Eliot Lear <[email protected]> wrote:
>> On 18 Mar 2021, at 19:58, Michael Richardson <[email protected]> wrote:
>>
>> A pity that EST (and I think SCEP, but I haven't read it all), just returns
>> the resulting certificate, and not something more useful, like a JSON dict
>> that includes the certificate.
>>
>> RFC7030 has a 202, Retry-After, which could be used to tell the holder to
>> go away and come back later, but the intended use is not to say not now,
>> but rather, "I'm working on it".
> This is definitely a problem in a number of deployments. One aspect
> that people have to deal with is not so much the gross expiry time, but
> when it is convenient to take a risk of moving to a new cert. Of
> course you’re going to want to make that operation as bullet-proof as
> possible, but in some environments they want multiple levels of
> resilience. So scheduling does become an issue.
> The big question is: who does the scheduling? Is it the end system?
> Is it the EST server? Who knows when “convenient” is? Probably the
> answer is “both”.
It has to be a three-phase commit, and it needs to be initiated from the EST
server.
1) send out new identities and trust anchors, but continue to initiate with
old ones.
2) do a fire drill with new identities, testing responders
3) switch to new identities, mark old identities to be removed
I really like the netconf solution.
I think that putting the EST server in charge of collecting new CSRs, and
delivering new certificates is the right way. I argued for this back when we
were doing 6tisch-minimal-security: on a challenged network, a stampeding
herd of elephants is very undesirable.
I would like brski-async-enroll to consider
https://datatracker.ietf.org/doc/draft-ietf-netconf-sztp-csr/?include_text=1
as being the collection protocol between registrar agent and pledge.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
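The three-phase rollover sketched above, as an added illustration that is not code from this thread, from EST or from any of the drafts mentioned: a server-side coordinator stages new identities and trust anchors, runs the fire drill against every responder, and refuses to switch while any responder would still reject a new identity. Identities and trust anchors are constructed stand-ins, not real X.509 material.

```python
from dataclasses import dataclass, field

# Identities are (subject, issuer) pairs; trust anchors are accepted issuer names.
# Constructed model only: no real X.509, EST or BRSKI messages are involved.

@dataclass
class Node:
    name: str
    trust_anchors: set
    active: tuple                      # identity used when initiating
    staged: tuple = None               # new identity held but not yet used
    retired: list = field(default_factory=list)

    def accepts(self, identity):
        return identity[1] in self.trust_anchors

class Coordinator:
    """Server-side driver: only the coordinator advances the phase."""
    def __init__(self, nodes):
        self.nodes, self.phase = nodes, 0

    def phase1_distribute(self, new_anchor, new_identities):
        # Install the new anchor and certificate everywhere; keep initiating with the old ones.
        for n in self.nodes:
            n.trust_anchors.add(new_anchor)
            n.staged = new_identities[n.name]
        self.phase = 1

    def phase2_fire_drill(self):
        # Each node offers its staged identity to every other responder.
        failures = [(a.name, b.name) for a in self.nodes for b in self.nodes
                    if a is not b and not b.accepts(a.staged)]
        if not failures:
            self.phase = 2
        return failures

    def phase3_commit(self):
        # Switch only after a clean drill; old identities are marked for removal.
        if self.phase != 2:
            raise RuntimeError("fire drill not passed; refusing to switch identities")
        for n in self.nodes:
            n.retired.append(n.active)
            n.active, n.staged = n.staged, None
        self.phase = 3

def make_fleet():
    """Two nodes enrolled under the old CA, as constructed sample data."""
    return [Node("a", {"old-ca"}, ("a", "old-ca")), Node("b", {"old-ca"}, ("b", "old-ca"))]
```

A responder that missed phase 1 shows up as a fire-drill failure, and the commit is refused until it is fixed.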
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
