons: SET
2721:d=8 hl=2 l= 16 cons: SEQUENCE
2723:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
2735:d=9 hl=2 l= 2 prim: IA5STRING :ca
2739:d=7 hl=2 l= 25 cons: SET
2741:d=8 hl=2 l= 23 cons: SEQUENCE
2743:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
2755:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
2766:d=7 hl=2 l= 29 cons: SET
2768:d=8 hl=2 l= 27 cons: SEQUENCE
2770:d=9 hl=2 l= 3 prim: OBJECT :commonName
2775:d=9 hl=2 l= 20 prim: UTF8STRING :Unstrung Fou
ntain CA
2797:d=6 hl=2 l= 30 cons: SEQUENCE
2799:d=7 hl=2 l= 13 prim: UTCTIME :170905011245
Z
2814:d=7 hl=2 l= 13 prim: UTCTIME :190905011245
Z
2829:d=6 hl=2 l= 67 cons: SEQUENCE
2831:d=7 hl=2 l= 18 cons: SET
2833:d=8 hl=2 l= 16 cons: SEQUENCE
2835:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
2847:d=9 hl=2 l= 2 prim: IA5STRING :ca
2851:d=7 hl=2 l= 25 cons: SET
2853:d=8 hl=2 l= 23 cons: SEQUENCE
2855:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
2867:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
2878:d=7 hl=2 l= 18 cons: SET
2880:d=8 hl=2 l= 16 cons: SEQUENCE
2882:d=9 hl=2 l= 3 prim: OBJECT :commonName
2887:d=9 hl=2 l= 9 prim: UTF8STRING :localhost
2898:d=6 hl=2 l= 89 cons: SEQUENCE
2900:d=7 hl=2 l= 19 cons: SEQUENCE
2902:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicK
ey
2911:d=8 hl=2 l= 8 prim: OBJECT :prime256v1
2921:d=7 hl=2 l= 66 prim: BIT STRING
2989:d=6 hl=2 l= 13 cons: cont [ 3 ]
2991:d=7 hl=2 l= 11 cons: SEQUENCE
2993:d=8 hl=2 l= 9 cons: SEQUENCE
2995:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic
Constraints
3000:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:30
00
3004:d=5 hl=2 l= 10 cons: SEQUENCE
3006:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA384
3016:d=5 hl=2 l= 105 prim: BIT STRING
3123:d=3 hl=4 l= 423 cons: SET
3127:d=4 hl=4 l= 419 cons: SEQUENCE
3131:d=5 hl=2 l= 1 prim: INTEGER :01
3134:d=5 hl=2 l= 83 cons: SEQUENCE
3136:d=6 hl=2 l= 78 cons: SEQUENCE
3138:d=7 hl=2 l= 18 cons: SET
3140:d=8 hl=2 l= 16 cons: SEQUENCE
3142:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
3154:d=9 hl=2 l= 2 prim: IA5STRING :ca
3158:d=7 hl=2 l= 25 cons: SET
3160:d=8 hl=2 l= 23 cons: SEQUENCE
3162:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
3174:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
3185:d=7 hl=2 l= 29 cons: SET
3187:d=8 hl=2 l= 27 cons: SEQUENCE
3189:d=9 hl=2 l= 3 prim: OBJECT :commonName
3194:d=9 hl=2 l= 20 prim: UTF8STRING :Unstrung Fou
ntain CA
3216:d=6 hl=2 l= 1 prim: INTEGER :03
3219:d=5 hl=2 l= 13 cons: SEQUENCE
3221:d=6 hl=2 l= 9 prim: OBJECT :sha256
3232:d=6 hl=2 l= 0 prim: NULL
3234:d=5 hl=3 l= 228 cons: cont [ 0 ]
3237:d=6 hl=2 l= 24 cons: SEQUENCE
3239:d=7 hl=2 l= 9 prim: OBJECT :contentType
3250:d=7 hl=2 l= 11 cons: SET
3252:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
3263:d=6 hl=2 l= 28 cons: SEQUENCE
3265:d=7 hl=2 l= 9 prim: OBJECT :signingTime
3276:d=7 hl=2 l= 15 cons: SET
3278:d=8 hl=2 l= 13 prim: UTCTIME :171026013618
Z
3293:d=6 hl=2 l= 47 cons: SEQUENCE
3295:d=7 hl=2 l= 9 prim: OBJECT :messageDiges
t
3306:d=7 hl=2 l= 34 cons: SET
3308:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:44
0133BDCF6733E8EED13D323F2042F69A61E3103ACC65002696FC77A702A3
70
3342:d=6 hl=2 l= 121 cons: SEQUENCE
3344:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capab
ilities
3355:d=7 hl=2 l= 108 cons: SET
3357:d=8 hl=2 l= 106 cons: SEQUENCE
3359:d=9 hl=2 l= 11 cons: SEQUENCE
3361:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
3372:d=9 hl=2 l= 11 cons: SEQUENCE
3374:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
3385:d=9 hl=2 l= 11 cons: SEQUENCE
3387:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
3398:d=9 hl=2 l= 10 cons: SEQUENCE
3400:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
3410:d=9 hl=2 l= 14 cons: SEQUENCE
3412:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3422:d=10 hl=2 l= 2 prim: INTEGER :80
3426:d=9 hl=2 l= 13 cons: SEQUENCE
3428:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3438:d=10 hl=2 l= 1 prim: INTEGER :40
3441:d=9 hl=2 l= 7 cons: SEQUENCE
3443:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
3450:d=9 hl=2 l= 13 cons: SEQUENCE
3452:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3462:d=10 hl=2 l= 1 prim: INTEGER :28
3465:d=5 hl=2 l= 10 cons: SEQUENCE
3467:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
3477:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30
4502200DDA79B8F52530AA7B1854000FBCA9020A85BFCABE2A426DE9CDCE
EE2569548F02210083D6EF019318A9BE2830BC80E659F8E561D27172FA33
3637DFAB98F750783B46
E.2.3. MASA to Registrar E.2.3. MASA to Registrar
The MASA will return a voucher to the Registrar, to be relayed to the The MASA will return a voucher to the Registrar, to be relayed to the
pledge. pledge.
MIIG3AYJKoZIhvcNAQcCoIIGzTCCBskCAQExDzANBglghkgBZQMEAgEFADCC MIIG3AYJKoZIhvcNAQcCoIIGzTCCBskCAQExDzANBglghkgBZQMEAgEFADCC
AxAGCSqGSIb3DQEHAaCCAwEEggL9eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6 AxAGCSqGSIb3DQEHAaCCAwEEggL9eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6
eyJhc3NlcnRpb24iOiJsb2dnZWQiLCJjcmVhdGVkLW9uIjoiMjAxNy0xMC0x eyJhc3NlcnRpb24iOiJsb2dnZWQiLCJjcmVhdGVkLW9uIjoiMjAxNy0xMC0x
MlQxMzo1NDozMS40MzktMDQ6MDAiLCJzZXJpYWwtbnVtYmVyIjoiMDAtRDAt MlQxMzo1NDozMS40MzktMDQ6MDAiLCJzZXJpYWwtbnVtYmVyIjoiMDAtRDAt
RTUtRjItMDAtMDIiLCJub25jZSI6IkRzczk5c0JyM3BOTU9BQ2UtTFlZN3ci RTUtRjItMDAtMDIiLCJub25jZSI6IkRzczk5c0JyM3BOTU9BQ2UtTFlZN3ci
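Review bot: The SignerInfo of the artifact decoded just before E.2.3 (signer certificate CN localhost) carries an S/MIME Capabilities signed attribute at offsets 3342 to 3462 that lists des-cbc and three rc2-cbc entries alongside the AES ciphers. These are content-encryption preferences and play no part in a signed-only object, so an implementer working from the example may assume the attribute is expected, or copy the legacy algorithm list into a product. Suggest regenerating the example without the attribute (if it was produced with OpenSSL's cms or smime signing command, the -nosmimecap option omits it) or adding a sentence saying the attribute is incidental to the signing tool. The MASA voucher decoded in E.2.3 carries the same attribute at offsets 1520 to 1640.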
skipping to change at page 69, line 5 skipping to change at page 78, line 50
AjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw AjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw
BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwCgYIKoZIzj0EAwIEZzBlAjEAhzid BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwCgYIKoZIzj0EAwIEZzBlAjEAhzid
/AkNjttpSP1rflNppdHsi324Z2+TXJxueewnJ8z/2NXb+Tf3DsThv7du00Oz /AkNjttpSP1rflNppdHsi324Z2+TXJxueewnJ8z/2NXb+Tf3DsThv7du00Oz
AjBjyOnmkkSKHsPR2JluA5c6wovuPEnNKP32daGGeFKGEHMkTInbrqipC881 AjBjyOnmkkSKHsPR2JluA5c6wovuPEnNKP32daGGeFKGEHMkTInbrqipC881
/5K9Q+k= /5K9Q+k=
file: examples/voucher_00-D0-E5-F2-00-02.pkcs file: examples/voucher_00-D0-E5-F2-00-02.pkcs
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
0:d=0 hl=4 l=1756 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signed
Data
15:d=1 hl=4 l=1741 cons: cont [ 0 ]
19:d=2 hl=4 l=1737 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=4 l= 784 cons: SEQUENCE
47:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
58:d=4 hl=4 l= 769 cons: cont [ 0 ]
62:d=5 hl=4 l= 765 prim: OCTET STRING :{"ietf-vouch
er:voucher":{"assertion":"logged","created-on":"2017-10-12T1
3:54:31.439-04:00","serial-number":"00-D0-E5-F2-00-02","nonc
e":"Dss99sBr3pNMOACe-LYY7w","pinned-domain-cert":"MIIBrjCCAT
OgAwIBAgIBAzAKBggqhkjOPQQDAzBOMRIwEAYKCZImiZPyLGQBGRYCY2ExGT
AXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHTAbBgNVBAMMFFVuc3RydW5nIE
ZvdW50YWluIENBMB4XDTE3MDkwNTAxMTI0NVoXDTE5MDkwNTAxMTI0NVowQz
ESMBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJc2FuZGVsbW
FuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBw
NCAAQ1ZA7Nw0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6MwF5z+Dpb8
/puhObJMZ0U6H/wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM
49BAMDA2kAMGYCMQC3/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY2jkDx062nu
NifVKtyaara3F30AIkKSECMQDi29efbTLbdtDk3tecY/rD7V77XaJ6nYCmdD
CR54TrSFNLgxvt1lyFM+0fYpYRc3o="}}
831:d=3 hl=4 l= 467 cons: cont [ 0 ]
835:d=4 hl=4 l= 463 cons: SEQUENCE
839:d=5 hl=4 l= 342 cons: SEQUENCE
843:d=6 hl=2 l= 3 cons: cont [ 0 ]
845:d=7 hl=2 l= 1 prim: INTEGER :02
848:d=6 hl=2 l= 1 prim: INTEGER :01
851:d=6 hl=2 l= 10 cons: SEQUENCE
853:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
863:d=6 hl=2 l= 77 cons: SEQUENCE
865:d=7 hl=2 l= 18 cons: SET
867:d=8 hl=2 l= 16 cons: SEQUENCE
869:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
881:d=9 hl=2 l= 2 prim: IA5STRING :ca
885:d=7 hl=2 l= 25 cons: SET
887:d=8 hl=2 l= 23 cons: SEQUENCE
889:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
901:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
912:d=7 hl=2 l= 28 cons: SET
914:d=8 hl=2 l= 26 cons: SEQUENCE
916:d=9 hl=2 l= 3 prim: OBJECT :commonName
921:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Hig
hway CA
942:d=6 hl=2 l= 30 cons: SEQUENCE
944:d=7 hl=2 l= 13 prim: UTCTIME :170326161940
Z
959:d=7 hl=2 l= 13 prim: UTCTIME :190326161940
Z
974:d=6 hl=2 l= 71 cons: SEQUENCE
976:d=7 hl=2 l= 18 cons: SET
978:d=8 hl=2 l= 16 cons: SEQUENCE
980:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
992:d=9 hl=2 l= 2 prim: IA5STRING :ca
996:d=7 hl=2 l= 25 cons: SET
998:d=8 hl=2 l= 23 cons: SEQUENCE
1000:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1012:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
1023:d=7 hl=2 l= 22 cons: SET
1025:d=8 hl=2 l= 20 cons: SEQUENCE
1027:d=9 hl=2 l= 3 prim: OBJECT :commonName
1032:d=9 hl=2 l= 13 prim: UTF8STRING :Unstrung MAS
A
1047:d=6 hl=2 l= 118 cons: SEQUENCE
1049:d=7 hl=2 l= 16 cons: SEQUENCE
1051:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicK
ey
1060:d=8 hl=2 l= 5 prim: OBJECT :secp384r1
1067:d=7 hl=2 l= 98 prim: BIT STRING
1167:d=6 hl=2 l= 16 cons: cont [ 3 ]
1169:d=7 hl=2 l= 14 cons: SEQUENCE
1171:d=8 hl=2 l= 12 cons: SEQUENCE
1173:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic
Constraints
1178:d=9 hl=2 l= 1 prim: BOOLEAN :255
1181:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:30
00
1185:d=5 hl=2 l= 10 cons: SEQUENCE
1187:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
1197:d=5 hl=2 l= 103 prim: BIT STRING
1302:d=3 hl=4 l= 454 cons: SET
1306:d=4 hl=4 l= 450 cons: SEQUENCE
1310:d=5 hl=2 l= 1 prim: INTEGER :01
1313:d=5 hl=2 l= 82 cons: SEQUENCE
1315:d=6 hl=2 l= 77 cons: SEQUENCE
1317:d=7 hl=2 l= 18 cons: SET
1319:d=8 hl=2 l= 16 cons: SEQUENCE
1321:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1333:d=9 hl=2 l= 2 prim: IA5STRING :ca
1337:d=7 hl=2 l= 25 cons: SET
1339:d=8 hl=2 l= 23 cons: SEQUENCE
1341:d=9 hl=2 l= 10 prim: OBJECT :domainCompon
ent
1353:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
1364:d=7 hl=2 l= 28 cons: SET
1366:d=8 hl=2 l= 26 cons: SEQUENCE
1368:d=9 hl=2 l= 3 prim: OBJECT :commonName
1373:d=9 hl=2 l= 19 prim: UTF8STRING :Unstrung Hig
hway CA
1394:d=6 hl=2 l= 1 prim: INTEGER :01
1397:d=5 hl=2 l= 13 cons: SEQUENCE
1399:d=6 hl=2 l= 9 prim: OBJECT :sha256
1410:d=6 hl=2 l= 0 prim: NULL
1412:d=5 hl=3 l= 228 cons: cont [ 0 ]
1415:d=6 hl=2 l= 24 cons: SEQUENCE
1417:d=7 hl=2 l= 9 prim: OBJECT :contentType
1428:d=7 hl=2 l= 11 cons: SET
1430:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
1441:d=6 hl=2 l= 28 cons: SEQUENCE
1443:d=7 hl=2 l= 9 prim: OBJECT :signingTime
1454:d=7 hl=2 l= 15 cons: SET
1456:d=8 hl=2 l= 13 prim: UTCTIME :171012175431
Z
1471:d=6 hl=2 l= 47 cons: SEQUENCE
1473:d=7 hl=2 l= 9 prim: OBJECT :messageDiges
t
1484:d=7 hl=2 l= 34 cons: SET
1486:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:41
79C6EB6F1C216F0CA187C1D658C30E52E5250971103DAD9E372F90B11F8B
1D
1520:d=6 hl=2 l= 121 cons: SEQUENCE
1522:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capab
ilities
1533:d=7 hl=2 l= 108 cons: SET
1535:d=8 hl=2 l= 106 cons: SEQUENCE
1537:d=9 hl=2 l= 11 cons: SEQUENCE
1539:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
1550:d=9 hl=2 l= 11 cons: SEQUENCE
1552:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
1563:d=9 hl=2 l= 11 cons: SEQUENCE
1565:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
1576:d=9 hl=2 l= 10 cons: SEQUENCE
1578:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
1588:d=9 hl=2 l= 14 cons: SEQUENCE
1590:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1600:d=10 hl=2 l= 2 prim: INTEGER :80
1604:d=9 hl=2 l= 13 cons: SEQUENCE
1606:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1616:d=10 hl=2 l= 1 prim: INTEGER :40
1619:d=9 hl=2 l= 7 cons: SEQUENCE
1621:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
1628:d=9 hl=2 l= 13 cons: SEQUENCE
1630:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
1640:d=10 hl=2 l= 1 prim: INTEGER :28
1643:d=5 hl=2 l= 10 cons: SEQUENCE
1645:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256
1655:d=5 hl=2 l= 103 prim: OCTET STRING [HEX DUMP]:30
6502310087389DFC090D8EDB6948FD6B7E5369A5D1EC8B7DB8676F935C9C
6E79EC2727CCFFD8D5DBF937F70EC4E1BFB76ED343B3023063C8E9E69244
8A1EC3D1D8996E03973AC28BEE3C49CD28FDF675A1867852861073244C89
DBAEA8A90BCF35FF92BD43E9
Authors' Addresses Authors' Addresses
Max Pritikin Max Pritikin
Cisco Cisco
Email: pritikin@cisco.com Email: pritikin@cisco.com
Michael C. Richardson Michael C. Richardson
Sandelman Software Works Sandelman Software Works
Email: mcr+ietf@sandelman.ca Email: mcr+ietf@sandelman.ca
URI: http://www.sandelman.ca/ URI: http://www.sandelman.ca/
Michael H. Behringer Michael H. Behringer
Cisco
Email: mbehring@cisco.com Email: Michael.H.Behring@gmail.com
Steinthor Bjarnason Steinthor Bjarnason
Arbor Networks Arbor Networks
Email: sbjarnason@arbor.net Email: sbjarnason@arbor.net
Kent Watsen Kent Watsen
Juniper Networks Juniper Networks
Email: kwatsen@juniper.net Email: kwatsen@juniper.net
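Review bot: The MASA voucher's signer certificate (CN Unstrung MASA, curve at offset 1060) holds a secp384r1 key, but the SignerInfo uses a sha256 digest with ecdsa-with-SHA256 (offsets 1399 and 1645), so the example pairs a P-384 key with a hash that caps the signature at roughly 128-bit strength. That is valid, but the CN localhost certificate in the preceding example is signed with ecdsa-with-SHA384, and a reader cannot tell whether the mix is deliberate; suggest signing the voucher with SHA-384 or stating which digest a MASA is expected to use with which curve. Separately, in Authors' Addresses the new address for Michael H. Behringer reads Michael.H.Behring@gmail.com, whose local part does not match the surname as spelled on the line above; worth confirming with the author before publication.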
 End of changes. 48 change blocks. 
167 lines changed or deleted 764 lines changed or added
