ANIMA WG                                                     M. Pritikin
Internet-Draft                                                     Cisco
Intended status: Standards Track                           M. Richardson
Expires: 5 February 2021                                       Sandelman
                                                            T.T.E. Eckert
                                                           Futurewei USA
                                                           M.H. Behringer
                                                              K.W. Watsen
                                                         Watsen Networks
                                                            4 August 2020

Bootstrapping Remote Secure Key Infrastructures (BRSKI)
draft-ietf-anima-bootstrapping-keyinfra-42
Abstract

This document specifies automated bootstrapping of an Autonomic
Control Plane. To do this a Secure Key Infrastructure is
bootstrapped. This is done using manufacturer-installed X.509
certificates, in combination with a manufacturer's authorizing
service, both online and offline. We call this process the
Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol.
Bootstrapping a new device can occur using a routable address and a
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 February 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
2.7. Cloud Registrar
2.8. Determining the MASA to contact
3. Voucher-Request artifact
3.1. Nonceless Voucher Requests
3.2. Tree Diagram
3.3. Examples
3.4. YANG Module
4. Proxying details (Pledge - Proxy - Registrar)
4.1. Pledge discovery of Proxy
4.1.1. Proxy GRASP announcements
4.2. CoAP connection to Registrar
4.3. Proxy discovery and communication of Registrar
5. Protocol Details (Pledge - Registrar - MASA)
5.1. BRSKI-EST TLS establishment details
5.2. Pledge Requests Voucher from the Registrar
5.3. Registrar Authorization of Pledge
5.4. BRSKI-MASA TLS establishment details
5.4.1. MASA authentication of customer Registrar
5.5. Registrar Requests Voucher from MASA
5.5.1. MASA renewal of expired vouchers
5.5.2. MASA pinning of registrar
5.5.3. MASA checking of voucher request signature
5.5.4. MASA verification of domain registrar
5.5.5. MASA verification of pledge prior-signed-voucher-request
5.5.6. MASA nonce handling
5.6. MASA and Registrar Voucher Response
5.6.1. Pledge voucher verification
5.6.2. Pledge authentication of provisional TLS connection
5.7. Pledge BRSKI Status Telemetry
5.8. Registrar audit-log request
5.8.1. MASA audit log response
5.8.2. Calculation of domainID
5.8.3. Registrar audit log verification
5.9. EST Integration for PKI bootstrapping
5.9.1. EST Distribution of CA Certificates
5.9.2. EST CSR Attributes
5.9.3. EST Client Certificate Request
5.9.4. Enrollment Status Telemetry
5.9.5. Multiple certificates
5.9.6. EST over CoAP
6. Clarification of transfer-encoding
7. Reduced security operational modes
7.1. Trust Model
7.2. Pledge security reductions
7.3. Registrar security reductions
7.4. MASA security reductions
7.4.1. Issuing Nonceless vouchers
7.4.2. Trusting Owners on First Use
7.4.3. Updating or extending voucher trust anchors
8. IANA Considerations
8.1. The IETF XML Registry
8.2. YANG Module Names Registry
8.3. Well-known EST registration
8.4. PKIX Registry
8.5. Pledge BRSKI Status Telemetry
8.6. DNS Service Names
9. Applicability to the Autonomic Control Plane (ACP)
9.1. Operational Requirements
9.1.1. MASA Operational Requirements
9.1.2. Domain Owner Operational Requirements
9.1.3. Device Operational Requirements
10. Privacy Considerations
10.1. MASA audit log
10.2. What BRSKI-EST reveals
10.3. What BRSKI-MASA reveals to the manufacturer
10.4. Manufacturers and Used or Stolen Equipment
10.5. Manufacturers and Grey market equipment
10.6. Some mitigations for meddling by manufacturers
10.7. Death of a manufacturer
11. Security Considerations
11.1. Denial of Service (DoS) against MASA
11.2. DomainID must be resistant to second-preimage attacks
11.3. Availability of good random numbers
11.4. Freshness in Voucher-Requests
11.5. Trusting manufacturers
11.6. Manufacturer Maintenance of trust anchors
11.6.1. Compromise of Manufacturer IDevID signing keys
11.6.2. Compromise of MASA signing keys
11.6.3. Compromise of MASA web service
11.7. YANG Module Security Considerations
12. Acknowledgements
13. References
13.1. Normative References
13.2. Informative References
Appendix A. IPv4 and non-ANI operations
A.1. IPv4 Link Local addresses
A.2. Use of DHCPv4
Appendix B. mDNS / DNSSD proxy discovery options
Appendix C. Example Vouchers
C.1. Keys involved
C.1.1. Manufacturer Certificate Authority for IDevID signatures
C.1.2. MASA key pair for voucher signatures
C.1.3. Registrar Certificate Authority
C.1.4. Registrar key pair
C.1.5. Pledge key pair
C.2. Example process
C.2.1. Pledge to Registrar
C.2.2. Registrar to MASA
C.2.3. MASA to Registrar
Appendix D. Additional References
Authors' Addresses
1. Introduction

The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol
provides a solution for secure zero-touch (automated) bootstrap of
new (unconfigured) devices that are called pledges in this document.
Pledges have an IDevID installed in them at the factory.

"BRSKI" is pronounced like "brewski", a colloquial term for beer in
Canada and parts of the US-midwest. [brewski]
4.1.1. Proxy GRASP announcements

A proxy uses the DULL GRASP M_FLOOD mechanism to announce itself.
This announcement can be within the same message as the ACP
announcement detailed in [I-D.ietf-anima-autonomic-control-plane].

The formal Concise Data Definition Language (CDDL) [RFC8610]
definition is:

<CODE BEGINS> file "proxygrasp.cddl"
flood-message = [M_FLOOD, session-id, initiator, ttl,
                 +[objective, (locator-option / [])]]

objective = ["AN_Proxy", objective-flags, loop-count,
             objective-value]

ttl = 180000 ; 180,000 ms (3 minutes)
initiator = ACP address to contact Registrar
objective-flags = sync-only ; as in GRASP spec
sync-only = 4 ; M_FLOOD only requires synchronization
loop-count = 1 ; one hop only
objective-value = any ; none

locator-option = [ O_IPv6_LOCATOR, ipv6-address,
                   transport-proto, port-number ]
ipv6-address = the v6 LL of the Proxy
$transport-proto /= IPPROTO_TCP ; note this can be any value from the
                                ; IANA protocol registry, as per
                                ; [GRASP] section 2.9.5.1, note 3.
port-number = selected by Proxy
<CODE ENDS>

Figure 10: CDDL definition of Proxy Discovery message

Here is an example M_FLOOD announcing a proxy at fe80::1, on TCP port
4443.

[M_FLOOD, 12340815, h'fe800000000000000000000000000001', 180000,
 [["AN_Proxy", 4, 1, ""],
  [O_IPv6_LOCATOR,
   h'fe800000000000000000000000000001', IPPROTO_TCP, 4443]]]

Figure 11: Example of Proxy Discovery message

On a small network the Registrar MAY include the GRASP M_FLOOD
announcements to locally connected networks.

The $transport-proto above indicates the method that the
pledge-proxy-registrar will use. The TCP method described here is
mandatory, and other proxy methods, such as CoAP methods not defined
in this document are optional. Other methods MUST NOT be enabled
determine what kind of connections can be terminated.

The registrar announces itself using the ACP instance of GRASP using
M_FLOOD messages. A registrar may announce any convenient port
number, including using a stock port 443. ANI proxies MUST support
GRASP discovery of registrars.

The M_FLOOD is formatted as follows:

[M_FLOOD, 12340815, h'fda379a6f6ee00000200000064000001', 180000,
 [["AN_join_registrar", 4, 255, "EST-TLS"],
  [O_IPv6_LOCATOR,
   h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443]]]

Figure 12: An example of a Registrar announcement message

The formal CDDL definition is:

<CODE BEGINS> file "jrcgrasp.cddl"
flood-message = [M_FLOOD, session-id, initiator, ttl,
                 +[objective, (locator-option / [])]]

objective = ["AN_join_registrar", objective-flags, loop-count,
             objective-value]

initiator = ACP address to contact Registrar
objective-flags = sync-only ; as in GRASP spec
sync-only = 4 ; M_FLOOD only requires synchronization
loop-count = 255 ; mandatory maximum
objective-value = text ; name of the (list of) supported
                       ; protocols: "EST-TLS" for RFC7030.
<CODE ENDS>

Figure 13: CDDL definition for Registrar announcement message

The M_FLOOD message MUST be sent periodically. The default period
SHOULD be 60 seconds; the value SHOULD be operator configurable but
SHOULD NOT be smaller than 60 seconds. The frequency of sending MUST
be such that the aggregate amount of periodic M_FLOODs from all
flooding sources causes only negligible traffic across the ACP.

Here are some examples of locators for illustrative purposes. Only
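An added example (not code from the draft) serving both the AN_Proxy announcement of Section 4.1.1 and the AN_join_registrar announcement above: it encodes the two example messages (Figures 11 and 12) as CBOR and applies the pledge-side and proxy-side checks that Figures 10 to 13 imply, including that a proxy locator is a link-local address. It assumes the GRASP constant values M_FLOOD = 9 and O_IPv6_LOCATOR = 103 from RFC 8990 and IPPROTO_TCP = 6 from the IANA protocol registry, and carries its own minimal CBOR codec so it runs offline.

```python
# Added example (not from the draft): encode, decode and validate the GRASP
# M_FLOOD announcements of Figures 10-13 with a minimal CBOR codec (uint,
# bstr, tstr, array) so it runs offline.  Constants: RFC 8990 and IANA.
import ipaddress

M_FLOOD, O_IPV6_LOCATOR, IPPROTO_TCP = 9, 103, 6
SYNC_ONLY = 4          # objective-flags: M_FLOOD only requires synchronization
PROXY_TTL_MS = 180000  # ttl fixed by Figure 10

def _head(major, n):
    """CBOR initial byte(s) for a major type with unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("integer too large for CBOR")

def cbor_encode(v):
    """Encode uint, bytes, str or list; anything else is rejected."""
    if isinstance(v, int) and not isinstance(v, bool) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    raise TypeError(f"unsupported value {v!r}")

def _decode_at(buf, i):
    major, info = buf[i] >> 5, buf[i] & 0x1F
    if info > 27:
        raise ValueError("indefinite-length items are not accepted")
    width = 0 if info < 24 else 1 << (info - 24)
    n = info if info < 24 else int.from_bytes(buf[i + 1:i + 1 + width], "big")
    i += 1 + width
    if major == 0:
        return n, i
    if major in (2, 3):
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode()), i + n
    if major == 4:
        items = []
        for _ in range(n):
            item, i = _decode_at(buf, i)
            items.append(item)
        return items, i
    raise ValueError(f"unexpected CBOR major type {major}")

def cbor_decode(buf):
    value, end = _decode_at(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after the message")
    return value

def _flood_locator(msg, name, loop_count):
    """Shared checks; returns (ipv6-address, port, objective-value, ttl) of the named objective."""
    if not (isinstance(msg, list) and len(msg) >= 5 and msg[0] == M_FLOOD):
        raise ValueError("not an M_FLOOD message")
    _, session_id, initiator, ttl, *pairs = msg
    if not (isinstance(session_id, int) and isinstance(ttl, int) and ttl > 0):
        raise ValueError("bad session-id or ttl")
    if not (isinstance(initiator, bytes) and len(initiator) == 16):
        raise ValueError("initiator must be a 16-byte IPv6 address")
    for pair in pairs:
        if not (isinstance(pair, list) and len(pair) == 2
                and isinstance(pair[0], list) and len(pair[0]) == 4):
            raise ValueError("each entry must be [objective, locator-option / []]")
        (oname, flags, loops, value), loc = pair
        if oname != name:
            continue  # another objective in the same flood (e.g. the ACP's)
        if flags != SYNC_ONLY or loops != loop_count:
            raise ValueError(f"{name}: flags/loop-count {flags}/{loops} not allowed")
        if not (isinstance(loc, list) and len(loc) == 4 and loc[0] == O_IPV6_LOCATOR
                and isinstance(loc[1], bytes) and loc[2] == IPPROTO_TCP
                and isinstance(loc[3], int) and 0 < loc[3] < 65536):
            raise ValueError(f"{name}: a well-formed IPv6 TCP locator is required")
        return ipaddress.IPv6Address(loc[1]), loc[3], value, ttl
    raise ValueError(f"no {name} objective in this flood")

def validate_proxy_announcement(buf):
    """Pledge side, Figures 10/11: AN_Proxy, one hop, ttl 180000, link-local."""
    addr, port, _, ttl = _flood_locator(cbor_decode(buf), "AN_Proxy", 1)
    if ttl != PROXY_TTL_MS or not addr.is_link_local:
        raise ValueError("AN_Proxy: ttl must be 180000 and the address link-local")
    return {"address": str(addr), "port": port}

def validate_registrar_announcement(buf):
    """Proxy side, Figures 12/13: AN_join_registrar, loop-count 255, text value."""
    addr, port, value, _ = _flood_locator(cbor_decode(buf), "AN_join_registrar", 255)
    if not isinstance(value, str):
        raise ValueError("AN_join_registrar: objective-value must be text")
    return {"address": str(addr), "port": port, "protocols": value}

# Constructed wire messages using the draft's example values (Figures 11 and 12).
PROXY_LL = bytes.fromhex("fe800000000000000000000000000001")
REGISTRAR_ACP = bytes.fromhex("fda379a6f6ee00000200000064000001")
PROXY_FLOOD = cbor_encode([M_FLOOD, 12340815, PROXY_LL, PROXY_TTL_MS, [
    ["AN_Proxy", SYNC_ONLY, 1, ""], [O_IPV6_LOCATOR, PROXY_LL, IPPROTO_TCP, 4443]]])
REGISTRAR_FLOOD = cbor_encode([M_FLOOD, 12340815, REGISTRAR_ACP, 180000, [
    ["AN_join_registrar", SYNC_ONLY, 255, "EST-TLS"],
    [O_IPV6_LOCATOR, REGISTRAR_ACP, IPPROTO_TCP, 8443]]])
```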
section. The intention is not to authenticate the message as having
come from a fully validated origin, but to establish the consistency
of the domain PKI.

The MASA MAY use the certificate in the chain received from the
Registrar that is farthest from the end-entity, as determined by
MASA policy. A MASA MAY have a local policy that it only pins the
End-Entity certificate. This is consistent with [RFC8366]. Details
of the policy will typically depend upon the degree of Supply Chain
Integration, and the mechanism used by the Registrar to authenticate.
Such a policy would also determine how the MASA will respond to a
request for a nonceless voucher.

5.5.3. MASA checking of voucher request signature

As described in Section 5.5.2, the MASA has extracted the Registrar's
domain CA. This is used to validate the CMS signature ([RFC5652]) on
the voucher-request.

Normal PKIX revocation checking is assumed during voucher-request
signature validation. This CA certificate MAY have Certificate
active MITM attack on the EST connection.

The registrar MUST use a certificate that chains to the
pinned-domain-cert as its TLS server certificate.

The pledge's PKIX path validation of a registrar certificate's
validity period information is as described in Section 2.6.1. Once
the PKIX path validation is successful the TLS connection is no
longer provisional.

The pinned-domain-cert MAY be installed as a trust anchor for future
operations such as enrollment (e.g. [RFC7030] as recommended) or
trust anchor management or raw protocols that do not need full PKI
based key management. It can be used to authenticate any dynamically
discovered EST server that contains the id-kp-cmcRA extended key usage
extension as detailed in EST RFC7030 section 3.6.1; but to reduce
system complexity the pledge SHOULD avoid additional discovery
operations. Instead the pledge SHOULD communicate directly with the
registrar as the EST server. The 'pinned-domain-cert' is not a
complete distribution of the [RFC7030] section 4.1.3 CA Certificate
Response, which is an additional justification for the recommendation
A log data file is returned consisting of all log entries associated
with the device selected by the IDevID presented in the request. The
audit log may be abridged by removal of old or repeated values as
explained below. The returned data is in JSON format ([RFC8259]),
and the Content-Type SHOULD be "application/json".

The following CDDL ([RFC8610]) explains the structure of the JSON
format audit-log response:

<CODE BEGINS> file "auditlog.cddl"
audit-log-response = {
  "version": uint,
  "events": [ + event ],
  "truncation": {
    ? "nonced duplicates": uint,
    ? "nonceless duplicates": uint,
    ? "arbitrary": uint,
  }
}

event = {
  "date": text,
  "domainID": text,
  "nonce": text / null,
  "assertion": "verified" / "logged" / "proximity",
  ? "truncated": uint,
}
<CODE ENDS>

Figure 16: CDDL for audit-log response

An example:

{
  "version":"1",
  "events":[
    {
      "date":"2019-05-15T17:25:55.644-04:00",
distributed consensus technologies that integrate vouchers with distributed consensus technologies that integrate vouchers with
technologies such as block-chain or hash trees or optimized logging technologies such as block-chain or hash trees or optimized logging
approaches. Doing so is out of the scope of this document but is an approaches. Doing so is out of the scope of this document but is an
anticipated improvement for future work. As such, the registrar anticipated improvement for future work. As such, the registrar
SHOULD anticipate new kinds of responses, and SHOULD provide operator SHOULD anticipate new kinds of responses, and SHOULD provide operator
controls to indicate how to process unknown responses. controls to indicate how to process unknown responses.
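An added example (not the draft's code) that parses an audit-log response against the CDDL of Figure 16 and summarises it from the registrar's side, separating its own entries from those logged under other domainIDs. The registrar's own domainID is assumed to be already computed and passed in as text, and the log at the bottom is constructed sample data with placeholder domainIDs and nonces.

```python
# Added example (not from the draft): validate a MASA audit-log response
# against the CDDL of Figure 16 and summarise it for the registrar.  The
# registrar's own domainID is assumed computed elsewhere and given as text;
# the sample log at the bottom is constructed data with placeholder values.
import json

ASSERTIONS = {"verified", "logged", "proximity"}
TRUNCATION_KEYS = {"nonced duplicates", "nonceless duplicates", "arbitrary"}

def _uint(v, what):
    if not (isinstance(v, int) and not isinstance(v, bool) and v >= 0):
        raise ValueError(f"{what} must be a uint")
    return v

def parse_audit_log(text):
    """Validate the JSON body against Figure 16 and return the checked dict.
    The draft's own example quotes the version ("1"), so a digit string is
    accepted there in addition to the uint the CDDL specifies."""
    body = json.loads(text)
    if not isinstance(body, dict):
        raise ValueError("audit-log-response must be a JSON object")
    version = body.get("version")
    if isinstance(version, str) and version.isdigit():
        version = int(version)
    _uint(version, "version")
    events = body.get("events")
    if not isinstance(events, list) or not events:
        raise ValueError("events must be a non-empty array")
    for ev in events:
        if not isinstance(ev, dict):
            raise ValueError("event must be a JSON object")
        for key in ("date", "domainID"):
            if not isinstance(ev.get(key), str):
                raise ValueError(f"event.{key} must be text")
        if "nonce" not in ev or not (ev["nonce"] is None or isinstance(ev["nonce"], str)):
            raise ValueError("event.nonce must be present as text or null")
        if ev.get("assertion") not in ASSERTIONS:
            raise ValueError(f"unknown assertion {ev.get('assertion')!r}")
        if "truncated" in ev:
            _uint(ev["truncated"], "event.truncated")
    # "truncation" is treated as optional here (assumption): an absent object
    # carries the same information as one with none of its optional keys.
    trunc = body.get("truncation", {})
    if not isinstance(trunc, dict) or set(trunc) - TRUNCATION_KEYS:
        raise ValueError("truncation carries unexpected keys")
    for key, val in trunc.items():
        _uint(val, f"truncation.{key}")
    return {"version": version, "events": events, "truncation": trunc}

def summarize_for_registrar(log, own_domain_id):
    """Split the events by whether their domainID is ours.  Nonceless entries
    under a foreign domainID are the ones to surface to the operator, since
    nonceless vouchers are the reduced-security case (Section 7.4.1)."""
    summary = {"own": 0, "other_domains": 0, "other_nonceless": 0,
               "foreign_domain_ids": set(), "truncated_events": 0}
    for ev in log["events"]:
        if "truncated" in ev:
            summary["truncated_events"] += 1
        if ev["domainID"] == own_domain_id:
            summary["own"] += 1
            continue
        summary["other_domains"] += 1
        summary["foreign_domain_ids"].add(ev["domainID"])
        if ev["nonce"] is None:
            summary["other_nonceless"] += 1
    summary["foreign_domain_ids"] = sorted(summary["foreign_domain_ids"])
    return summary

# Constructed sample response; domainIDs and nonces are placeholder strings.
SAMPLE_LOG = json.dumps({
    "version": "1",
    "events": [
        {"date": "2019-05-15T17:25:55.644-04:00", "domainID": "EXAMPLE-DOMAINID-A",
         "nonce": "EXAMPLE-NONCE-1", "assertion": "proximity"},
        {"date": "2019-06-01T09:12:03.000Z", "domainID": "EXAMPLE-DOMAINID-B",
         "nonce": None, "assertion": "verified"},
        {"date": "2019-06-02T11:40:17.000Z", "domainID": "EXAMPLE-DOMAINID-B",
         "nonce": "EXAMPLE-NONCE-2", "assertion": "logged", "truncated": 2},
    ],
    "truncation": {"nonced duplicates": 2},
})
```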
5.8.2. Calculation of domainID 5.8.2. Calculation of domainID
The domainID is a binary value (a BIT STRING) that uniquely The domainID is a binary value (a BIT STRING) that uniquely
identifies a Registrar by the "pinned-domain-cert" identifies a Registrar by the "pinned-domain-cert".
If the "pinned-domain-cert" certificate includes the If the "pinned-domain-cert" certificate includes the
SubjectKeyIdentifier (Section 4.2.1.2 [RFC5280]), then it is to be SubjectKeyIdentifier (Section 4.2.1.2 [RFC5280]), then it is to be
used as the domainID. If not, the SPKI Fingerprint as described in used as the domainID. If not, the SPKI Fingerprint as described in
[RFC7469] section 2.4 is to be used. This value needs to be [RFC7469] section 2.4 is to be used. This value needs to be
calculated by both MASA (to populate the audit-log), and by the calculated by both MASA (to populate the audit-log), and by the
Registrar (to recognize itself in the audit log). Registrar (to recognize itself in the audit log).
[RFC5280] section 4.2.1.2 does not mandate that the [RFC5280] section 4.2.1.2 does not mandate that the
SubjectKeyIdentifier extension be present in non-CA certificates. It SubjectKeyIdentifier extension be present in non-CA certificates. It
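Review bot: the domainID text in Section 5.8.2 should pin down the exact byte encoding, because "a binary value (a BIT STRING)" matches neither of the two sources it names: the SubjectKeyIdentifier of RFC 5280 Section 4.2.1.2 is an OCTET STRING (KeyIdentifier ::= OCTET STRING), and the RFC 7469 Section 2.4 SPKI Fingerprint is a SHA-256 digest. Since the same paragraph requires both the MASA (populating the audit-log) and the Registrar (recognizing itself in it) to compute this value, two implementations that pick different byte representations would silently never match. Suggest stating "the raw octets of the SubjectKeyIdentifier value, otherwise the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo", and how those octets are encoded into the "domainID": text member of the event map in Figure 16.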
skipping to change at page 63, line 24 skipping to change at page 64, line 26
what the client provides.) what the client provides.)
The reason-context attribute is an arbitrary JSON object (literal The reason-context attribute is an arbitrary JSON object (literal
value or hash of values) which provides additional information value or hash of values) which provides additional information
specific to the failure to unroll from this pledge. The contents of specific to the failure to unroll from this pledge. The contents of
this field are not subject to standardization. This is represented this field are not subject to standardization. This is represented
by the group-socket "$$arbitrary-map" in the CDDL. by the group-socket "$$arbitrary-map" in the CDDL.
In the case of a SUCCESS the Reason string is omitted. In the case of a SUCCESS the Reason string is omitted.
<CODE BEGINS> file "enrollstatus.cddl"
enrollstatus-post = { enrollstatus-post = {
"version": uint, "version": uint,
"status": bool, "status": bool,
"reason": text, "reason": text,
? "reason-context" : { $$arbitrary-map } ? "reason-context" : { $$arbitrary-map }
} }
} }
<CODE ENDS>
Figure 18: CDDL for enrollment status POST Figure 18: CDDL for enrollment status POST
An example status report can be seen below. It is sent with with the An example status report can be seen below. It is sent with with the
media type: application/json media type: application/json
{ {
"version":"1", "version":"1",
"status":true, "status":true,
"reason":"Informative human readable message", "reason":"Informative human readable message",
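Review bot: the CDDL in Figure 18 (between "enrollstatus-post = {" and "<CODE ENDS>") has an unbalanced extra "}" after the brace that closes the map, so the file "enrollstatus.cddl" will not parse; drop the second "}". Two further mismatches within this hunk: the schema declares "version": uint while the example status report sends "version":"1" as a JSON string, and "reason": text is mandatory although the sentence just above the figure says the Reason string is omitted on SUCCESS, so it should read "? "reason": text". The sentence introducing the example also duplicates a word ("sent with with the").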
skipping to change at page 70, line 39 skipping to change at page 72, line 5
URI: urn:ietf:params:xml:ns:yang:ietf-voucher-request URI: urn:ietf:params:xml:ns:yang:ietf-voucher-request
Registrant Contact: The ANIMA WG of the IETF. Registrant Contact: The ANIMA WG of the IETF.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
8.2. YANG Module Names Registry 8.2. YANG Module Names Registry
This document registers a YANG module in the "YANG Module Names" This document registers a YANG module in the "YANG Module Names"
registry [RFC6020]. IANA is asked to register the following: registry [RFC6020]. IANA is asked to register the following:
name: ietf-voucher-request name: ietf-voucher-request
namespace: urn:ietf:params:xml:ns:yang:ietf-voucher-request namespace: urn:ietf:params:xml:ns:yang:ietf-voucher-request
prefix: vch prefix: vch
reference: THIS DOCUMENT reference: THIS DOCUMENT
8.3. Well-known EST registration 8.3. Well-known EST registration
This document extends the definitions of "est" (so far defined via This document extends the definitions of "est" (so far defined via
RFC7030) in the "https://www.iana.org/assignments/well-known-uris/ RFC7030) in the "https://www.iana.org/assignments/well-known-uris/
well-known-uris.xhtml" registry. IANA is asked to change the well-known-uris.xhtml" registry. IANA is asked to change the
registration of "est" to include RFC7030 and this document. registration of "est" to include RFC7030 and this document.
8.4. PKIX Registry 8.4. PKIX Registry
skipping to change at page 75, line 19 skipping to change at page 76, line 31
Device MUST come with (unique, per-device) IDevID certificates that Device MUST come with (unique, per-device) IDevID certificates that
include their serial numbers, and the MASA URL extension. include their serial numbers, and the MASA URL extension.
Devices are expected to find Join Proxies using GRASP, and then Devices are expected to find Join Proxies using GRASP, and then
connect to the JRC using the protocol described in this document. connect to the JRC using the protocol described in this document.
Once a domain owner has been validated with the voucher, devices are Once a domain owner has been validated with the voucher, devices are
expected to enroll into the domain using EST. Devices are then expected to enroll into the domain using EST. Devices are then
expected to form ACPs using IPsec over IPv6 Link-Local addresses as expected to form ACPs using IPsec over IPv6 Link-Local addresses as
described in [I-D.ietf-anima-autonomic-control-plane] described in [I-D.ietf-anima-autonomic-control-plane].
Once a device has been enrolled it SHOULD listen for the address of Once a device has been enrolled it SHOULD listen for the address of
the JRC using GRASP, and it SHOULD enable itself as a Join Proxy, and the JRC using GRASP, and it SHOULD enable itself as a Join Proxy, and
announce itself on all links/interfaces using GRASP DULL. announce itself on all links/interfaces using GRASP DULL.
Devices are expected to renew their certificates before they expire. Devices are expected to renew their certificates before they expire.
10. Privacy Considerations 10. Privacy Considerations
10.1. MASA audit log 10.1. MASA audit log
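Review bot: in the requirements paragraph at the top of this hunk, "Device MUST come with (unique, per-device) IDevID certificates that include their serial numbers" mixes singular and plural; suggest "Devices MUST come with". The closing sentence, "Devices are expected to renew their certificates before they expire", names no mechanism; since enrollment is done "using EST" two paragraphs earlier, suggest pointing at the EST re-enrollment operation (/simplereenroll in RFC 7030) so that implementers do not assume a full BRSKI re-bootstrap is needed for routine renewal.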
skipping to change at page 96, line 38 skipping to change at page 98, line 30
[I-D.ietf-anima-reference-model] [I-D.ietf-anima-reference-model]
Behringer, M., Carpenter, B., Eckert, T., Ciavaglia, L., Behringer, M., Carpenter, B., Eckert, T., Ciavaglia, L.,
and J. Nobre, "A Reference Model for Autonomic and J. Nobre, "A Reference Model for Autonomic
Networking", Work in Progress, Internet-Draft, draft-ietf- Networking", Work in Progress, Internet-Draft, draft-ietf-
anima-reference-model-10, 22 November 2018, anima-reference-model-10, 22 November 2018,
<http://www.ietf.org/internet-drafts/draft-ietf-anima- <http://www.ietf.org/internet-drafts/draft-ietf-anima-
reference-model-10.txt>. reference-model-10.txt>.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", Work in Watsen, K., "A YANG Data Model for a Keystore", Work in
Progress, Internet-Draft, draft-ietf-netconf-keystore-16, Progress, Internet-Draft, draft-ietf-netconf-keystore-17,
8 March 2020, <http://www.ietf.org/internet-drafts/draft- 20 May 2020, <http://www.ietf.org/internet-drafts/draft-
ietf-netconf-keystore-16.txt>. ietf-netconf-keystore-17.txt>.
[I-D.richardson-anima-state-for-joinrouter] [I-D.richardson-anima-state-for-joinrouter]
Richardson, M., "Considerations for stateful vs stateless Richardson, M., "Considerations for stateful vs stateless
join router in ANIMA bootstrap", Work in Progress, join router in ANIMA bootstrap", Work in Progress,
Internet-Draft, draft-richardson-anima-state-for- Internet-Draft, draft-richardson-anima-state-for-
joinrouter-02, 25 January 2018, <http://www.ietf.org/ joinrouter-02, 25 January 2018, <http://www.ietf.org/
internet-drafts/draft-richardson-anima-state-for- internet-drafts/draft-richardson-anima-state-for-
joinrouter-02.txt>. joinrouter-02.txt>.
[imprinting] [imprinting]
skipping to change at page 109, line 43 skipping to change at page 111, line 43
eGFtcGxlLmNvbSBDQQIEDYXcLTALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN eGFtcGxlLmNvbSBDQQIEDYXcLTALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMjUyMzA0NDhaMC8GCSqGSIb3DQEJBDEiBCCx6IrwstHF AQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMjUyMzA0NDhaMC8GCSqGSIb3DQEJBDEiBCCx6IrwstHF
609Y0EqDK62QKby4duyyIWudvs15M16BBTAKBggqhkjOPQQDAgRHMEUCIBxwA1UlkIkuQDf/j7kZ 609Y0EqDK62QKby4duyyIWudvs15M16BBTAKBggqhkjOPQQDAgRHMEUCIBxwA1UlkIkuQDf/j7kZ
/MVefgr141+hKBFgrnNngjwpAiEAy8aXt0GSB9m1bmiEUpefCEhxSv2xLYurGlugv0dfr/E= /MVefgr141+hKBFgrnNngjwpAiEAy8aXt0GSB9m1bmiEUpefCEhxSv2xLYurGlugv0dfr/E=
<CODE ENDS> <CODE ENDS>
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
file: examples/vr_00-D0-E5-F2-00-02.b64 file: examples/vr_00-D0-E5-F2-00-02.b64
0:d=0 hl=4 l=1759 cons: SEQUENCE 0:d=0 hl=4 l=1759 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=1744 cons: cont [ 0 ] 15:d=1 hl=4 l=1744 cons: cont [ 0 ]
19:d=2 hl=4 l=1740 cons: SEQUENCE 19:d=2 hl=4 l=1740 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01 23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 13 cons: SET 26:d=3 hl=2 l= 13 cons: SET
28:d=4 hl=2 l= 11 cons: SEQUENCE 28:d=4 hl=2 l= 11 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256 30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=3 hl=4 l= 905 cons: SEQUENCE 41:d=3 hl=4 l= 905 cons: SEQUENCE
45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
56:d=4 hl=4 l= 890 cons: cont [ 0 ] 56:d=4 hl=4 l= 890 cons: cont [ 0 ]
60:d=5 hl=4 l= 886 prim: OCTET STRING :{"ietf-voucher-request:v 60:d=5 hl=4 l= 886 prim: OCTET STRING :{"ietf-voucher-request:v
950:d=3 hl=4 l= 490 cons: cont [ 0 ] 950:d=3 hl=4 l= 490 cons: cont [ 0 ]
954:d=4 hl=4 l= 486 cons: SEQUENCE 954:d=4 hl=4 l= 486 cons: SEQUENCE
958:d=5 hl=4 l= 364 cons: SEQUENCE 958:d=5 hl=4 l= 364 cons: SEQUENCE
962:d=6 hl=2 l= 3 cons: cont [ 0 ] 962:d=6 hl=2 l= 3 cons: cont [ 0 ]
964:d=7 hl=2 l= 1 prim: INTEGER :02 964:d=7 hl=2 l= 1 prim: INTEGER :02
967:d=6 hl=2 l= 4 prim: INTEGER :0D85DC2D 967:d=6 hl=2 l= 4 prim: INTEGER :0D85DC2D
973:d=6 hl=2 l= 10 cons: SEQUENCE 973:d=6 hl=2 l= 10 cons: SEQUENCE
975:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 975:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
985:d=6 hl=2 l= 93 cons: SEQUENCE 985:d=6 hl=2 l= 93 cons: SEQUENCE
987:d=7 hl=2 l= 15 cons: SET 987:d=7 hl=2 l= 15 cons: SET
989:d=8 hl=2 l= 13 cons: SEQUENCE 989:d=8 hl=2 l= 13 cons: SEQUENCE
991:d=9 hl=2 l= 3 prim: OBJECT :countryName 991:d=9 hl=2 l= 3 prim: OBJECT :countryName
996:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada 996:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada
1004:d=7 hl=2 l= 16 cons: SET 1004:d=7 hl=2 l= 16 cons: SET
1006:d=8 hl=2 l= 14 cons: SEQUENCE 1006:d=8 hl=2 l= 14 cons: SEQUENCE
1008:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 1008:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
1013:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario 1013:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario
1022:d=7 hl=2 l= 18 cons: SET 1022:d=7 hl=2 l= 18 cons: SET
1024:d=8 hl=2 l= 16 cons: SEQUENCE 1024:d=8 hl=2 l= 16 cons: SEQUENCE
1026:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 1026:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1031:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman 1031:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman
1042:d=7 hl=2 l= 36 cons: SET 1042:d=7 hl=2 l= 36 cons: SET
1044:d=8 hl=2 l= 34 cons: SEQUENCE 1044:d=8 hl=2 l= 34 cons: SEQUENCE
1046:d=9 hl=2 l= 3 prim: OBJECT :commonName 1046:d=9 hl=2 l= 3 prim: OBJECT :commonName
1051:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com 1051:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com
1080:d=6 hl=2 l= 32 cons: SEQUENCE 1080:d=6 hl=2 l= 32 cons: SEQUENCE
1082:d=7 hl=2 l= 13 prim: UTCTIME :200203064720Z 1082:d=7 hl=2 l= 13 prim: UTCTIME :200203064720Z
1097:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :29991231000000Z 1097:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :29991231000000Z
1114:d=6 hl=2 l= 28 cons: SEQUENCE 1114:d=6 hl=2 l= 28 cons: SEQUENCE
1116:d=7 hl=2 l= 26 cons: SET 1116:d=7 hl=2 l= 26 cons: SET
1118:d=8 hl=2 l= 24 cons: SEQUENCE 1118:d=8 hl=2 l= 24 cons: SEQUENCE
1120:d=9 hl=2 l= 3 prim: OBJECT :serialNumber 1120:d=9 hl=2 l= 3 prim: OBJECT :serialNumber
1125:d=9 hl=2 l= 17 prim: UTF8STRING :00-D0-E5-F2-00-02 1125:d=9 hl=2 l= 17 prim: UTF8STRING :00-D0-E5-F2-00-02
1144:d=6 hl=2 l= 89 cons: SEQUENCE 1144:d=6 hl=2 l= 89 cons: SEQUENCE
1146:d=7 hl=2 l= 19 cons: SEQUENCE 1146:d=7 hl=2 l= 19 cons: SEQUENCE
1148:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 1148:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
1157:d=8 hl=2 l= 8 prim: OBJECT :prime256v1 1157:d=8 hl=2 l= 8 prim: OBJECT :prime256v1
1167:d=7 hl=2 l= 66 prim: BIT STRING 1167:d=7 hl=2 l= 66 prim: BIT STRING
1235:d=6 hl=2 l= 89 cons: cont [ 3 ] 1235:d=6 hl=2 l= 89 cons: cont [ 3 ]
1237:d=7 hl=2 l= 87 cons: SEQUENCE 1237:d=7 hl=2 l= 87 cons: SEQUENCE
1239:d=8 hl=2 l= 29 cons: SEQUENCE 1239:d=8 hl=2 l= 29 cons: SEQUENCE
1241:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Ident 1241:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Ident
1246:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04144588CC9696 1246:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04144588CC9696
1270:d=8 hl=2 l= 9 cons: SEQUENCE 1270:d=8 hl=2 l= 9 cons: SEQUENCE
1272:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 1272:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1277:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000 1277:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
1281:d=8 hl=2 l= 43 cons: SEQUENCE 1281:d=8 hl=2 l= 43 cons: SEQUENCE
1283:d=9 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.1.32 1283:d=9 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.1.32
1293:d=9 hl=2 l= 31 prim: OCTET STRING [HEX DUMP]:0C1D6869676877 1293:d=9 hl=2 l= 31 prim: OCTET STRING [HEX DUMP]:0C1D6869676877
1326:d=5 hl=2 l= 10 cons: SEQUENCE 1326:d=5 hl=2 l= 10 cons: SEQUENCE
1328:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 1328:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
1338:d=5 hl=2 l= 104 prim: BIT STRING 1338:d=5 hl=2 l= 104 prim: BIT STRING
1444:d=3 hl=4 l= 315 cons: SET 1444:d=3 hl=4 l= 315 cons: SET
1448:d=4 hl=4 l= 311 cons: SEQUENCE 1448:d=4 hl=4 l= 311 cons: SEQUENCE
1452:d=5 hl=2 l= 1 prim: INTEGER :01 1452:d=5 hl=2 l= 1 prim: INTEGER :01
1455:d=5 hl=2 l= 101 cons: SEQUENCE 1455:d=5 hl=2 l= 101 cons: SEQUENCE
1457:d=6 hl=2 l= 93 cons: SEQUENCE 1457:d=6 hl=2 l= 93 cons: SEQUENCE
1459:d=7 hl=2 l= 15 cons: SET 1459:d=7 hl=2 l= 15 cons: SET
1461:d=8 hl=2 l= 13 cons: SEQUENCE 1461:d=8 hl=2 l= 13 cons: SEQUENCE
1463:d=9 hl=2 l= 3 prim: OBJECT :countryName 1463:d=9 hl=2 l= 3 prim: OBJECT :countryName
1468:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada 1468:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada
1476:d=7 hl=2 l= 16 cons: SET 1476:d=7 hl=2 l= 16 cons: SET
1478:d=8 hl=2 l= 14 cons: SEQUENCE 1478:d=8 hl=2 l= 14 cons: SEQUENCE
1480:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 1480:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
1485:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario 1485:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario
1494:d=7 hl=2 l= 18 cons: SET 1494:d=7 hl=2 l= 18 cons: SET
1496:d=8 hl=2 l= 16 cons: SEQUENCE 1496:d=8 hl=2 l= 16 cons: SEQUENCE
1498:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 1498:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1503:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman 1503:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman
1514:d=7 hl=2 l= 36 cons: SET 1514:d=7 hl=2 l= 36 cons: SET
1516:d=8 hl=2 l= 34 cons: SEQUENCE 1516:d=8 hl=2 l= 34 cons: SEQUENCE
1518:d=9 hl=2 l= 3 prim: OBJECT :commonName 1518:d=9 hl=2 l= 3 prim: OBJECT :commonName
1523:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com 1523:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com
1552:d=6 hl=2 l= 4 prim: INTEGER :0D85DC2D 1552:d=6 hl=2 l= 4 prim: INTEGER :0D85DC2D
1558:d=5 hl=2 l= 11 cons: SEQUENCE 1558:d=5 hl=2 l= 11 cons: SEQUENCE
1560:d=6 hl=2 l= 9 prim: OBJECT :sha256 1560:d=6 hl=2 l= 9 prim: OBJECT :sha256
1571:d=5 hl=2 l= 105 cons: cont [ 0 ] 1571:d=5 hl=2 l= 105 cons: cont [ 0 ]
1573:d=6 hl=2 l= 24 cons: SEQUENCE 1573:d=6 hl=2 l= 24 cons: SEQUENCE
1575:d=7 hl=2 l= 9 prim: OBJECT :contentType 1575:d=7 hl=2 l= 9 prim: OBJECT :contentType
1586:d=7 hl=2 l= 11 cons: SET 1586:d=7 hl=2 l= 11 cons: SET
1588:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data 1588:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
1599:d=6 hl=2 l= 28 cons: SEQUENCE 1599:d=6 hl=2 l= 28 cons: SEQUENCE
1601:d=7 hl=2 l= 9 prim: OBJECT :signingTime 1601:d=7 hl=2 l= 9 prim: OBJECT :signingTime
1612:d=7 hl=2 l= 15 cons: SET 1612:d=7 hl=2 l= 15 cons: SET
1614:d=8 hl=2 l= 13 prim: UTCTIME :200225230448Z 1614:d=8 hl=2 l= 13 prim: UTCTIME :200225230448Z
1629:d=6 hl=2 l= 47 cons: SEQUENCE 1629:d=6 hl=2 l= 47 cons: SEQUENCE
1631:d=7 hl=2 l= 9 prim: OBJECT :messageDigest 1631:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
1642:d=7 hl=2 l= 34 cons: SET 1642:d=7 hl=2 l= 34 cons: SET
1644:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:B1E88AF0B2D1C5 1644:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:B1E88AF0B2D1C5
1678:d=5 hl=2 l= 10 cons: SEQUENCE 1678:d=5 hl=2 l= 10 cons: SEQUENCE
1680:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 1680:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
1690:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:304502201C7003 1690:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:304502201C7003
The JSON contained in the voucher request: The JSON contained in the voucher request:
{"ietf-voucher-request:voucher":{"assertion":"proximity","cr {"ietf-voucher-request:voucher":{"assertion":"proximity","cr
eated-on":"2020-02-25T18:04:48.652-05:00","serial-number":"0 eated-on":"2020-02-25T18:04:48.652-05:00","serial-number":"0
0-D0-E5-F2-00-02","nonce":"aMjgueKUT-22wVimj6z27Q","proximit 0-D0-E5-F2-00-02","nonce":"aMjgueKUT-22wVimj6z27Q","proximit
y-registrar-cert":"MIIB/DCCAYKgAwIBAgIEP5ibUjAKBggqhkjOPQQDA y-registrar-cert":"MIIB/DCCAYKgAwIBAgIEP5ibUjAKBggqhkjOPQQDA
jBtMRIwEAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZ jBtMRIwEAYKCZImiZPyLGQBGRYCY2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZ
WxtYW4xPDA6BgNVBAMMM2ZvdW50YWluLXRlc3QuZXhhbXBsZS5jb20gVW5zd WxtYW4xPDA6BgNVBAMMM2ZvdW50YWluLXRlc3QuZXhhbXBsZS5jb20gVW5zd
HJ1bmcgRm91bnRhaW4gUm9vdCBDQTAeFw0yMDAyMjUyMTMxNTRaFw0yMjAyM HJ1bmcgRm91bnRhaW4gUm9vdCBDQTAeFw0yMDAyMjUyMTMxNTRaFw0yMjAyM
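Review bot: the example IDevID decoded above (issuer and subject names at offsets 985 and 1455) carries countryName as a 6-octet PRINTABLESTRING "Canada", but RFC 5280 Appendix A profiles X520countryName as PrintableString (SIZE (2)), so strict certificate parsers will reject this sample certificate; "CA" would make it conformant. The notAfter value at offset 1097, GENERALIZEDTIME 29991231000000Z, is also worth a sentence: RFC 5280 Section 4.1.2.5 assigns 99991231235959Z to a certificate with no well-defined expiration, which is what a long-lived IDevID is meant to express, so either use the canonical value or say why the sample differs.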
skipping to change at page 114, line 8 skipping to change at page 116, line 8
PDA6BgNVBAMMM2ZvdW50YWluLXRlc3QuZXhhbXBsZS5jb20gVW5zdHJ1bmcgRm91bnRhaW4gUm9v PDA6BgNVBAMMM2ZvdW50YWluLXRlc3QuZXhhbXBsZS5jb20gVW5zdHJ1bmcgRm91bnRhaW4gUm9v
dCBDQQIEP5ibUjALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG dCBDQQIEP5ibUjALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0yMDAyMjUyMzA0NDlaMC8GCSqGSIb3DQEJBDEiBCA9gYxR1sS0giII3PwvOK/N SIb3DQEJBTEPFw0yMDAyMjUyMzA0NDlaMC8GCSqGSIb3DQEJBDEiBCA9gYxR1sS0giII3PwvOK/N
5RUBwjSL/cDcrH/Bd+E1ajAKBggqhkjOPQQDAgRHMEUCIFieXZaO7P9eZMpCVn2laB4czw7I0s0P 5RUBwjSL/cDcrH/Bd+E1ajAKBggqhkjOPQQDAgRHMEUCIFieXZaO7P9eZMpCVn2laB4czw7I0s0P
s9+frcJtEBTTAiEAhCcB//qmgqcEA+90mquvVNENmFH9dxCH8Ihhz6SCVDI= s9+frcJtEBTTAiEAhCcB//qmgqcEA+90mquvVNENmFH9dxCH8Ihhz6SCVDI=
<CODE ENDS> <CODE ENDS>
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
file: examples/parboiled_vr_00_D0-E5-02-00-2D.b64 file: examples/parboiled_vr_00_D0-E5-02-00-2D.b64
0:d=0 hl=4 l=4087 cons: SEQUENCE 0:d=0 hl=4 l=4087 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=4072 cons: cont [ 0 ] 15:d=1 hl=4 l=4072 cons: cont [ 0 ]
19:d=2 hl=4 l=4068 cons: SEQUENCE 19:d=2 hl=4 l=4068 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01 23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 13 cons: SET 26:d=3 hl=2 l= 13 cons: SET
28:d=4 hl=2 l= 11 cons: SEQUENCE 28:d=4 hl=2 l= 11 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256 30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=3 hl=4 l=2572 cons: SEQUENCE 41:d=3 hl=4 l=2572 cons: SEQUENCE
45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
56:d=4 hl=4 l=2557 cons: cont [ 0 ] 56:d=4 hl=4 l=2557 cons: cont [ 0 ]
60:d=5 hl=4 l=2553 prim: OCTET STRING :{"ietf-voucher-request:v 60:d=5 hl=4 l=2553 prim: OCTET STRING :{"ietf-voucher-request:v
2617:d=3 hl=4 l=1135 cons: cont [ 0 ] 2617:d=3 hl=4 l=1135 cons: cont [ 0 ]
2621:d=4 hl=4 l= 508 cons: SEQUENCE 2621:d=4 hl=4 l= 508 cons: SEQUENCE
2625:d=5 hl=4 l= 386 cons: SEQUENCE 2625:d=5 hl=4 l= 386 cons: SEQUENCE
2629:d=6 hl=2 l= 3 cons: cont [ 0 ] 2629:d=6 hl=2 l= 3 cons: cont [ 0 ]
2631:d=7 hl=2 l= 1 prim: INTEGER :02 2631:d=7 hl=2 l= 1 prim: INTEGER :02
2634:d=6 hl=2 l= 4 prim: INTEGER :3F989B52 2634:d=6 hl=2 l= 4 prim: INTEGER :3F989B52
2640:d=6 hl=2 l= 10 cons: SEQUENCE 2640:d=6 hl=2 l= 10 cons: SEQUENCE
2642:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 2642:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
2652:d=6 hl=2 l= 109 cons: SEQUENCE 2652:d=6 hl=2 l= 109 cons: SEQUENCE
2654:d=7 hl=2 l= 18 cons: SET 2654:d=7 hl=2 l= 18 cons: SET
2656:d=8 hl=2 l= 16 cons: SEQUENCE 2656:d=8 hl=2 l= 16 cons: SEQUENCE
2658:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 2658:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
2670:d=9 hl=2 l= 2 prim: IA5STRING :ca 2670:d=9 hl=2 l= 2 prim: IA5STRING :ca
2674:d=7 hl=2 l= 25 cons: SET 2674:d=7 hl=2 l= 25 cons: SET
2676:d=8 hl=2 l= 23 cons: SEQUENCE 2676:d=8 hl=2 l= 23 cons: SEQUENCE
2678:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 2678:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
2690:d=9 hl=2 l= 9 prim: IA5STRING :sandelman 2690:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
2701:d=7 hl=2 l= 60 cons: SET 2701:d=7 hl=2 l= 60 cons: SET
2703:d=8 hl=2 l= 58 cons: SEQUENCE 2703:d=8 hl=2 l= 58 cons: SEQUENCE
2705:d=9 hl=2 l= 3 prim: OBJECT :commonName 2705:d=9 hl=2 l= 3 prim: OBJECT :commonName
2710:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co 2710:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co
2763:d=6 hl=2 l= 30 cons: SEQUENCE 2763:d=6 hl=2 l= 30 cons: SEQUENCE
2765:d=7 hl=2 l= 13 prim: UTCTIME :200225213154Z 2765:d=7 hl=2 l= 13 prim: UTCTIME :200225213154Z
2780:d=7 hl=2 l= 13 prim: UTCTIME :220224213154Z 2780:d=7 hl=2 l= 13 prim: UTCTIME :220224213154Z
2795:d=6 hl=2 l= 83 cons: SEQUENCE 2795:d=6 hl=2 l= 83 cons: SEQUENCE
2797:d=7 hl=2 l= 18 cons: SET 2797:d=7 hl=2 l= 18 cons: SET
2799:d=8 hl=2 l= 16 cons: SEQUENCE 2799:d=8 hl=2 l= 16 cons: SEQUENCE
2801:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 2801:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
2813:d=9 hl=2 l= 2 prim: IA5STRING :ca 2813:d=9 hl=2 l= 2 prim: IA5STRING :ca
2817:d=7 hl=2 l= 25 cons: SET 2817:d=7 hl=2 l= 25 cons: SET
2819:d=8 hl=2 l= 23 cons: SEQUENCE 2819:d=8 hl=2 l= 23 cons: SEQUENCE
2821:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 2821:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
2833:d=9 hl=2 l= 9 prim: IA5STRING :sandelman 2833:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
2844:d=7 hl=2 l= 34 cons: SET 2844:d=7 hl=2 l= 34 cons: SET
2846:d=8 hl=2 l= 32 cons: SEQUENCE 2846:d=8 hl=2 l= 32 cons: SEQUENCE
2848:d=9 hl=2 l= 3 prim: OBJECT :commonName 2848:d=9 hl=2 l= 3 prim: OBJECT :commonName
2853:d=9 hl=2 l= 25 prim: UTF8STRING :fountain-test.example.co 2853:d=9 hl=2 l= 25 prim: UTF8STRING :fountain-test.example.co
2880:d=6 hl=2 l= 89 cons: SEQUENCE 2880:d=6 hl=2 l= 89 cons: SEQUENCE
2882:d=7 hl=2 l= 19 cons: SEQUENCE 2882:d=7 hl=2 l= 19 cons: SEQUENCE
2884:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 2884:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
2893:d=8 hl=2 l= 8 prim: OBJECT :prime256v1 2893:d=8 hl=2 l= 8 prim: OBJECT :prime256v1
2903:d=7 hl=2 l= 66 prim: BIT STRING 2903:d=7 hl=2 l= 66 prim: BIT STRING
2971:d=6 hl=2 l= 42 cons: cont [ 3 ] 2971:d=6 hl=2 l= 42 cons: cont [ 3 ]
2973:d=7 hl=2 l= 40 cons: SEQUENCE 2973:d=7 hl=2 l= 40 cons: SEQUENCE
2975:d=8 hl=2 l= 22 cons: SEQUENCE 2975:d=8 hl=2 l= 22 cons: SEQUENCE
2977:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usag 2977:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usag
2982:d=9 hl=2 l= 1 prim: BOOLEAN :255 2982:d=9 hl=2 l= 1 prim: BOOLEAN :255
2985:d=9 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B0601 2985:d=9 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B0601
2999:d=8 hl=2 l= 14 cons: SEQUENCE 2999:d=8 hl=2 l= 14 cons: SEQUENCE
3001:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 3001:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
3006:d=9 hl=2 l= 1 prim: BOOLEAN :255 3006:d=9 hl=2 l= 1 prim: BOOLEAN :255
3009:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020780 3009:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020780
3015:d=5 hl=2 l= 10 cons: SEQUENCE 3015:d=5 hl=2 l= 10 cons: SEQUENCE
3017:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 3017:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
3027:d=5 hl=2 l= 104 prim: BIT STRING 3027:d=5 hl=2 l= 104 prim: BIT STRING
3133:d=4 hl=4 l= 619 cons: SEQUENCE 3133:d=4 hl=4 l= 619 cons: SEQUENCE
3137:d=5 hl=4 l= 498 cons: SEQUENCE 3137:d=5 hl=4 l= 498 cons: SEQUENCE
3141:d=6 hl=2 l= 3 cons: cont [ 0 ] 3141:d=6 hl=2 l= 3 cons: cont [ 0 ]
3143:d=7 hl=2 l= 1 prim: INTEGER :02 3143:d=7 hl=2 l= 1 prim: INTEGER :02
3146:d=6 hl=2 l= 4 prim: INTEGER :296B0659 3146:d=6 hl=2 l= 4 prim: INTEGER :296B0659
3152:d=6 hl=2 l= 10 cons: SEQUENCE 3152:d=6 hl=2 l= 10 cons: SEQUENCE
3154:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 3154:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
3164:d=6 hl=2 l= 109 cons: SEQUENCE 3164:d=6 hl=2 l= 109 cons: SEQUENCE
3166:d=7 hl=2 l= 18 cons: SET 3166:d=7 hl=2 l= 18 cons: SET
3168:d=8 hl=2 l= 16 cons: SEQUENCE 3168:d=8 hl=2 l= 16 cons: SEQUENCE
3170:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3170:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3182:d=9 hl=2 l= 2 prim: IA5STRING :ca 3182:d=9 hl=2 l= 2 prim: IA5STRING :ca
3186:d=7 hl=2 l= 25 cons: SET 3186:d=7 hl=2 l= 25 cons: SET
3188:d=8 hl=2 l= 23 cons: SEQUENCE 3188:d=8 hl=2 l= 23 cons: SEQUENCE
3190:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3190:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3202:d=9 hl=2 l= 9 prim: IA5STRING :sandelman 3202:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
3213:d=7 hl=2 l= 60 cons: SET 3213:d=7 hl=2 l= 60 cons: SET
3215:d=8 hl=2 l= 58 cons: SEQUENCE 3215:d=8 hl=2 l= 58 cons: SEQUENCE
3217:d=9 hl=2 l= 3 prim: OBJECT :commonName 3217:d=9 hl=2 l= 3 prim: OBJECT :commonName
3222:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co 3222:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co
3275:d=6 hl=2 l= 30 cons: SEQUENCE 3275:d=6 hl=2 l= 30 cons: SEQUENCE
3277:d=7 hl=2 l= 13 prim: UTCTIME :200225213145Z 3277:d=7 hl=2 l= 13 prim: UTCTIME :200225213145Z
3292:d=7 hl=2 l= 13 prim: UTCTIME :220224213145Z 3292:d=7 hl=2 l= 13 prim: UTCTIME :220224213145Z
3307:d=6 hl=2 l= 109 cons: SEQUENCE 3307:d=6 hl=2 l= 109 cons: SEQUENCE
3309:d=7 hl=2 l= 18 cons: SET 3309:d=7 hl=2 l= 18 cons: SET
3311:d=8 hl=2 l= 16 cons: SEQUENCE 3311:d=8 hl=2 l= 16 cons: SEQUENCE
3313:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3313:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3325:d=9 hl=2 l= 2 prim: IA5STRING :ca 3325:d=9 hl=2 l= 2 prim: IA5STRING :ca
3329:d=7 hl=2 l= 25 cons: SET 3329:d=7 hl=2 l= 25 cons: SET
3331:d=8 hl=2 l= 23 cons: SEQUENCE 3331:d=8 hl=2 l= 23 cons: SEQUENCE
3333:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3333:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3345:d=9 hl=2 l= 9 prim: IA5STRING :sandelman 3345:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
3356:d=7 hl=2 l= 60 cons: SET 3356:d=7 hl=2 l= 60 cons: SET
3358:d=8 hl=2 l= 58 cons: SEQUENCE 3358:d=8 hl=2 l= 58 cons: SEQUENCE
3360:d=9 hl=2 l= 3 prim: OBJECT :commonName 3360:d=9 hl=2 l= 3 prim: OBJECT :commonName
3365:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co 3365:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co
3418:d=6 hl=2 l= 118 cons: SEQUENCE 3418:d=6 hl=2 l= 118 cons: SEQUENCE
3420:d=7 hl=2 l= 16 cons: SEQUENCE 3420:d=7 hl=2 l= 16 cons: SEQUENCE
3422:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 3422:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
3431:d=8 hl=2 l= 5 prim: OBJECT :secp384r1 3431:d=8 hl=2 l= 5 prim: OBJECT :secp384r1
3438:d=7 hl=2 l= 98 prim: BIT STRING 3438:d=7 hl=2 l= 98 prim: BIT STRING
3538:d=6 hl=2 l= 99 cons: cont [ 3 ] 3538:d=6 hl=2 l= 99 cons: cont [ 3 ]
3540:d=7 hl=2 l= 97 cons: SEQUENCE 3540:d=7 hl=2 l= 97 cons: SEQUENCE
3542:d=8 hl=2 l= 15 cons: SEQUENCE 3542:d=8 hl=2 l= 15 cons: SEQUENCE
3544:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 3544:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
3549:d=9 hl=2 l= 1 prim: BOOLEAN :255 3549:d=9 hl=2 l= 1 prim: BOOLEAN :255
3552:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF 3552:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
3559:d=8 hl=2 l= 14 cons: SEQUENCE 3559:d=8 hl=2 l= 14 cons: SEQUENCE
3561:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 3561:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
3566:d=9 hl=2 l= 1 prim: BOOLEAN :255 3566:d=9 hl=2 l= 1 prim: BOOLEAN :255
3569:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106 3569:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106
3575:d=8 hl=2 l= 29 cons: SEQUENCE 3575:d=8 hl=2 l= 29 cons: SEQUENCE
3577:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Ident 3577:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Ident
3582:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B9A5F6CB11 3582:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B9A5F6CB11
3606:d=8 hl=2 l= 31 cons: SEQUENCE 3606:d=8 hl=2 l= 31 cons: SEQUENCE
3608:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Ide 3608:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Ide
3613:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014B9A5F6 3613:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014B9A5F6
3639:d=5 hl=2 l= 10 cons: SEQUENCE 3639:d=5 hl=2 l= 10 cons: SEQUENCE
3641:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 3641:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
3651:d=5 hl=2 l= 103 prim: BIT STRING 3651:d=5 hl=2 l= 103 prim: BIT STRING
3756:d=3 hl=4 l= 331 cons: SET 3756:d=3 hl=4 l= 331 cons: SET
3760:d=4 hl=4 l= 327 cons: SEQUENCE 3760:d=4 hl=4 l= 327 cons: SEQUENCE
3764:d=5 hl=2 l= 1 prim: INTEGER :01 3764:d=5 hl=2 l= 1 prim: INTEGER :01
3767:d=5 hl=2 l= 117 cons: SEQUENCE 3767:d=5 hl=2 l= 117 cons: SEQUENCE
3769:d=6 hl=2 l= 109 cons: SEQUENCE 3769:d=6 hl=2 l= 109 cons: SEQUENCE
3771:d=7 hl=2 l= 18 cons: SET 3771:d=7 hl=2 l= 18 cons: SET
3773:d=8 hl=2 l= 16 cons: SEQUENCE 3773:d=8 hl=2 l= 16 cons: SEQUENCE
3775:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3775:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3787:d=9 hl=2 l= 2 prim: IA5STRING :ca 3787:d=9 hl=2 l= 2 prim: IA5STRING :ca
3791:d=7 hl=2 l= 25 cons: SET 3791:d=7 hl=2 l= 25 cons: SET
3793:d=8 hl=2 l= 23 cons: SEQUENCE 3793:d=8 hl=2 l= 23 cons: SEQUENCE
3795:d=9 hl=2 l= 10 prim: OBJECT :domainComponent 3795:d=9 hl=2 l= 10 prim: OBJECT :domainComponent
3807:d=9 hl=2 l= 9 prim: IA5STRING :sandelman 3807:d=9 hl=2 l= 9 prim: IA5STRING :sandelman
3818:d=7 hl=2 l= 60 cons: SET 3818:d=7 hl=2 l= 60 cons: SET
3820:d=8 hl=2 l= 58 cons: SEQUENCE 3820:d=8 hl=2 l= 58 cons: SEQUENCE
3822:d=9 hl=2 l= 3 prim: OBJECT :commonName 3822:d=9 hl=2 l= 3 prim: OBJECT :commonName
3827:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co 3827:d=9 hl=2 l= 51 prim: UTF8STRING :fountain-test.example.co
3880:d=6 hl=2 l= 4 prim: INTEGER :3F989B52 3880:d=6 hl=2 l= 4 prim: INTEGER :3F989B52
3886:d=5 hl=2 l= 11 cons: SEQUENCE 3886:d=5 hl=2 l= 11 cons: SEQUENCE
3888:d=6 hl=2 l= 9 prim: OBJECT :sha256 3888:d=6 hl=2 l= 9 prim: OBJECT :sha256
3899:d=5 hl=2 l= 105 cons: cont [ 0 ] 3899:d=5 hl=2 l= 105 cons: cont [ 0 ]
3901:d=6 hl=2 l= 24 cons: SEQUENCE 3901:d=6 hl=2 l= 24 cons: SEQUENCE
3903:d=7 hl=2 l= 9 prim: OBJECT :contentType 3903:d=7 hl=2 l= 9 prim: OBJECT :contentType
3914:d=7 hl=2 l= 11 cons: SET 3914:d=7 hl=2 l= 11 cons: SET
3916:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data 3916:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
3927:d=6 hl=2 l= 28 cons: SEQUENCE 3927:d=6 hl=2 l= 28 cons: SEQUENCE
3929:d=7 hl=2 l= 9 prim: OBJECT :signingTime 3929:d=7 hl=2 l= 9 prim: OBJECT :signingTime
3940:d=7 hl=2 l= 15 cons: SET 3940:d=7 hl=2 l= 15 cons: SET
3942:d=8 hl=2 l= 13 prim: UTCTIME :200225230449Z 3942:d=8 hl=2 l= 13 prim: UTCTIME :200225230449Z
3957:d=6 hl=2 l= 47 cons: SEQUENCE 3957:d=6 hl=2 l= 47 cons: SEQUENCE
3959:d=7 hl=2 l= 9 prim: OBJECT :messageDigest 3959:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
3970:d=7 hl=2 l= 34 cons: SET 3970:d=7 hl=2 l= 34 cons: SET
3972:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:3D818C51D6C4B4 3972:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:3D818C51D6C4B4
4006:d=5 hl=2 l= 10 cons: SEQUENCE 4006:d=5 hl=2 l= 10 cons: SEQUENCE
4008:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 4008:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
4018:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30450220589E5D 4018:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30450220589E5D
The JSON contained in the voucher request. Note that the previous The JSON contained in the voucher request. Note that the previous
voucher request is in the prior-signed-voucher-request attribute. voucher request is in the prior-signed-voucher-request attribute.
{"ietf-voucher-request:voucher":{"assertion":"proximity","cr {"ietf-voucher-request:voucher":{"assertion":"proximity","cr
eated-on":"2020-02-25T23:04:49.054Z","serial-number":"00-D0- eated-on":"2020-02-25T23:04:49.054Z","serial-number":"00-D0-
E5-F2-00-02","nonce":"aMjgueKUT-22wVimj6z27Q","prior-signed- E5-F2-00-02","nonce":"aMjgueKUT-22wVimj6z27Q","prior-signed-
voucher-request":"MIIG3wYJKoZIhvcNAQcCoIIG0DCCBswCAQExDTALBg voucher-request":"MIIG3wYJKoZIhvcNAQcCoIIG0DCCBswCAQExDTALBg
lghkgBZQMEAgEwggOJBgkqhkiG9w0BBwGgggN6BIIDdnsiaWV0Zi12b3VjaG lghkgBZQMEAgEwggOJBgkqhkiG9w0BBwGgggN6BIIDdnsiaWV0Zi12b3VjaG
VyLXJlcXVlc3Q6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJwcm94aW1pdHkiLC VyLXJlcXVlc3Q6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJwcm94aW1pdHkiLC
skipping to change at page 119, line 43 skipping to change at page 121, line 43
hkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAy hkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAy
MjUyMzA0NDlaMC8GCSqGSIb3DQEJBDEiBCCJQso4Z9msdaPk3bsDltTkVckX50DvOPuOR9Svi5M9 MjUyMzA0NDlaMC8GCSqGSIb3DQEJBDEiBCCJQso4Z9msdaPk3bsDltTkVckX50DvOPuOR9Svi5M9
RDAKBggqhkjOPQQDAgRHMEUCIQCKESXfM3iV8hpkqcxAKA1veArA6GFpN0jzyns4El8uDgIgSRQi RDAKBggqhkjOPQQDAgRHMEUCIQCKESXfM3iV8hpkqcxAKA1veArA6GFpN0jzyns4El8uDgIgSRQi
9/MntuJhAM/tJCZBkfHBoAGX4PFAwwbs5LFZtAw= 9/MntuJhAM/tJCZBkfHBoAGX4PFAwwbs5LFZtAw=
<CODE ENDS> <CODE ENDS>
The ASN1 decoding of the artifact: The ASN1 decoding of the artifact:
file: examples/voucher_00-D0-E5-F2-00-02.b64 file: examples/voucher_00-D0-E5-F2-00-02.b64
0:d=0 hl=4 l=1735 cons: SEQUENCE 0:d=0 hl=4 l=1735 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=1720 cons: cont [ 0 ] 15:d=1 hl=4 l=1720 cons: cont [ 0 ]
19:d=2 hl=4 l=1716 cons: SEQUENCE 19:d=2 hl=4 l=1716 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01 23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 13 cons: SET 26:d=3 hl=2 l= 13 cons: SET
28:d=4 hl=2 l= 11 cons: SEQUENCE 28:d=4 hl=2 l= 11 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256 30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=3 hl=4 l= 888 cons: SEQUENCE 41:d=3 hl=4 l= 888 cons: SEQUENCE
45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 45:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
56:d=4 hl=4 l= 873 cons: cont [ 0 ] 56:d=4 hl=4 l= 873 cons: cont [ 0 ]
60:d=5 hl=4 l= 869 prim: OCTET STRING :{"ietf-voucher:voucher": 60:d=5 hl=4 l= 869 prim: OCTET STRING :{"ietf-voucher:voucher":
933:d=3 hl=4 l= 483 cons: cont [ 0 ] 933:d=3 hl=4 l= 483 cons: cont [ 0 ]
937:d=4 hl=4 l= 479 cons: SEQUENCE 937:d=4 hl=4 l= 479 cons: SEQUENCE
941:d=5 hl=4 l= 356 cons: SEQUENCE 941:d=5 hl=4 l= 356 cons: SEQUENCE
945:d=6 hl=2 l= 3 cons: cont [ 0 ] 945:d=6 hl=2 l= 3 cons: cont [ 0 ]
947:d=7 hl=2 l= 1 prim: INTEGER :02 947:d=7 hl=2 l= 1 prim: INTEGER :02
950:d=6 hl=2 l= 4 prim: INTEGER :1B995F54 950:d=6 hl=2 l= 4 prim: INTEGER :1B995F54
956:d=6 hl=2 l= 10 cons: SEQUENCE 956:d=6 hl=2 l= 10 cons: SEQUENCE
958:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 958:d=7 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
968:d=6 hl=2 l= 93 cons: SEQUENCE 968:d=6 hl=2 l= 93 cons: SEQUENCE
970:d=7 hl=2 l= 15 cons: SET 970:d=7 hl=2 l= 15 cons: SET
972:d=8 hl=2 l= 13 cons: SEQUENCE 972:d=8 hl=2 l= 13 cons: SEQUENCE
974:d=9 hl=2 l= 3 prim: OBJECT :countryName 974:d=9 hl=2 l= 3 prim: OBJECT :countryName
979:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada 979:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada
987:d=7 hl=2 l= 16 cons: SET 987:d=7 hl=2 l= 16 cons: SET
989:d=8 hl=2 l= 14 cons: SEQUENCE 989:d=8 hl=2 l= 14 cons: SEQUENCE
991:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 991:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
996:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario 996:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario
1005:d=7 hl=2 l= 18 cons: SET 1005:d=7 hl=2 l= 18 cons: SET
1007:d=8 hl=2 l= 16 cons: SEQUENCE 1007:d=8 hl=2 l= 16 cons: SEQUENCE
1009:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 1009:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1014:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman 1014:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman
1025:d=7 hl=2 l= 36 cons: SET 1025:d=7 hl=2 l= 36 cons: SET
1027:d=8 hl=2 l= 34 cons: SEQUENCE 1027:d=8 hl=2 l= 34 cons: SEQUENCE
1029:d=9 hl=2 l= 3 prim: OBJECT :commonName 1029:d=9 hl=2 l= 3 prim: OBJECT :commonName
1034:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com 1034:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com
1063:d=6 hl=2 l= 30 cons: SEQUENCE 1063:d=6 hl=2 l= 30 cons: SEQUENCE
1065:d=7 hl=2 l= 13 prim: UTCTIME :190212222241Z 1065:d=7 hl=2 l= 13 prim: UTCTIME :190212222241Z
1080:d=7 hl=2 l= 13 prim: UTCTIME :210211222241Z 1080:d=7 hl=2 l= 13 prim: UTCTIME :210211222241Z
1095:d=6 hl=2 l= 95 cons: SEQUENCE 1095:d=6 hl=2 l= 95 cons: SEQUENCE
1097:d=7 hl=2 l= 15 cons: SET 1097:d=7 hl=2 l= 15 cons: SET
1099:d=8 hl=2 l= 13 cons: SEQUENCE 1099:d=8 hl=2 l= 13 cons: SEQUENCE
1101:d=9 hl=2 l= 3 prim: OBJECT :countryName 1101:d=9 hl=2 l= 3 prim: OBJECT :countryName
1106:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada 1106:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada
1114:d=7 hl=2 l= 16 cons: SET 1114:d=7 hl=2 l= 16 cons: SET
1116:d=8 hl=2 l= 14 cons: SEQUENCE 1116:d=8 hl=2 l= 14 cons: SEQUENCE
1118:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 1118:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
1123:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario 1123:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario
1132:d=7 hl=2 l= 18 cons: SET 1132:d=7 hl=2 l= 18 cons: SET
1134:d=8 hl=2 l= 16 cons: SEQUENCE 1134:d=8 hl=2 l= 16 cons: SEQUENCE
1136:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 1136:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1141:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman 1141:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman
1152:d=7 hl=2 l= 38 cons: SET 1152:d=7 hl=2 l= 38 cons: SET
1154:d=8 hl=2 l= 36 cons: SEQUENCE 1154:d=8 hl=2 l= 36 cons: SEQUENCE
1156:d=9 hl=2 l= 3 prim: OBJECT :commonName 1156:d=9 hl=2 l= 3 prim: OBJECT :commonName
1161:d=9 hl=2 l= 29 prim: UTF8STRING :highway-test.example.com 1161:d=9 hl=2 l= 29 prim: UTF8STRING :highway-test.example.com
1192:d=6 hl=2 l= 89 cons: SEQUENCE 1192:d=6 hl=2 l= 89 cons: SEQUENCE
1194:d=7 hl=2 l= 19 cons: SEQUENCE 1194:d=7 hl=2 l= 19 cons: SEQUENCE
1196:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 1196:d=8 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
1205:d=8 hl=2 l= 8 prim: OBJECT :prime256v1 1205:d=8 hl=2 l= 8 prim: OBJECT :prime256v1
1215:d=7 hl=2 l= 66 prim: BIT STRING 1215:d=7 hl=2 l= 66 prim: BIT STRING
1283:d=6 hl=2 l= 16 cons: cont [ 3 ] 1283:d=6 hl=2 l= 16 cons: cont [ 3 ]
1285:d=7 hl=2 l= 14 cons: SEQUENCE 1285:d=7 hl=2 l= 14 cons: SEQUENCE
1287:d=8 hl=2 l= 12 cons: SEQUENCE 1287:d=8 hl=2 l= 12 cons: SEQUENCE
1289:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 1289:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1294:d=9 hl=2 l= 1 prim: BOOLEAN :255 1294:d=9 hl=2 l= 1 prim: BOOLEAN :255
1297:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000 1297:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
1301:d=5 hl=2 l= 10 cons: SEQUENCE 1301:d=5 hl=2 l= 10 cons: SEQUENCE
1303:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 1303:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
1313:d=5 hl=2 l= 105 prim: BIT STRING 1313:d=5 hl=2 l= 105 prim: BIT STRING
1420:d=3 hl=4 l= 315 cons: SET 1420:d=3 hl=4 l= 315 cons: SET
1424:d=4 hl=4 l= 311 cons: SEQUENCE 1424:d=4 hl=4 l= 311 cons: SEQUENCE
1428:d=5 hl=2 l= 1 prim: INTEGER :01 1428:d=5 hl=2 l= 1 prim: INTEGER :01
1431:d=5 hl=2 l= 101 cons: SEQUENCE 1431:d=5 hl=2 l= 101 cons: SEQUENCE
1433:d=6 hl=2 l= 93 cons: SEQUENCE 1433:d=6 hl=2 l= 93 cons: SEQUENCE
1435:d=7 hl=2 l= 15 cons: SET 1435:d=7 hl=2 l= 15 cons: SET
1437:d=8 hl=2 l= 13 cons: SEQUENCE 1437:d=8 hl=2 l= 13 cons: SEQUENCE
1439:d=9 hl=2 l= 3 prim: OBJECT :countryName 1439:d=9 hl=2 l= 3 prim: OBJECT :countryName
1444:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada 1444:d=9 hl=2 l= 6 prim: PRINTABLESTRING :Canada
1452:d=7 hl=2 l= 16 cons: SET 1452:d=7 hl=2 l= 16 cons: SET
1454:d=8 hl=2 l= 14 cons: SEQUENCE 1454:d=8 hl=2 l= 14 cons: SEQUENCE
1456:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 1456:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
1461:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario 1461:d=9 hl=2 l= 7 prim: UTF8STRING :Ontario
1470:d=7 hl=2 l= 18 cons: SET 1470:d=7 hl=2 l= 18 cons: SET
1472:d=8 hl=2 l= 16 cons: SEQUENCE 1472:d=8 hl=2 l= 16 cons: SEQUENCE
1474:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 1474:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1479:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman 1479:d=9 hl=2 l= 9 prim: UTF8STRING :Sandelman
1490:d=7 hl=2 l= 36 cons: SET 1490:d=7 hl=2 l= 36 cons: SET
1492:d=8 hl=2 l= 34 cons: SEQUENCE 1492:d=8 hl=2 l= 34 cons: SEQUENCE
1494:d=9 hl=2 l= 3 prim: OBJECT :commonName 1494:d=9 hl=2 l= 3 prim: OBJECT :commonName
1499:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com 1499:d=9 hl=2 l= 27 prim: UTF8STRING :highway-test.example.com
1528:d=6 hl=2 l= 4 prim: INTEGER :1B995F54 1528:d=6 hl=2 l= 4 prim: INTEGER :1B995F54
1534:d=5 hl=2 l= 11 cons: SEQUENCE 1534:d=5 hl=2 l= 11 cons: SEQUENCE
1536:d=6 hl=2 l= 9 prim: OBJECT :sha256 1536:d=6 hl=2 l= 9 prim: OBJECT :sha256
1547:d=5 hl=2 l= 105 cons: cont [ 0 ] 1547:d=5 hl=2 l= 105 cons: cont [ 0 ]
1549:d=6 hl=2 l= 24 cons: SEQUENCE 1549:d=6 hl=2 l= 24 cons: SEQUENCE
1551:d=7 hl=2 l= 9 prim: OBJECT :contentType 1551:d=7 hl=2 l= 9 prim: OBJECT :contentType
1562:d=7 hl=2 l= 11 cons: SET 1562:d=7 hl=2 l= 11 cons: SET
1564:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data 1564:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
1575:d=6 hl=2 l= 28 cons: SEQUENCE 1575:d=6 hl=2 l= 28 cons: SEQUENCE
1577:d=7 hl=2 l= 9 prim: OBJECT :signingTime 1577:d=7 hl=2 l= 9 prim: OBJECT :signingTime
1588:d=7 hl=2 l= 15 cons: SET 1588:d=7 hl=2 l= 15 cons: SET
1590:d=8 hl=2 l= 13 prim: UTCTIME :200225230449Z 1590:d=8 hl=2 l= 13 prim: UTCTIME :200225230449Z
1605:d=6 hl=2 l= 47 cons: SEQUENCE 1605:d=6 hl=2 l= 47 cons: SEQUENCE
1607:d=7 hl=2 l= 9 prim: OBJECT :messageDigest 1607:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
1618:d=7 hl=2 l= 34 cons: SET 1618:d=7 hl=2 l= 34 cons: SET
1620:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:8942CA3867D9AC 1620:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:8942CA3867D9AC
1654:d=5 hl=2 l= 10 cons: SEQUENCE 1654:d=5 hl=2 l= 10 cons: SEQUENCE
1656:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256 1656:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
1666:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30450221008A11 1666:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30450221008A11
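The two ASN.1 dumps above show the same CMS SignedData shape for a voucher-request and a voucher: a pkcs7-data eContent carrying the JSON, and a SignerInfo whose signedAttrs hold contentType, signingTime and messageDigest. The code below is an added example (it is not part of the draft or of any reference implementation) that walks that structure with a minimal DER reader, checks that messageDigest really is the SHA-256 of the eContent before trusting the JSON, and then unwraps the pledge's request from the registrar request's prior-signed-voucher-request field, as the text before the JSON describes. Because the page's base64 artifact is elided, the sample input is constructed by a small DER builder with the same serial-number and nonce as on the page; the issuer name, serial and the signature OCTET STRING in that builder are placeholders, and the ECDSA verification over signedAttrs that a MASA or registrar performs with the signer's certificate is not implemented here. The cross-checks returned by check_registrar_request (nonce and serial-number agreeing between the two requests) are this example's assumption of a sanity check, not the draft's full MASA policy.

```python
"""Unwrap a BRSKI voucher-request carried as CMS SignedData (RFC 5652) and
check signedAttrs' messageDigest over the JSON eContent. Standard library only;
the DER builder is a constructed stand-in for a real signer."""
import base64, hashlib, json

SEQ, SET, CTX0, INT, OCTETS, UTF8, UTCTIME = 0x30, 0x31, 0xA0, 0x02, 0x04, 0x0C, 0x17

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

OID_SIGNED_DATA = oid("1.2.840.113549.1.7.2")     # pkcs7-signedData
OID_DATA = oid("1.2.840.113549.1.7.1")            # pkcs7-data
OID_SHA256 = oid("2.16.840.1.101.3.4.2.1")
OID_CONTENT_TYPE = oid("1.2.840.113549.1.9.3")
OID_SIGNING_TIME = oid("1.2.840.113549.1.9.5")
OID_MESSAGE_DIGEST = oid("1.2.840.113549.1.9.4")
OID_ECDSA_SHA256 = oid("1.2.840.10045.4.3.2")

def build_signed_data(econtent, signing_time=b"200225230449Z"):
    """SignedData shaped like the page's asn1parse output; issuer, serial and
    the signature OCTET STRING are placeholders (no real key is used)."""
    attr = lambda o, v: tlv(SEQ, o + tlv(SET, v))
    signed_attrs = tlv(CTX0, attr(OID_CONTENT_TYPE, OID_DATA)
                       + attr(OID_SIGNING_TIME, tlv(UTCTIME, signing_time))
                       + attr(OID_MESSAGE_DIGEST, tlv(OCTETS, hashlib.sha256(econtent).digest())))
    issuer = tlv(SEQ, tlv(SET, tlv(SEQ, oid("2.5.4.3") + tlv(UTF8, b"example-signer"))))
    signer_info = tlv(SEQ, tlv(INT, b"\x01") + tlv(SEQ, issuer + tlv(INT, b"\x01"))
                      + tlv(SEQ, OID_SHA256) + signed_attrs + tlv(SEQ, OID_ECDSA_SHA256)
                      + tlv(OCTETS, b"\x30\x00"))  # placeholder, not a valid ECDSA signature
    encap = tlv(SEQ, OID_DATA + tlv(CTX0, tlv(OCTETS, econtent)))
    signed_data = tlv(SEQ, tlv(INT, b"\x01") + tlv(SET, tlv(SEQ, OID_SHA256))
                      + encap + tlv(SET, signer_info))
    return tlv(SEQ, OID_SIGNED_DATA + tlv(CTX0, signed_data))

def der_children(body):
    """Split a constructed DER body into (tag, inner body, raw TLV) triples."""
    out, pos = [], 0
    while pos < len(body):
        start, tag, ln, pos = pos, body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln], body[start:pos + ln]))
        pos += ln
    return out

def unwrap_signed_json(der):
    """Parsed JSON eContent, released only if signedAttrs' messageDigest matches it.
    ECDSA verification over signedAttrs with the signer's cert is not done here."""
    (_, _, ct_raw), (_, sd_wrap, _) = der_children(der_children(der)[0][1])
    if ct_raw != OID_SIGNED_DATA:
        raise ValueError("not pkcs7-signedData")
    fields = der_children(der_children(sd_wrap)[0][1])
    encap, signer_infos = fields[2][1], fields[-1][1]  # optional certificates [0] may sit between
    (_, _, ectype_raw), (_, econtent_wrap, _) = der_children(encap)
    if ectype_raw != OID_DATA:
        raise ValueError("eContentType is not pkcs7-data")
    econtent = der_children(econtent_wrap)[0][1]
    signer_info = der_children(der_children(signer_infos)[0][1])
    signed_attrs = next(b for t, b, _ in signer_info if t == CTX0)
    attrs = {}
    for _, a, _ in der_children(signed_attrs):
        (_, _, aoid), (_, vals, _) = der_children(a)
        attrs[aoid] = der_children(vals)[0][1]
    if attrs.get(OID_MESSAGE_DIGEST) != hashlib.sha256(econtent).digest():
        raise ValueError("messageDigest does not match eContent")
    return json.loads(econtent)

def is_intact(der):
    try:
        unwrap_signed_json(der)
        return True
    except ValueError:
        return False

def check_registrar_request(der):
    """Unwrap the registrar request and the pledge request nested inside it;
    the returned cross-checks are this example's assumption, not the draft's policy."""
    outer = unwrap_signed_json(der)["ietf-voucher-request:voucher"]
    inner = unwrap_signed_json(base64.b64decode(outer["prior-signed-voucher-request"]))
    inner = inner["ietf-voucher-request:voucher"]
    return {"serial-number": outer["serial-number"], "assertion": inner["assertion"],
            "nonce-matches": outer.get("nonce") == inner.get("nonce"),
            "serial-matches": outer["serial-number"] == inner["serial-number"]}

def sample_registrar_request():
    """Constructed sample: pledge request (page's serial and nonce) nested in the registrar's."""
    pledge = {"assertion": "proximity", "created-on": "2020-02-25T23:04:49.054Z",
              "serial-number": "00-D0-E5-F2-00-02", "nonce": "aMjgueKUT-22wVimj6z27Q"}
    pledge_der = build_signed_data(json.dumps({"ietf-voucher-request:voucher": pledge}).encode())
    registrar = dict(pledge, **{"prior-signed-voucher-request": base64.b64encode(pledge_der).decode()})
    return build_signed_data(json.dumps({"ietf-voucher-request:voucher": registrar}).encode())
```

To run this against the page's real artifact once it is available in full, base64-decode the .b64 file and pass the bytes to check_registrar_request; the parser follows the same offsets the asn1parse listing shows (pkcs7-data eContent at depth 5, signedAttrs as the cont [ 0 ] inside SignerInfo). Note that the messageDigest check alone only binds the JSON to the signedAttrs; without verifying the ECDSA signature over those attributes and chaining the signer's certificate to the expected pledge or registrar, a modified artifact with a recomputed digest would still pass.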
Appendix D. Additional References Appendix D. Additional References
RFC EDITOR Please remove this section before publication. It exists RFC EDITOR Please remove this section before publication. It exists
just to include references to the things in the YANG descriptions just to include references to the things in the YANG descriptions
which are not otherwise referenced in the text so that xml2rfc will which are not otherwise referenced in the text so that xml2rfc will
not complain. not complain.
[ITU.X690.1994] [ITU.X690.1994]
 End of changes. 30 change blocks. 
488 lines changed or deleted 496 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/