Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:
    > I don't think that the IETF hasn't defined any CA/Registrar protocols,
    > other than the BRSKI drafts.

I'm curious about what part of RFC8995 makes you think that there is a
CA/Registrar protocol included... we would have liked to do this, but we
haven't.

    > It "used to be" that almost every CA that wanted to issue certificates
    > for enterprise customers had its own variety of Registrar
    > integration. You couldn't walk down any of the aisles of the RSA
    > conference and not bump into one. They were all custom, private. A
    > subset had protocols or APIs that let you plug your enterprise
    > identity system (e.g., ActiveDirectory) into their provisioning
    > system. I don't know if that kind of thing is still popular.

Yes, that's my experience as well.
That's why getting all the right stuff into the CSR is so important.

    > As for your earlier question, could a certificate end up having things
    > that weren't in the CSR? Yes. Often or always. The obvious ones are
    > issuer, validity period; sometimes keyUsage and extendedKeyUsage, the

and often policy OIDs and SCTs and ...
It's often this bloat that becomes really annoying when running protocols on
challenged networks.




--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide





_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
