> I believe that we concur on the uses. > I'm not sure if you are saying the CA:TRUE is a requirement. > I do not want to mandate that. CA:TRUE is, of course, acceptable.
The current BRSKI text to me suggests that CA:TRUE is a requirement for the pinned-domain-cert. But I'm okay with not having CA:TRUE for this certificate, as you propose, in which case I think the BRSKI text needs some minor updates on the wording. For example, if it's just a Registrar cert with CA:FALSE and RA:TRUE then it shouldn't be called a "domain CA" cert or "domain cert".

If the Registrar is not a CA, it does need to be a Registration Authority (RA). (See Section 2.5.3 / 2.5.5 / 5.5.4 / https://tools.ietf.org/html/rfc6402#section-2.10 ) So the requirement for the pinned cert is that it is either RA or CA. (Both seem also possible to encode in the cert, although that seems equivalent to a CA.)

Esko

-----Original Message-----
From: Michael Richardson <mcr+i...@sandelman.ca>
Sent: Wednesday, April 1, 2020 21:46
To: Esko Dijk <esko.d...@iotconsultancy.nl>
Cc: Benjamin Kaduk <ka...@mit.edu>; anima@ietf.org
Subject: Re: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-39: (with DISCUSS and COMMENT)

Esko Dijk <esko.d...@iotconsultancy.nl> wrote:
> Based on the discussion, trying to list some practical cases we can
> have of the pinned-domain-cert:

I believe that we concur on the uses.
I'm not sure if you are saying the CA:TRUE is a requirement.
I do not want to mandate that. CA:TRUE is, of course, acceptable.

I think that today's revised text supports all of your use cases. If you find some fell out of bounds, then it's a mistake.

> In the latter case, the self-signed limited-scope root CA will
> typically be used as the pinned-domain-cert. And the EST server will
> create certificates signed by this same root CA.

I believe that by number of Registrars the self-signed private CA will be the most common. It is what I have suggested in draft-richardson-anima-registrar-operations.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
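The rule Esko states above (the pinned-domain-cert must be either a CA, via basicConstraints CA:TRUE, or a Registration Authority, signalled by the id-kp-cmcRA extended key usage from RFC 6402 section 2.10) can be checked mechanically on a candidate certificate. The code below is an added example, not code from this thread or from the BRSKI draft; it uses the Python `cryptography` library, and the certificate names, the EC keys and the extra SERVER_AUTH EKU on the registrar cert are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# id-kp-cmcRA (RFC 6402 section 2.10): the EKU value that marks a Registration Authority.
ID_KP_CMC_RA = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.28")

def pinned_domain_cert_role(cert):
    """Return 'CA', 'RA', 'CA+RA' or None (not acceptable) for a candidate pinned-domain-cert."""
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # no basicConstraints at all: an end-entity certificate
    try:
        is_ra = ID_KP_CMC_RA in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        is_ra = False
    return {(True, True): "CA+RA", (True, False): "CA", (False, True): "RA"}.get((is_ca, is_ra))

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, key, issuer_cn, issuer_key, ca, ekus=()):
    """Build a constructed test certificate whose basicConstraints carries the given CA flag."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def demo_roles():
    """Constructed certificates (assumed names, not real deployment material) for the thread's cases."""
    ca_key, reg_key, srv_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    domain_ca = make_cert("Example Domain CA", ca_key, "Example Domain CA", ca_key, ca=True)
    registrar = make_cert("Example Registrar", reg_key, "Example Domain CA", ca_key, ca=False,
                          ekus=[ID_KP_CMC_RA, ExtendedKeyUsageOID.SERVER_AUTH])
    plain_tls = make_cert("Plain TLS server", srv_key, "Example Domain CA", ca_key, ca=False,
                          ekus=[ExtendedKeyUsageOID.SERVER_AUTH])
    return {
        "self-signed domain CA": pinned_domain_cert_role(domain_ca),
        "registrar (CA:FALSE with cmcRA EKU)": pinned_domain_cert_role(registrar),
        "plain TLS server cert": pinned_domain_cert_role(plain_tls),
    }
```

A plain TLS server certificate with neither the CA flag nor the cmcRA EKU yields None, which is the case the revised wording needs to exclude.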