[strongSwan] ipsec attest adding aik at attestation server

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 11 22:56:01 CEST 2014


Hi Avesh,

because remote attestation is now fully managed by the strongTNC
policy manager (TPMRA workitem), the separate AIK keys table has
been replaced by the trusted flag in the devices table. You can
now configure your IMC to use the AIK public key fingerprint as
the device ID. For detailed information please consult my IMA HOWTO:

  http://wiki.strongswan.org/projects/strongswan/wiki/IMA

Currently the trusted flag can only be set by using the strongTNC
GUI or by a raw SQL UPDATE statement. But for the 5.2.0 release
I intend to update the ipsec attest command by merging the AIK key
and device ID concept and allowing trust to be explicitly set by
the attest command.

With the aikgen tool it is now also possible to generate an AIK
certificate signed by an in-house corporate CA so that trust could
alternatively be established through the X.509 trust chain. In that
case it would not be necessary to set the trusted flag on the
hardware device ID.

I apologize for the drastic changes but I think for remote
attestation the concept of a third party Privacy CA has not been
an ideal approach.

Best regards

Andreas

On 11.06.2014 18:25, Avesh Agarwal wrote:
> Hi,
>
> With the latest strongswan, when I try to add aik at attestation server
> by using the following command,
>
> ipsec attest --add --owner <owner_name> --aik aikcert.der --cid 3
>
> it fails with the error that key could not be inserted. The same command
> works in older version like 5.1.3.
>
> Even after going through the code, I am not sure what is the replacement
> command for this, any help is appreciated?
>
> Thanks and Regards
> Avesh

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
