From 179f02e30d765c6f1a734e3cfe48b8664a915422 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 16 Sep 2024 17:23:53 -0400 Subject: [PATCH] added reference to Sandoche paper; but not sure where to reference it --- draft-ietf-dance-architecture.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/draft-ietf-dance-architecture.md b/draft-ietf-dance-architecture.md index 3768cfa..fbc5fc5 100644 --- a/draft-ietf-dance-architecture.md +++ b/draft-ietf-dance-architecture.md @@ -35,6 +35,8 @@ author: normative: informative: + pkiiot: DOI.10.1109/PKIA56009.2022.9952253 + slowloris: target: "https://en.wikipedia.org/wiki/Slowloris_(computer_security)" title: "Slowloris Attack" @@ -98,6 +100,7 @@ A first-class identity is an application-independent identity. **Identity provisioning:** This refers to the set of tasks required to securely provision an asymmetric key pair for the device, sign the certificate (if the public credential is not simply a raw public key), and publish the public key or certificate in DNS. Under some circumstances, these steps are not all performed by the same party or organization. A device manufacturer may instantiate the key pair, and a systems integrator may be responsible for issuing (and publishing) the device certificate in DNS. + In some circumstances, a manufacturer may also publish device identity records in DNS. In this case, the system integrator needs to perform network and application access configuration, since the identity already exists in DNS. A user may instantiate a key pair, based upon which an organization's CA may produce a certificate after internally assuring the user identity, and the systems integrator may publish the CA root certificate in DNS.
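Review bot: the new `pkiiot` entry in the first hunk is never cited in the body text (the commit message says as much), so the build will flag it as an unused informative reference until a `{{pkiiot}}` citation is placed somewhere; the identity-provisioning paragraph touched by the second hunk, which discusses manufacturers instantiating device key pairs and publishing certificates, looks like the natural place. Also consider giving the entry at least a `title:` line alongside the bare `DOI.10.1109/PKIA56009.2022.9952253` key, matching the style of the neighbouring `slowloris` entry, so the reference renders usefully even if the DOI lookup is unavailable at build time.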
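Review bot: the added paragraph in the second hunk does not say under whose DNS zone the manufacturer-published identity records live, and that is the security-relevant detail here: whichever party controls that zone controls the record's lifetime, including its update and removal, so when the manufacturer rather than the systems integrator publishes, the integrator is trusting the manufacturer's zone (and its DNSSEC signing) for the device's identity; one sentence stating this shift in trust would make the paragraph complete. Two smaller points: "the system integrator" should read "the systems integrator" to match the surrounding text, and "needs to perform network and application access configuration, since the identity already exists in DNS" reads as intended if written "need only perform network and application access configuration, since the identity already exists in DNS".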