On 11/14/2012 02:44 PM, Dean Willis wrote:
>
> On Nov 9, 2012, at 10:37 AM, Dean Willis wrote:
>
>> AD asks:
>>
>> How is node key rollover done? Do I lose all stored data? I think you
>> need to make all those clear.
>>
>> So, what I think we're talking about is what happens to my data when my
>> certificate expires.
>>
>> Does my NodeID change?
>>
>> Is there a way to re-cert my stored data?
>>
>> What exactly is the process for refreshing the data I have stored?
>>
>> -- Dean
>
> I met with Cullen and EKR today, and here's what I think we have:
>
> If the NodeID cert expires, you lose all data stored with that NodeID. If
> we want to invent a "recertification" technique (Marc suggested that the CA
> can issue a new cert with the same NodeID) we can do that in a separate
> document.
>
> We will need to add a clarifying sentence to the draft.
My suggestion was not about "recertification" - I think that the current mechanism, which is to resend the data signed with the new certificate, is OK for now.

What I was talking about is the unfinished discussion from Vancouver, on how to renew a certificate so the Node-ID(s) previously allocated do not change when the certificate is renewed. The spec currently uses a server-side mechanism to "remember" the Node-IDs (which can be storage based or, as EKR suggested in Vancouver, hash based). The problem I see with this is the requirement that there is only one certificate per account, which can make things difficult, for example, if a user has multiple devices (with a device possibly hosting multiple nodes) but only one account. The user can request a multiple Node-ID certificate, but has to find a way to know which Node-ID(s) go into which devices.

My proposal was to use the previous certificate instead of the CSR when requesting a renewal. Because requesting a certificate with a CSR would return a different set of Node-IDs each time, a single account can be used on multiple devices. IMO that makes things easier for the client (can manage multiple devices from the same account) and for the server (no need to "remember" anything).
--
Marc Petit-Huguenin
Email: [email protected]
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
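To make the three enrollment options discussed in this thread concrete (fresh Node-IDs from a CSR, a hash-based server-side "memory", and renewal by presenting the previous certificate), here is an added Python model. It is example code written for this page, not code from the thread, the RELOAD draft, or any enrollment-server implementation. Its assumptions: certificates are simplified records authenticated with an HMAC under a server secret, standing in for X.509 certificates signed by the enrollment CA; the hash-based derivation HMAC(secret, account || index) is one plausible reading of the "hash based" memory, not the mechanism EKR described; and the 128-bit Node-ID length is taken from RFC 6940.

```python
"""Toy model of RELOAD enrollment-server Node-ID assignment and renewal.

Constructed example: certificates are dicts authenticated with an HMAC under
the server secret (stand-in for CA-signed X.509), and the hash-based Node-ID
derivation is an assumption, not the draft's wire format.
"""
import hashlib
import hmac
import json
import secrets

NODE_ID_BYTES = 16  # RFC 6940 Node-IDs are 128 bits


class EnrollmentServer:
    """Toy enrollment server / CA (constructed for this example)."""

    def __init__(self, secret=None):
        # One secret serves as the stand-in CA signing key and as the key for
        # the hash-based Node-ID memory; a real CA would keep these separate.
        self.secret = secret or secrets.token_bytes(32)
        self.serial = 0

    def _sign(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _verify(self, cert):
        body = {k: v for k, v in cert.items() if k != "sig"}
        return hmac.compare_digest(self._sign(body), cert.get("sig", ""))

    def _issue(self, account, pubkey, node_ids):
        self.serial += 1
        body = {"serial": self.serial, "account": account,
                "pubkey": pubkey, "node_ids": list(node_ids)}
        body["sig"] = self._sign(body)
        return body

    # 1. CSR-based enrollment: the server picks fresh random Node-IDs every time.
    def enroll_csr(self, account, pubkey, count=1):
        ids = [secrets.token_hex(NODE_ID_BYTES) for _ in range(count)]
        return self._issue(account, pubkey, ids)

    # 2. Hash-based memory (assumed form): Node-ID = HMAC(secret, account || index),
    #    stable per account with no server-side storage.
    def enroll_hashed(self, account, pubkey, count=1):
        ids = [hmac.new(self.secret, f"{account}:{i}".encode(),
                        hashlib.sha256).hexdigest()[:2 * NODE_ID_BYTES]
               for i in range(count)]
        return self._issue(account, pubkey, ids)

    # 3. Renewal by previous certificate: the old cert replaces the CSR; its
    #    Node-IDs are copied only after the CA signature on it is verified.
    #    (A deployment would also authenticate the account and check revocation.)
    def renew(self, old_cert, new_pubkey):
        if not self._verify(old_cert):
            raise ValueError("previous certificate was not issued by this CA")
        return self._issue(old_cert["account"], new_pubkey, old_cert["node_ids"])


def demo():
    """Run the three flows for one account with two devices; return the findings."""
    ca = EnrollmentServer()
    dev_a = ca.enroll_csr("alice", "pk-A-v1")
    dev_b = ca.enroll_csr("alice", "pk-B-v1")
    results = {}
    # CSR path: rolling the key yields a new Node-ID, so data stored under the
    # old Node-ID is orphaned.
    rolled = ca.enroll_csr("alice", "pk-A-v2")
    results["csr_keeps_node_id"] = rolled["node_ids"] == dev_a["node_ids"]
    # Hash path: stable per account, but both devices receive the same Node-ID.
    ha = ca.enroll_hashed("alice", "pk-A-v1")
    hb = ca.enroll_hashed("alice", "pk-B-v1")
    results["hash_keeps_node_id"] = (
        ha["node_ids"] == ca.enroll_hashed("alice", "pk-A-v2")["node_ids"])
    results["hash_devices_collide"] = ha["node_ids"] == hb["node_ids"]
    # Previous-cert path: each device keeps its own Node-ID under a new key.
    new_a = ca.renew(dev_a, "pk-A-v2")
    new_b = ca.renew(dev_b, "pk-B-v2")
    results["renew_keeps_node_id"] = (new_a["node_ids"] == dev_a["node_ids"]
                                      and new_b["node_ids"] == dev_b["node_ids"])
    results["renew_devices_distinct"] = new_a["node_ids"] != new_b["node_ids"]
    results["renew_new_key"] = new_a["pubkey"] == "pk-A-v2"
    # A client cannot choose its own Node-ID by editing the old certificate,
    # because the CA signature over the presented certificate no longer verifies.
    forged = dict(dev_a, node_ids=["00" * NODE_ID_BYTES])
    try:
        ca.renew(forged, "pk-X")
        results["forgery_rejected"] = False
    except ValueError:
        results["forgery_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `renew` path is the property the thread is after: the signature check on the presented certificate is what lets the server trust the carried-over Node-IDs without storing anything, so everything the server relies on at renewal time (the CA check, the account binding in the old certificate, and in practice expiry and revocation status) has to be verified before the Node-IDs are copied.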
