Kent Watsen <[email protected]> wrote: > Skimming quickly, I see now the direction to go to a cloud registrar to > be redirected to a local registrar. I feel compelled to point out that > this is exactly what SZTP (RFC 8572) does, or at least, supports. > Actually, as a more general statement, it was originally said that the > two WG's approaches were different, but they are now becoming more and > more alike. Well, since SZTP is published already, it's more like the > ANIMA approach is becoming more like SZTP, albeit seemingly with more > complexity.
SZTP does not directly result in the same mutually authenticated TLS (EST) connection to a Registrar that BRSKI does. This was not an explicit SZTP goal. What it could do though, is to provide a source of (secure) bootstrap configuration in which such a connection could be initiated. In my mind, I see a fragment of signed JUNOS, IOS (CISCO, not Apple), etc. CLI configuration that initiates the connection. Such a thing would not be standardized. But, I would think that this is exactly the kind of thing that could be encoded in YANG. My understanding of https://tools.ietf.org/html/draft-ietf-netconf-keystore is that it would provided for Registrar initiated (PUSH) updating of device certificates, but would not provide a way for a device to initiate (PULL) to a securely identified EST server. -- Michael Richardson <[email protected]>, Sandelman Software Works -= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
