On 11 Feb 2014, at 3:23 am, Roque Gagliano (rogaglia) <[email protected]>
wrote:
>
> I believe you should use Section 3.2 of
> draft-ietf-sidr-multiple-publication-points as a starting point. As you can
> see the recommended behaviour is to select a rule to fetch the TA certificate
> and stop when you fetch one that matches the TAL public key.
> 3.2. Rules for Relying Parties (RP)
>
> An RP can use different rules to select the URI from which to fetch the
> Trust Anchor certificate. Some examples are:
>
> o Using the order provided in the TAL file
>
> o Selecting the URI randomly from the available list
>
> o Creating a prioritized list of URIs based on RP specific
> parameters such as connection establishment delay
>
> If the connection to the preferred URI fails or the fetched
> certificate public key does not match the TAL public key, the RP
> SHOULD fetch the TA certificate from the next URI of preference.
I'll add the following to the text in section 3, and re-submit this as a -01
draft. (I hope that the WG adoption process does not get confused by this
change - is this ok, WG chairs?)
In the case where a TAL contains multiple URIs, an RP may use a locally
defined preference rule to select the URI from which to fetch the Trust
Anchor certificate. Some examples are:
o Using the order provided in the TAL
o Selecting the URI randomly from the available list
o Creating a prioritized list of URIs based on RP specific
parameters, such as connection establishment delay
If the connection to the preferred URI fails, or the fetched CA
certificate public key does not match the TAL public key, the RP
SHOULD fetch the CA certificate from the next URI, according to the
local preference ranking.
Geoff
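The RP behaviour described in the thread (try the TAL's URIs in a locally chosen order, stop at the first certificate whose public key matches the TAL, otherwise move on) as a worked example. This is added illustration, not code from the draft or from any RP implementation. It assumes a TAL in the RFC 6490 layout (URI lines, a blank line, base64 subjectPublicKeyInfo), models the three example ordering rules from the text, and replaces the network fetch with a constructed in-memory repository so it runs offline; the URIs and key bytes are placeholders, not real trust anchor data.

```python
import base64
import random
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder key material (constructed, not a real RIR key). The TAL carries
# the DER subjectPublicKeyInfo; the RP compares the fetched certificate's SPKI
# against it byte for byte.
TAL_KEY = b"placeholder-spki-der-of-the-trust-anchor"
OTHER_KEY = b"placeholder-spki-der-of-some-other-key"

# Constructed TAL: three candidate URIs, blank line, base64 SPKI.
SAMPLE_TAL = (
    "rsync://example-rir.invalid/ta/ta.cer\n"
    "https://example-rir.invalid/ta/ta.cer\n"
    "rsync://mirror.example-rir.invalid/ta/ta.cer\n"
    "\n"
    + base64.b64encode(TAL_KEY).decode()
)


def parse_tal(text: str) -> Tuple[List[str], bytes]:
    """Split a TAL into its ordered URI list and the decoded SPKI bytes."""
    lines = [ln.strip() for ln in text.splitlines()]
    if "" not in lines:
        raise ValueError("TAL is missing the blank line before the key")
    sep = lines.index("")
    uris = [u for u in lines[:sep] if u]
    key_b64 = "".join(lines[sep + 1:])
    if not uris or not key_b64:
        raise ValueError("TAL needs at least one URI and a public key")
    return uris, base64.b64decode(key_b64, validate=True)


# --- the three example preference rules from the draft text -----------------

def in_tal_order(uris: List[str]) -> List[str]:
    """Rule 1: use the order given in the TAL."""
    return list(uris)


def random_order(uris: List[str], rng: Optional[random.Random] = None) -> List[str]:
    """Rule 2: pick URIs in a random order (seedable for reproducible tests)."""
    out = list(uris)
    (rng or random).shuffle(out)
    return out


def by_measured_delay(uris: List[str], delay_of: Callable[[str], float]) -> List[str]:
    """Rule 3: prioritise by an RP-specific measurement such as connect delay."""
    return sorted(uris, key=delay_of)


# --- the fetch-and-verify loop ---------------------------------------------

def select_trust_anchor(uris, tal_key, fetch, order=in_tal_order):
    """Fetch candidates in preference order; accept the first whose SPKI equals
    the TAL key. Returns (uri, cert, attempts); uri is None if none matched.
    Every rejected candidate is recorded with its reason for operator logs."""
    attempts: List[Tuple[str, str]] = []
    for uri in order(uris):
        try:
            cert = fetch(uri)
        except OSError as exc:
            attempts.append((uri, f"fetch failed: {exc}"))
            continue
        if cert["spki"] != tal_key:
            # A certificate that chains fine but carries a different key is
            # still rejected: the TAL key, not the URI, defines the anchor.
            attempts.append((uri, "public key mismatch"))
            continue
        return uri, cert, attempts
    return None, None, attempts


# Constructed repository standing in for rsync/https: first URI unreachable,
# second serves a certificate with the wrong key, third matches the TAL.
CONSTRUCTED_REPO: Dict[str, Dict[str, bytes]] = {
    "https://example-rir.invalid/ta/ta.cer": {"spki": OTHER_KEY},
    "rsync://mirror.example-rir.invalid/ta/ta.cer": {"spki": TAL_KEY},
}


def constructed_fetch(uri: str) -> Dict[str, bytes]:
    """Stand-in for the network fetch; unknown URIs behave as connection failures."""
    if uri not in CONSTRUCTED_REPO:
        raise OSError("connection refused")
    return CONSTRUCTED_REPO[uri]


def run_in_tal_order():
    uris, key = parse_tal(SAMPLE_TAL)
    return select_trust_anchor(uris, key, constructed_fetch)


if __name__ == "__main__":
    uri, cert, attempts = run_in_tal_order()
    for u, why in attempts:
        print(f"rejected {u}: {why}")
    print("trust anchor taken from:", uri)
```

The loop compares the whole SPKI rather than a key identifier, and a mismatch is treated exactly like a failed connection: the RP moves on and records why. Keeping that `attempts` list is what lets an operator notice a publication point that is reachable but serving a certificate for a key the TAL does not name.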
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr