Please see comments inline.
Regards,
Dale Gustafson
Stephen Farrell wrote:
> The credential format, the download and upload protocols, and the credential
That's likely to be self-evident when the details of what must be done to download and install credentials in a secure fashion are clear. Not obvious, right now, I agree.
> storage device’s unique capabilities may be highly interrelated in some cases.
> Shouldn't we say something about that in this section?
Agreed. But before we know what to say, we first need to figure out
if we've consensus that credentials are regarded (by the protocol) as
octet strings or whether the credential structure is "exposed" in the
protocol. *If* we can keep knowledge of the credential structure in
the client, then I don't think we need to bother with it in the
protocol or credential server. Personally, I'm not sure.
My first thought is that, in some cases, the server may have to do something special based on being informed of device specifics by the client.
> > 5. Security Considerations
Interesting. I thought the above is what most PKIX documents have done for section 5.
>
> This entire document is about security.
Hmm. Doesn't that generate general scoffing at the SAAG every now
and then? Some of the more interesting text I've seen in these
recently has been about d-o-s attacks, which tends not to fit
elsewhere.
In this context, d-o-s applies to the credential server requirements list, right?
Stephen.
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane, fax: +353 1 647 7499
Dublin 2. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com