NAME
     register - command to register set-top-box identity with signer

SYNOPSIS
     mux/register [ signer ]

DESCRIPTION
     Register is intended for use on a set top box (or similar device). It
     connects to signer, a machine configured to sign certificates, and
     obtains an authenticated certificate based on the contents of /nvfs/ID
     (the set top box ID in non-volatile memory). The certificate is saved
     in the file /nvfs/default for later use. If no signer is named
     explicitly, the $SIGNER named in db(6) is used instead.

     There are several phases to obtaining the certificate.

     1.  The register command interacts with signer(8) on the signing host
         to construct the certificate. This certificate is `blinded' by a
         random bit mask and sent back to register, which displays it in
         textual or graphical form to the user.

     2.  The user running register must use an independent, secure
         mechanism (for example, an untapped telephone call) to communicate
         with a human agent at the site acting as signer. That agent runs
         verify (see signer(8)) to display the same `blinded' certificate
         that was shown to register's user at the client. Once the agent is
         convinced that the `blinded' certificate has been delivered to the
         correct party, the agent tells verify to accept the identity of
         the caller.

     3.  Register then connects to the countersigner process (see
         signer(8)) to obtain the bit mask needed to `unblind' the
         previously received certificate. This step can only validly be
         performed after the successful completion of verify on the signer.
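     The three phases as a constructed model, added here as an illustration
     and not the Inferno code of register or signer(8). The SignerHost
     class, the hex fingerprint shown to people, and the agent_confirms
     callback are assumptions standing in for the real programs and for the
     out-of-band telephone call; the certificate bytes are a placeholder.

```python
import os
from typing import Callable, Optional

# Constructed model of register's three phases; not the Inferno implementation.
def blind(data: bytes, mask: bytes) -> bytes:
    """XOR a certificate with a random bit mask; applying it twice unblinds."""
    return bytes(a ^ b for a, b in zip(data, mask))

def fingerprint(blob: bytes) -> str:
    """Short textual form of a blinded certificate, as read out to a person."""
    return blob.hex()[:16]

class SignerHost:
    """Stand-in (assumption) for signer(8), verify and countersigner."""
    def __init__(self) -> None:
        self.pending = {}                        # box id -> [cert, mask, accepted]

    def sign(self, box_id: bytes) -> bytes:      # phase 1: return blinded cert
        cert = b"signed-cert-for-" + box_id      # placeholder for a real certificate
        mask = os.urandom(len(cert))
        self.pending[box_id] = [cert, mask, False]
        return blind(cert, mask)

    def verify_show(self, box_id: bytes) -> str: # phase 2: what the agent sees
        cert, mask, _ = self.pending[box_id]
        return fingerprint(blind(cert, mask))

    def verify_accept(self, box_id: bytes) -> None:   # phase 2: agent's decision
        self.pending[box_id][2] = True

    def countersign(self, box_id: bytes) -> Optional[bytes]:  # phase 3
        _, mask, accepted = self.pending[box_id]
        return mask if accepted else None        # mask released only after verify

def register(signer: SignerHost, box_id: bytes,
             agent_confirms: Callable[[str, str], bool]) -> Optional[bytes]:
    """Client side: run the three phases and return the unblinded certificate."""
    blinded = signer.sign(box_id)
    shown_to_user = fingerprint(blinded)         # displayed on the set top box
    # Out-of-band step: the user reads shown_to_user to the agent by phone; the
    # agent compares it with verify's display and decides whether to accept.
    if agent_confirms(shown_to_user, signer.verify_show(box_id)):
        signer.verify_accept(box_id)
    mask = signer.countersign(box_id)
    if mask is None:
        return None                              # verify never completed
    return blind(blinded, mask)
```

     Without the agent's acceptance the countersigner releases no mask, so a
     caller who reached signer but not the agent is left holding only the
     blinded certificate.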