Section 10.2 needs some clarification. First, as the last paragraph points out, an enrollment server is not the only way to get a configuration document.
Secondly, as is buried in the middle paragraph, the DNS lookup is done when a URL is not provided. The intent was to allow as much flexibility as possible while still providing a standard way of locating configuration information. However, you're right that the section is really unclear.

Bruce

On Mon, Dec 21, 2009 at 3:53 AM, Frederic-Philippe Metz <[email protected]> wrote:
> Hi all,
>
> within the context of a centralized enrollment, I have some questions
> about rules and functionalities:
>
> Section 3.6.1 figures out that for first time setup, the user queries
> DNS on the overlay name and gets the address of a configuration
> server. The configuration server is then contacted and a configuration
> document is provided to the user, having the content of a bootstrap
> node and an enrollment server. The configuration document is described
> in section 10.1.
>
> Correct so far?
>
> But the user needs a certificate first. So Section 3.6.2 says that the
> user performs a connection to the enrollment server (with username/pw)
> to obtain a certificate (with node-id, etc.).
>
> Correct so far?
>
> In conflict to that, section 10.2 states that the address of the
> enrollment server is found with a DNS query, not with the content of a
> configuration document and, furthermore, the configuration document is
> downloaded from the enrollment server and the certificate, according to
> section 10.3, is assigned by a credential-server.
>
> Please help me clarify this conflict.
>
> From my understanding by now, there is:
>
> 1. initially one server providing a configuration document, including
> the bootstrap-nodes (and some other things for joining the overlay).
> The address is resolved by querying the overlay name.
> 2. The user then queries the service name p2psip_enroll and gets the
> address of an Enrollment server. The user performs a connection to get
> a certificate (with node-id etc.). This certificate is assigned by the
> enrollment server.
> 3. The user then joins the overlay with the given certificate.
>
> But this lacks some understanding of a credential-server and/or rules
> on the other elements/servers/functionalities.
>
> Regards,
> frederic
> _______________________________________________
> P2PSIP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/p2psip
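The discovery flow the thread is trying to pin down (configuration document first, enrollment-server URL taken from it when present, DNS consulted only when no URL is provided), modelled as an added Python example. This is illustration code written for this page, not code from the P2PSIP draft, from the mailing list, or from any RELOAD implementation. The element names in the sample configuration document, the `_p2psip-enroll._tcp.` SRV name (the thread only calls the service "p2psip_enroll"), the offline stub resolver, and the rule that the resulting enrollment URL must use https are all assumptions made for this example.

```python
"""Model of the bootstrap/enrollment discovery precedence discussed above.

Added illustration, not code from the draft or the list. The document
shape (<overlay> with <bootstrap-node address= port=> and an optional
<enrollment-server> URL) and the SRV service name are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed SRV name for the "p2psip_enroll" service mentioned in the thread.
ENROLL_SRV_PREFIX = "_p2psip-enroll._tcp."

SrvRecord = Tuple[int, int, int, str]          # (priority, weight, port, target)
SrvResolver = Callable[[str], List[SrvRecord]]


@dataclass
class OverlayConfig:
    overlay: str
    bootstrap_nodes: List[Tuple[str, int]] = field(default_factory=list)
    enrollment_url: Optional[str] = None


def parse_configuration(xml_text: str) -> OverlayConfig:
    """Pull bootstrap nodes and the optional enrollment-server URL out of
    a configuration document (assumed element names, see module docstring)."""
    root = ET.fromstring(xml_text)
    if root.tag != "overlay":
        raise ValueError("not a configuration document")
    cfg = OverlayConfig(overlay=root.attrib["instance-name"])
    for node in root.iter("bootstrap-node"):
        cfg.bootstrap_nodes.append((node.attrib["address"], int(node.attrib["port"])))
    es = root.find("enrollment-server")
    if es is not None and es.text and es.text.strip():
        cfg.enrollment_url = es.text.strip()
    return cfg


def url_ok(url: str) -> bool:
    """Username/password travel to the enrollment server, so insist on TLS."""
    return urlparse(url).scheme == "https"


def locate_enrollment_server(cfg: OverlayConfig, resolve_srv: SrvResolver) -> str:
    """Precedence as clarified in the thread: an explicit URL in the
    configuration document wins; DNS is only consulted when none is given."""
    if cfg.enrollment_url:
        url = cfg.enrollment_url
    else:
        records = resolve_srv(ENROLL_SRV_PREFIX + cfg.overlay)
        if not records:
            raise LookupError(f"no enrollment server found for {cfg.overlay}")
        _prio, _weight, port, target = sorted(records)[0]   # lowest priority first
        url = f"https://{target.rstrip('.')}:{port}/enroll"
    if not url_ok(url):
        raise ValueError(f"refusing non-TLS enrollment URL: {url}")
    return url


# Constructed sample documents (not taken from the draft).
CONFIG_WITH_URL = """<overlay instance-name="example.org">
  <bootstrap-node address="192.0.2.10" port="6084"/>
  <bootstrap-node address="192.0.2.11" port="6084"/>
  <enrollment-server>https://enroll.example.org/enroll</enrollment-server>
</overlay>"""

CONFIG_WITHOUT_URL = """<overlay instance-name="example.net">
  <bootstrap-node address="198.51.100.5" port="6084"/>
</overlay>"""

# Stand-in for a real SRV lookup so the example runs offline (constructed data).
FAKE_SRV = {
    "_p2psip-enroll._tcp.example.net": [(20, 0, 8443, "backup.example.net."),
                                         (10, 0, 8443, "enroll.example.net.")],
}


def fake_resolve_srv(name: str) -> List[SrvRecord]:
    return FAKE_SRV.get(name, [])


def discover(xml_text: str, resolve_srv: SrvResolver = fake_resolve_srv):
    """Full flow: parse the document, then locate the enrollment server."""
    cfg = parse_configuration(xml_text)
    return cfg.bootstrap_nodes, locate_enrollment_server(cfg, resolve_srv)


if __name__ == "__main__":
    for doc in (CONFIG_WITH_URL, CONFIG_WITHOUT_URL):
        nodes, url = discover(doc)
        print(nodes, "->", url)
```

Swapping `fake_resolve_srv` for a real SRV lookup is the only change needed to run this against live DNS; the precedence logic and the https check stay the same.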
