Revisiting the constrained BRSKI discovery details, I stumbled across a generic discovery issue for which I would like to solicit opinions.
Please also add your thoughts about this to: https://github.com/anima-wg/brski-discovery/issues/4 (but discuss here first).

Question: How do we want to deal with certificate renewal/re-keying?

Do we assume by default that any discovered BRSKI (variation) proxy/registrar is capable of doing renewal? Technically this would not require new REST endpoints with EST, but I am not sure this is true across all alternative enrollment protocols. Is renewal working with PRM without changes? (If so we should write this).

When writing RFC8994, we did consider that not all existing EST servers would necessarily support BRSKI, and therefore instead of using AN_join_registrar, renewal was recommended to use SRV.est objective. We did not define an equivalent proxy objective though, because already enrolled pledges would not need to use a proxy but could always connect directly to a registrar.

Do we ever need renewal to go through a proxy?

Thanks
Toerless
