Skip to main content

2. Bootstrap Key

The mechanism relies on an EC BSK. The BSK MUST come from a cryptosystem suitable for ECDSA. The BSK public key MUST be encoded as the DER representation of an ASN.1 SEQUENCE SubjectPublicKeyInfo from RFC 5480. The subjectPublicKey MUST be the compressed format of the public key, and the encoding MUST include both AlgorithmIdentifier and subjectPublicKey.

The TLS server may learn the BSK public key by scanning a QR code that contains a base64 DER SubjectPublicKeyInfo, by importing a Bill of Materials, or by another trusted out-of-band mechanism. The BSK public key MUST NOT be freely available on the network.

2.1. Alignment with DPP

The BSK public-key definition aligns with Wi-Fi Alliance Device Provisioning Profile (DPP). A device that supports both wired LAN and Wi-Fi can use one QR code for DPP on Wi-Fi and TLS-POK on wired networks. DPP, and therefore TLS-POK, does not support RSA or postquantum systems because their public keys are too large for the QR-code model.