On 11-Mar-20 01:20, Michael Richardson wrote:
>
> section 6.1.5 says:
>
>    When BRSKI (see [I-D.ietf-anima-bootstrapping-keyinfra]) is used, the
>    IPv6 locator of the BRSKI registrar from the BRSKI TLS connection SHOULD
>    be remembered and used for the next renewal via EST if that registrar
>    also announces itself as an EST server via GRASP (see next section) on
>    its ACP address.
>
> The BRSKI TLS connection is proxied through a join proxy.
> The pledge (new node) never knows what the IPv6 locator of the BRSKI
> registrar is.
Right, and unless I'm mistaken that remains true even if the registrar is
on the same layer 2 link as the pledge; the node containing the registrar
also contains a proxy. Pledges don't need a special case for this
situation.

   Brian

> I suggest removing this paragraph; the node should listen for the EST GRASP
> announcement.
>
>
> 6.1.5.3 mandates use of CRLs rather than OCSP.
> I'm okay with that, but I wanted to make sure the WG understood.
> OCSP might require a node to be on the ACP before it could get on the
> ACP. CRLs could be cached for extended periods of time.
>
> We might consider adding a CRL retrieval step to BRSKI, after the cacerts are
> retrieved.
>
>
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
> _______________________________________________
> Anima mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/anima
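The point of the exchange above, as an added example that is not part of the thread and not code from the ACP or BRSKI drafts: the address a pledge's BRSKI TLS session was opened to belongs to the join proxy, so the only usable source for the EST renewal target is the GRASP "SRV.est" flood with which the registrar announces itself on its ACP address. The block below builds such an M_FLOOD on the registrar side and parses it on the pledge side. The GRASP constants (M_FLOOD = 9, O_IPv6_LOCATOR = 103, F_SYNCH = bit 2) and the flood layout are the RFC 8990 values, and the objective name "SRV.est" with value "EST-TLS" follows the ACP draft (later RFC 8994) as I recall it; the tiny CBOR codec, session id, TTL, port and all addresses are constructed here for the demonstration.

```python
# Added example: registrar-side GRASP "SRV.est" flood and pledge-side parser.
# CBOR codec, addresses, ports and ids are constructed for this demonstration.
import ipaddress

M_FLOOD = 9            # GRASP message type (RFC 8990)
O_IPV6_LOCATOR = 103   # GRASP locator option (RFC 8990)
F_SYNCH = 1 << 2       # objective flag bit 2, "synchronization" (RFC 8990)
IPPROTO_TCP = 6

# --- minimal CBOR: unsigned int, byte string, text string, array -------------
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def cbor_encode(v):
    if isinstance(v, int) and not isinstance(v, bool) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(buf, pos):
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length or reserved item not supported")
    if major == 0:
        return n, pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def cbor_decode(buf):
    v, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v

# --- registrar side: announce EST-over-TLS on the ACP address ----------------
def est_flood(session_id, registrar_acp_addr, port, ttl_ms):
    """Build [M_FLOOD, session-id, initiator, ttl, [objective, locator]]."""
    initiator = ipaddress.IPv6Address(registrar_acp_addr).packed
    objective = ["SRV.est", F_SYNCH, 255, "EST-TLS"]
    locator = [O_IPV6_LOCATOR, initiator, IPPROTO_TCP, port]
    return cbor_encode([M_FLOOD, session_id, initiator, ttl_ms, [objective, locator]])

# --- pledge side: learn the EST server from GRASP, not from the TLS peer -----
def est_locators(buf):
    """Return [(ipv6, port), ...] for every EST-TLS server in one GRASP flood."""
    msg = cbor_decode(buf)
    if not (isinstance(msg, list) and len(msg) >= 5 and msg[0] == M_FLOOD):
        return []
    found = []
    for pair in msg[4:]:                      # one or more [objective, locator]
        if not (isinstance(pair, list) and len(pair) == 2):
            continue
        obj, loc = pair
        if not (isinstance(obj, list) and len(obj) == 4 and obj[0] == "SRV.est"
                and isinstance(obj[1], int) and obj[1] & F_SYNCH
                and obj[3] == "EST-TLS"):
            continue
        if not (isinstance(loc, list) and len(loc) == 4 and loc[0] == O_IPV6_LOCATOR
                and isinstance(loc[1], bytes) and len(loc[1]) == 16
                and loc[2] == IPPROTO_TCP and isinstance(loc[3], int)):
            continue
        found.append((ipaddress.IPv6Address(loc[1]).compressed, loc[3]))
    return found

if __name__ == "__main__":
    # Constructed sample: the BRSKI TLS session went to the join proxy's
    # link-local address, which says nothing about where the registrar is.
    brski_tls_peer = "fe80::1"
    flood = est_flood(12340815, "fd12:3456:789a::42", 443, 210000)
    print("BRSKI TLS peer (join proxy):", brski_tls_peer)
    print("EST servers learned via GRASP:", est_locators(flood))
```

The parser deliberately ignores pairs whose objective is not "SRV.est"/"EST-TLS" or whose locator is not a 16-byte IPv6 address over TCP, so a malformed or unrelated flood yields an empty list rather than a bogus renewal target; nothing in it consults the BRSKI TLS peer address, which is the change the thread argues for.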
