Esko Dijk <[email protected]> wrote:
> The new text looks good now. I was still wondering about the pg 12
> requirement in RFC 8366; which amounts to:
> The [domain certificate supplied to the pledge separately by the
> bootstrapping protocol] MUST have [pinned-domain-cert] somewhere in its
> chain of certificates.
> It looks like the "domain certificate" here is then not meant as (1)
> the EE certificate that the EST server will hand to the Pledge later on
> (as I thought), but rather (2) the Registrar's certificate that is
> supplied to the Pledge in the initial handshake.
Can you explain "later on" here?
The Registrar's TLS Server Certificate could be a different PKI hierarchy
than the resulting PKI.
> If one interprets it like (1) then BRSKI may violate the requirement;
> if one interprets it to be (2) then all is fine.
> A few remaining nits found during reading:
Thanks. I have updated my copy of the XML, and I'll pass this on to the
RFC-editor.
Nothing is going forward until the ACP LC ends and the IESG does its reviews.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
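Added example, not from this thread and not from any BRSKI implementation: the pledge-side check that the Registrar's TLS server certificate chain (reading (2) above) contains pinned-domain-cert, written in Go against a constructed test PKI. The domain CA, a registrar sub-CA and the registrar EE certificate are all generated inside the block with made-up names and serials; the check treats the pin as the sole trust anchor, so it accepts the domain CA, the sub-CA or the EE cert itself as the pin and rejects a certificate that is not in the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues one certificate of the constructed test PKI: self-signed when parent is
// nil, otherwise signed by parent/parentKey. Inputs are fixed, so errors are dropped here.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PinnedDomainCertInChain is the pledge-side check: peerCerts is the Registrar's TLS
// server certificate chain as presented (leaf first, as in tls.ConnectionState.PeerCertificates)
// and must chain to pinned-domain-cert. The pin is the sole trust anchor, so it may be the
// domain CA, an intermediate or the leaf itself; a certificate absent from the chain fails.
func PinnedDomainCertInChain(pinned *x509.Certificate, peerCerts []*x509.Certificate) bool {
	if len(peerCerts) == 0 {
		return false
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinned)
	for _, c := range peerCerts[1:] {
		inters.AddCert(c)
	}
	// No DNSName in the options: the pledge has no domain name to match yet, only the pin.
	_, err := peerCerts[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```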
