> Kent Watsen <kent+i...@watsen.net> wrote:
>> True, but it seems that getting a domain certificate and getting an
>> initial configuration are at least two distinct steps in ANIMA, whereas
>> they're rolled into one step with SZTP.
> 
> I'm missing where SZTP gets a domain certificate in a standard way.
> 
> I totally see how it gets initial configuration though.
> I also see how that initial configuration can be caused to do an enrollment,
> by leveraging some specific, vendor-specific, configuration command.

I think your understanding is complete.

There isn't a single "domain certificate". Instead, there are:

1) certificates pledges use during the bootstrap process, which may be:
   a) used to authenticate bootstrap servers. These certificates are learned via
      SZTP "redirect information", or
   b) used to authenticate owner-certificates. These certificates are learned via
      the ownership voucher (RFC 8366).

2) certificates pledges use to authenticate subsequent (e.g., management)
connections. These certificates may be configured, e.g., via the keystore and
truststore models over NETCONF, RESTCONF, or CoAP.

So, rather than a single certificate or a single protocol, there's a collection 
of each, yet all defined (once all is published) via standards (not 
vendor-specific, configuration commands).

Makes sense?

Kent

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
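The trust chain Kent describes under 1b), where the ownership voucher pins the owner's domain certificate, the owner-certificate is checked against that pinned certificate, and onboarding information is then accepted only when signed under it, as an added example in Go. This is not code from this thread, nor from any SZTP or ANIMA implementation. Assumptions made here: raw ECDSA P-256 signatures stand in for the CMS SignedData wrapping that RFC 8366 and RFC 8572 actually use; the MASA key, owner CA, owner signing certificate and voucher are generated in memory; `Pledge`, `Voucher`, `newCert`, `VerifyOnboarding` and `Scenario` are names chosen for this example; and the onboarding-information body is a constructed stand-in, not a real conveyed-info document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Voucher is the subset of the RFC 8366 "ietf-voucher:voucher" container used
// here; pinned-domain-cert is DER, carried base64-encoded (YANG "binary") in JSON.
type Voucher struct {
	SerialNumber     string `json:"serial-number"`
	Assertion        string `json:"assertion"`
	PinnedDomainCert []byte `json:"pinned-domain-cert"`
}

// Pledge is what the device knows before bootstrap: its own serial number and
// the manufacturer (MASA) trust anchor shipped in firmware.
type Pledge struct {
	Serial  string
	MASAKey *ecdsa.PublicKey
}

// sign/verify stand in for the CMS SignedData wrapping the RFCs actually use
// (assumption made for this example: raw ECDSA P-256 / SHA-256 signatures).
func sign(k *ecdsa.PrivateKey, m []byte) ([]byte, error) { h := sha256.Sum256(m); return ecdsa.SignASN1(rand.Reader, k, h[:]) }
func verify(k *ecdsa.PublicKey, m, sig []byte) bool   { h := sha256.Sum256(m); return ecdsa.VerifyASN1(k, h[:], sig) }

// newCert issues a P-256 certificate for this example; a nil parent yields a self-signed CA.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyOnboarding performs the pledge-side checks: the voucher must verify under the
// MASA anchor and name this pledge's serial, the owner certificate must chain to the
// voucher's pinned-domain-cert, and the onboarding information must be signed by it.
func (p *Pledge) VerifyOnboarding(voucherJSON, voucherSig, ownerDER, info, infoSig []byte) (*x509.Certificate, error) {
	if !verify(p.MASAKey, voucherJSON, voucherSig) {
		return nil, errors.New("voucher: MASA signature does not verify")
	}
	var v Voucher
	if err := json.Unmarshal(voucherJSON, &v); err != nil { return nil, fmt.Errorf("voucher: %w", err) }
	if v.SerialNumber != p.Serial {
		return nil, fmt.Errorf("voucher: issued for %q, this pledge is %q", v.SerialNumber, p.Serial)
	}
	pinned, err1 := x509.ParseCertificate(v.PinnedDomainCert)
	owner, err2 := x509.ParseCertificate(ownerDER)
	if err1 != nil || err2 != nil { return nil, fmt.Errorf("certificate parse: %v / %v", err1, err2) }
	roots := x509.NewCertPool() // the voucher, not any built-in CA list, is the only trust anchor
	roots.AddCert(pinned)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := owner.Verify(opts); err != nil {
		return nil, fmt.Errorf("owner-certificate does not chain to pinned-domain-cert: %w", err)
	}
	pub, ok := owner.PublicKey.(*ecdsa.PublicKey)
	if !ok || !verify(pub, info, infoSig) {
		return nil, errors.New("onboarding-information: owner signature does not verify")
	}
	return owner, nil
}

// Scenario builds a MASA key, an owner CA (its cert becomes pinned-domain-cert), an owner
// signing cert and a rogue CA, then returns the pledge's verdict for the genuine case and
// two misuses. Every key, certificate and message here is constructed for the example.
func Scenario() (genuine, wrongSerial, rogueOwner error) {
	masa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ownerCA, caKey := newCert("Example Owner CA", 1, true, nil, nil)
	owner, ownerKey := newCert("sztp-owner", 2, false, ownerCA, caKey)
	rogueCA, rogueCAKey := newCert("Rogue CA", 3, true, nil, nil)
	rogue, rogueKey := newCert("rogue-owner", 4, false, rogueCA, rogueCAKey)
	voucherFor := func(serial string) (body, sig []byte) {
		body, _ = json.Marshal(Voucher{SerialNumber: serial, Assertion: "verified", PinnedDomainCert: ownerCA.Raw})
		sig, _ = sign(masa, body)
		return body, sig
	}
	info := []byte(`{"configuration-handling":"replace"}`) // constructed onboarding-information stand-in
	infoSig, _ := sign(ownerKey, info)
	rogueSig, _ := sign(rogueKey, info)
	p := &Pledge{Serial: "SN-0001", MASAKey: &masa.PublicKey}
	vb, vs := voucherFor("SN-0001")
	_, genuine = p.VerifyOnboarding(vb, vs, owner.Raw, info, infoSig)
	wb, ws := voucherFor("SN-9999") // a real MASA-signed voucher, but for another device
	_, wrongSerial = p.VerifyOnboarding(wb, ws, owner.Raw, info, infoSig)
	_, rogueOwner = p.VerifyOnboarding(vb, vs, rogue.Raw, info, rogueSig) // valid cert, wrong anchor
	return
}

func main() { g, w, r := Scenario(); fmt.Println("genuine:", g, "| wrong serial:", w, "| rogue owner:", r) }
```

The point worth noticing is that the pledge never consults a general-purpose CA list: the only root it trusts for the owner-certificate is whatever the MASA-signed voucher pinned, so a certificate that is perfectly valid under some other CA is rejected. The trust anchors learned from redirect information (Kent's 1a) would be handled the same way, by adding them to a pool used only to authenticate the next bootstrap server.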