Just opened an issue on GitHub based on our discussion. Hope this makes sense.

https://github.com/anima-wg/anima-brski-prm/issues/82

From today's BRSKI meeting discussion, I learned:

Registrar-agents should be supported on mobile devices such as (I guess) iOS/Android/Windows portable devices: smartphones/tablets/notebooks.

The TLS libraries often available on these OSs only allow verifying certificates if these are web certificates, e.g.: if the certificate includes some IP-address and/or DNS-name identity that can be matched, and (I am also guessing) they are signed by a WebPKI CA (for which the OS has the mechanisms in place to retrieve/update the CA). If instead the server has only a private PKI, it may potentially be necessary to include in an app a non-OS-based TLS library, which is highly undesirable.

PRM relies on TLS for the registrar-agent (as initiator) to connect to a registrar (as TLS/HTTPS server). In BRSKI, there is no expectation for the registrar to have a WebPKI certificate. Instead, the assumption was that it could/would only need to have a domain certificate, and the domain certificate in many domains, such as ACP or likely also many brski-prm use cases, can only be a private certificate chain (see e.g. the explanation of the requirements why this is so in RFC8994).

In conclusion, I suggest: I think the PRM draft should include text like this:

If the domain certificate chain is not a WebPKI chain, then the registrar SHOULD have an additional WebPKI certificate (some RFC reference here would help) easily supported by the OS-supported TLS libraries in the OSs intended to be used for registrar-agents. Registrar-agents MUST support configuration or discovery of registrar(s) by DNS name, and DNS resolution, to connect to the registrar.

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
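The identity-matching step the message describes (the OS TLS stack only accepts a registrar certificate whose SAN carries the DNS name or IP address the agent connects to), as an added illustration that is not part of the mail or the draft; the certificate dicts, the `registrar.example.com` name and the 192.0.2.10 address are constructed, and `agent_tls_context` is a hypothetical helper showing the two trust-store choices (OS store vs. a provisioned private domain CA bundle).

```python
"""Registrar-agent side server-identity check (constructed example, not draft text)."""
import ipaddress
import ssl
from typing import Optional


def _dns_label_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match: exact, or a single wildcard covering only the left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    parent = pattern[2:]
    head, sep, rest = name.partition(".")
    # the wildcard must stand for exactly one non-empty label and never match the bare parent
    return sep == "." and head != "" and rest == parent and "*" not in parent


def registrar_identity_matches(peercert: dict, target: str) -> bool:
    """True if the presented cert carries a SAN for the DNS name or IP address the
    agent was configured with. A cert with no usable SAN (CN only) is rejected,
    which is what OS TLS stacks do with a typical private domain certificate."""
    try:
        target_ip: Optional[ipaddress._BaseAddress] = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in peercert.get("subjectAltName", ()):
        if target_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        elif target_ip is None and kind == "DNS" and _dns_label_match(value, target):
            return True
    return False


def agent_tls_context(private_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for a registrar-agent. With no cafile the OS trust store is
    used (WebPKI registrar cert); with a provisioned private domain CA bundle only
    that bundle is trusted. Hostname/IP matching stays on in both cases."""
    ctx = ssl.create_default_context(cafile=private_ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert() returns
WEBPKI_REGISTRAR_CERT = {"subjectAltName": (("DNS", "registrar.example.com"), ("IP Address", "192.0.2.10"))}
PRIVATE_CN_ONLY_CERT = {"subject": ((("commonName", "registrar"),),)}
```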