Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:
> I don't think that the IETF hasn't defined any CA/Registrar protocols,
> other than the BRSKI drafts.

I'm curious about what part of RFC8995 makes you think that there is a CA/Registrar protocol included... we would have liked to do this, but we haven't.

> It "used to be" that almost every CA that wanted to issue certificates
> for enterprise customers had its own variety of Registrar
> integration. You couldn't walk down any of the aisles of the RSA
> conference and not bump into one. They were all custom, private. A
> subset had protocols or API's that let you plug your enterprise
> identity system (e.g., ActiveDirectory) into their provisioning
> system. I don't know if that kind of thing is still popular.

Yes, that's my experience as well. That's why getting all the right stuff into the CSR is so important.

> As for your earlier question, could a certificate end up having things
> that weren't in the CSR? Yes. Often or always. The obvious ones are
> issuer, validity period; sometimes keyUsage and extendedKeyUsage, the
> and often policy OIDs and SCTs and ...

It's often this bloat that becomes really annoying when running protocols on challenged networks.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima