<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 4, 2020 at 2:21 PM Michael Richardson <<a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Richard Hanley <<a href="mailto:rhanley@google.com" target="_blank">rhanley@google.com</a>> wrote:<br>
> 3) Finally we need to<br>
> support revocations lists. AFIAK, there is no support for this today.<br>
<br>
What are the certificates you speak of for?<br>
If you are talking about HTTPs end-point certificates for bmcweb, then there<br>
is nothing to do for CRLs, because CRLs aren't a function of the HTTPS<br>
End-Entity certificate you are worried about.<br>
<br>
They are provided by the CA, and it's a problem of the HTTP browser to<br>
validate.<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
So I don't understand your CRL point.<br>
<br></blockquote><div><br></div><div>I think that CRL becomes more of an issue when communication is mutually authenticated. If a client is given a certificate from the CA, then there should be a way for that client's cert to be revoked on a BMC. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> Finally, I'm expecting we will need an out of band mechanism to talk<br>
> with hardware root of trust (e.g. OpenTitan <a href="https://opentitan.org/" rel="noreferrer" target="_blank">https://opentitan.org/</a>).<br>
<br>
Possibly.<br>
<br>
--<br>
] Never tell me the odds! | ipv6 mesh networks [<br>
] Michael Richardson, Sandelman Software Works | IoT architect [<br>
] <a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/" rel="noreferrer" target="_blank">http://www.sandelman.ca/</a> | ruby on rails [<br>
<br>
<br>
</blockquote></div></div>