Esko Dijk <esko.d...@iotconsultancy.nl> wrote:
    > Currently BRSKI Section 5.5.4 has this text:

doc> The MASA MUST verify that the registrar voucher-request is signed by a registrar

    > If the Registrar would use a non-RA certificate e.g. ACME (LE) standard
    > EE certificate, then it seems that it cannot get anything from MASA...?
    > And BRSKI would not work?

I agree that there are potential issues here.

1) I think that the MASA may skip that check for recognized registrars, so
   that the ACME integration work can work. This would be a local
   configuration.

2) It may be that draft-ietf-acme-integrations and/or
   draft-friel-acme-subdomains may need to specify a way to ask for cmcRA to
   be set within ACME, when using ACME when doing the pre-authorization for
   "domain.com"

   cf:
      NOTE: Pre-Authorization of "domain.com" is complete

The ACME spec does support authorizations for domains, and maybe that would
be the best way to do this.

This also supports the concept that the cmcRA bit ought to apply to all RA
operations (CMP as well as EST), as proposed in LAMPS.

I think that we should perhaps plan a design team meeting/BOF around this
discussion.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
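
Added example, not part of the thread and not code from any MASA implementation: the MASA-side check discussed above (id-kp-cmcRA in the certificate that signed the registrar voucher-request) with the local-configuration exception from point 1. It assumes signature and chain validation happen elsewhere, uses the Python `cryptography` package, and the names `registrar_check`, `recognized_spki` and the choice to pin recognized registrars by SPKI SHA-256 are hypothetical.

```python
import datetime
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ID_KP_CMCRA = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.28")  # id-kp-cmcRA, RFC 6402

def make_cert(common_name, ekus):
    """Constructed sample data: a self-signed certificate carrying the given EKUs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))

def spki_sha256(cert):
    """Hex SHA-256 of the DER SubjectPublicKeyInfo (assumed pinning format)."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def registrar_check(signer_cert, recognized_spki=frozenset()):
    """Return (accepted, reason) for the voucher-request signer certificate."""
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ID_KP_CMCRA in eku:
            return True, "cmcRA"            # the check as written in the quoted text
    except x509.ExtensionNotFound:
        pass                                # no EKU extension at all: not an RA cert
    if spki_sha256(signer_cert) in recognized_spki:
        return True, "local-allowlist"      # point 1: locally recognized registrar
    return False, "not-a-registrar"

# Constructed samples: an RA certificate and an ACME-style end-entity certificate.
RA_CERT = make_cert("registrar.example",
                    [ID_KP_CMCRA, ExtendedKeyUsageOID.CLIENT_AUTH])
EE_CERT = make_cert("acme-ee.example",
                    [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])

if __name__ == "__main__":
    print(registrar_check(RA_CERT), registrar_check(EE_CERT))
```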