Jim Schaad <[email protected]> wrote:
> The question I was asking was more about the original enrollment rather
> than renewal although it could come into question there as well.
> - I have the implicit trust anchors and get an EST server URL.
> - Call /cacerts
> - I now have the explicit trust anchors but potentially have the same EST
> server URL.
> - Given that I have a NEW trust anchor, what do I do with the current DTLS
> session?
> - I now do an enrollment with the EST server to get a certificate.
> One can say it is fine to use the implicit TA for that enrollment, but one
> could also say that as the certificate chain is now different, then the
> DTLS session should be released and a new one established.
I think that the purpose of calling /cacerts is to get context for living
within the network. I think that one continues with enrollment with the
same connection. Restarting it might not actually work.
The resulting certificate should validate with the set of trust anchors
provided, and the anchors should let the client validate other clients.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
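The sequence Jim lists (implicit anchors, /cacerts, explicit anchors, enrollment) and Michael's two expectations (the issued certificate validates under the explicit anchors, and those anchors let the client validate its peers) can be made concrete with a small model. The code below is an added example, not code from this thread or from any EST implementation; certificates are plain records with no real signatures, and all names (`Vendor Root`, `Site CA`, `est.example`, `dev-001`, `dev-002`) are constructed. It only tracks which anchor set a chain terminates in, which is enough to show why the existing DTLS session's server chain may stop validating once the explicit set replaces the implicit one.

```python
"""Toy model of EST bootstrap trust-anchor transitions.

Constructed example: certificates carry only subject/issuer links, so
'validation' means the issuer chain reaches an anchor in the given store.
No cryptography is performed; the point is the anchor-set logic.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing cert; equals subject when self-signed


@dataclass
class TrustStore:
    anchors: dict = field(default_factory=dict)  # subject -> Cert

    @classmethod
    def of(cls, certs):
        return cls({c.subject: c for c in certs})


def chain_validates(leaf, intermediates, store):
    """Walk issuer links from leaf; True if the chain reaches an anchor in store."""
    by_subject = {c.subject: c for c in intermediates}
    cur, seen = leaf, set()
    while True:
        if cur.issuer in store.anchors:
            return True
        # Self-signed cert that is not an anchor, or a loop: dead end.
        if cur.issuer == cur.subject or cur.subject in seen:
            return False
        seen.add(cur.subject)
        cur = by_subject.get(cur.issuer)
        if cur is None:  # issuer not supplied anywhere
            return False


class EstBootstrapClient:
    """Models the client's trust state across the steps in the thread."""

    def __init__(self, implicit_anchors):
        self.implicit = TrustStore.of(implicit_anchors)
        self.explicit = None
        self.session_chain = None  # (server_leaf, intermediates) of current DTLS session

    def connect(self, server_leaf, intermediates=()):
        # Step 1: only the implicit anchors exist when the first DTLS session is built.
        if not chain_validates(server_leaf, intermediates, self.implicit):
            raise ValueError("server chain does not validate under implicit anchors")
        self.session_chain = (server_leaf, tuple(intermediates))

    def cacerts(self, explicit_anchors):
        # Step 2: /cacerts response replaces the trust context with the explicit set.
        self.explicit = TrustStore.of(explicit_anchors)

    def session_validates_under_explicit(self):
        # Jim's question: does the *current* session's server chain still validate
        # once judged against the explicit anchors rather than the implicit ones?
        leaf, inters = self.session_chain
        return chain_validates(leaf, inters, self.explicit)

    def validates_under_explicit(self, cert, intermediates=()):
        # Michael's expectation: the enrolled cert (and peers' certs) validate
        # against the explicit anchors handed out by /cacerts.
        return chain_validates(cert, intermediates, self.explicit)


def bootstrap_example(cacerts_includes_vendor_root=False):
    """Run the sequence with constructed certs; returns the three checks as booleans."""
    vendor_root = Cert("Vendor Root", "Vendor Root")   # implicit (manufacturer) anchor
    site_ca = Cert("Site CA", "Site CA")               # explicit anchor from /cacerts
    est_server = Cert("est.example", "Vendor Root")    # server cert used for first DTLS session
    enrolled = Cert("dev-001", "Site CA")              # certificate returned by enrollment
    peer = Cert("dev-002", "Site CA")                  # another client's certificate

    client = EstBootstrapClient([vendor_root])
    client.connect(est_server)
    explicit = [site_ca, vendor_root] if cacerts_includes_vendor_root else [site_ca]
    client.cacerts(explicit)

    return {
        "session_still_valid": client.session_validates_under_explicit(),
        "enrolled_cert_valid": client.validates_under_explicit(enrolled),
        "peer_cert_valid": client.validates_under_explicit(peer),
    }


if __name__ == "__main__":
    print(bootstrap_example())                                   # session_still_valid False
    print(bootstrap_example(cacerts_includes_vendor_root=True))  # session_still_valid True
```

With the explicit set containing only `Site CA`, the server chain behind the existing session no longer terminates in an anchor the client trusts, which is the situation where one might argue for tearing the session down; if /cacerts also returns the vendor root, the session remains valid under the new context and there is no reason to restart. In both runs the enrolled certificate and the peer certificate validate under the explicit anchors, which is the property Michael describes.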
