section 6.1.5 says: When BRSKI (see [I-D.ietf-anima-bootstrapping-keyinfra]) is used, the IPv6 locator of the BRSKI registrar from the BRSKI TLS connection SHOULD be remembered and used for the next renewal via EST if that registrar also announces itself as an EST server via GRASP (see next section) on its ACP address.
The BRSKI TLS connection is proxied through a join proxy. The pledge (new node) never knows what the IPv6 locator of the BRSKI registrar is. I suggest removing this paragraph; the node should listen for the EST GRASP announcement.

6.1.5.3 mandates use of CRLs rather than OCSP. I'm okay with that, but I wanted to make sure the WG understood. OCSP might require a node to be on the ACP before it could get on the ACP. CRLs could be cached for extended periods of time. We might consider adding a CRL retrieval step to BRSKI, after the cacerts are retrieved.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
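The CRL-caching point in the message above (a node that is not yet on the ACP cannot reach an OCSP responder, but can check a CRL it fetched and cached earlier), as an added example that is not part of this message, of the ANIMA drafts, or of any BRSKI/EST implementation: a Go program using only the standard library that constructs a demo CA, two node certificates and a CRL in memory, then checks a certificate against the cached CRL with no network access. All names, serials and lifetimes are made up for the example; the one-week `NextUpdate` stands in for whatever cache lifetime an operator would choose. The check verifies the CRL's signature against the CA, refuses to trust a cached CRL past its `nextUpdate`, and only then looks the serial up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus is the verdict a node reaches from its locally cached CRL alone.
type CRLStatus string

const (
	StatusGood     CRLStatus = "good"
	StatusRevoked  CRLStatus = "revoked"
	StatusCRLStale CRLStatus = "crl-stale"     // past nextUpdate: refresh before trusting
	StatusBadCRL   CRLStatus = "crl-untrusted" // unparsable or not signed by our CA
)

// CheckAgainstCachedCRL needs no network reachability: it verifies the cached
// CRL's signature against the CA, checks the CRL is still inside its validity
// window, and only then looks the peer certificate's serial up in it.
func CheckAgainstCachedCRL(cert, ca *x509.Certificate, crlDER []byte, now time.Time) CRLStatus {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusBadCRL
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return StatusBadCRL
	}
	// A CRL cached for an extended period must not be trusted past nextUpdate.
	if now.After(crl.NextUpdate) {
		return StatusCRLStale
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// DemoPKI holds the constructed CA, two node certificates and one CRL.
type DemoPKI struct {
	CA, GoodCert, RevokedCert *x509.Certificate
	CRL                       []byte
	Issued                    time.Time // thisUpdate of the CRL
}

// BuildDemoPKI constructs a hypothetical PKI in memory; every name and serial is made up.
func BuildDemoPKI() (*DemoPKI, error) {
	now := time.Now().Truncate(time.Second)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo registrar CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	issue := func(serial int64, cn string) (*x509.Certificate, error) { // end-entity cert signed by the CA
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	good, err := issue(100, "node-a (constructed)")
	if err != nil {
		return nil, err
	}
	revoked, err := issue(101, "node-b (constructed)")
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate:          now.Add(7 * 24 * time.Hour), // demo cache lifetime of one week
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CA: ca, GoodCert: good, RevokedCert: revoked, CRL: crlDER, Issued: now}, nil
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	fresh, stale := pki.Issued.Add(time.Hour), pki.Issued.Add(8*24*time.Hour)
	fmt.Println("node-a, fresh CRL:   ", CheckAgainstCachedCRL(pki.GoodCert, pki.CA, pki.CRL, fresh))
	fmt.Println("node-b, fresh CRL:   ", CheckAgainstCachedCRL(pki.RevokedCert, pki.CA, pki.CRL, fresh))
	fmt.Println("node-a, 8-day-old CRL:", CheckAgainstCachedCRL(pki.GoodCert, pki.CA, pki.CRL, stale))
}
```

The stale branch is the design point: a node that has been offline longer than the CRL's validity window should treat revocation status as unknown and fetch a fresh CRL (for instance as the extra BRSKI step suggested above) rather than keep honouring a list it can no longer consider current.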
