On 2020-12-21 5:54 a.m., Deb Cooley wrote:
I don't post often, so go easy. And I've not read up on the current state of BRSKI or MASA.  This response is based only on the original post.

The BRSKI Registrar is expected, like all RFC7030 Registrars, to have the cmcRA bit set.
The conclusion is that we can't do this with an ACME deployed certificate.
*BRSKI* is, however, happy with a private PKI, and over in draft-ietf-anima-constrained-voucher, we concluded that we had better explicitly say that it's okay to have CA=True, and cmcRA set. I.e. a self-signed key is fine, and it's okay if such a thing nominates itself as an RA.
(It is to be discouraged, and we intend to write that, but it is acceptable)

It is unfortunate that a Registrar that will be speaking ACME on its "northbound" interface can't itself use an ACME-acquired certificate.

Now, how can we get the draft-ietf-acme-integrations document unstuck?

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
