ietf-eat-profile: allow kid as alternative to x5chain for space-const…#97
fdamato wants to merge 1 commit into
…rained attesters Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>
| alternative to **x5chain** when attester space constraints prevent inclusion | ||
| of the full certificate chain. | ||
|
|
||
| Both **x5chain** and **kid** **SHALL NOT** appear simultaneously in the same |
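Review bot: on the last added line, "Both **x5chain** and **kid** **SHALL NOT** appear simultaneously" can be read as prohibiting each of the two parameters rather than only their combination; wording such as "x5chain and kid SHALL NOT both be present" (or "exactly one of x5chain or kid SHALL be present", if one of them is always required) removes the ambiguity. The visible lines also do not say how a verifier should treat a token that carries both, or how the kid value is derived and matched to the certificate chain that the verifier then has to obtain elsewhere; because kid only identifies a key and carries no certificates, that resolution step is worth stating next to this requirement.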
Any reason we need to be normative here?
No, probably not, but I would still prefer to use a single way to identify the key... perhaps we can change it to "SHOULD".
This is effectively a new profile or version of the profile.
I assumed that this would be only applicable to the ML-DSA version, which already required a new profile.
IMO we should try and have the new guidance be algorithm-agnostic; that being said, we could have the new profile version include both this and PQC.
I agree. We can perhaps allocate a new OID for a new profile that covers both ECDSA and MLDSA. The proposed change of this PR will only affect the new OID. Also, I would suggest registering a "profile_version" claim in CWT. This way, if in the future we want to make other "small" adjustments, those could be contained in the scope of the same OID by revving up the profile_version number. @bluegate010 / @steven-bellock are you ok with this?