On Thu, Mar 18, 2021 at 08:22:44PM +0100, Eliot Lear wrote:
> > On 18 Mar 2021, at 19:58, Michael Richardson <[email protected]> wrote:
> > A pity that EST (and I think SCEP, but I haven't read it all), just returns
> > the resulting certificate, and not something more useful, like a JSON dict
> > that includes the certificate.
> >
> > RFC7030 has a 202, Retry-After, which could be used to tell the holder to
> > go away and come back later, but the intended use is not to say not now,
> > but rather, "I'm working on it".
>
> This is definitely a problem in a number of deployments. One aspect
> that people have to deal with is not so much the gross expiry time,
> but when it is convenient to take a risk of moving to a new cert. Of
> course you’re going to want to make that operation as bullet-proof as
> possible, but in some environments they want multiple levels of
> resilience. So scheduling does become an issue.

Can you elaborate on this? Is the issue validation path construction in
complex PKIs?

Nico
--

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
