Hi Esko,

We can add a reference to sections 3.1 and 3.2.2 of RFC 7030.

Peter
Panos Kampanakis (pkampana) wrote on 2018-09-12 17:31:

> Hi Esko, 
> 
> Thanks for the comment.
> 
> Certificate authorities use the ArbitraryLabel in order to direct the CSR
> request and issue certificates based on a certain policy / cert profile. For
> example, if you are ClientX you get label ClientX198282 and when you hit the
> CA HTTP URI .well-known/est/ClientX198282/sen the CA knows to use the policy
> for ClientX in order to issue a certificate. Of course, someone that has
> deployed an on-prem CA that has the same cert profile for all endpoints will
> not need an arbitrary label and the default EST namespace is enough.
> 
> So, even though coaps://www.example.com/.well-known/est/<short-est> would
> work for many cases, we needed to keep the
> coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est> as well
> for cases where the client is getting a cert from a CA that serves more than
> one cert profile. We may need to specify that the label should be as short as
> possible, even though it is kind of self-explanatory.
> 
> I hope it makes sense. 
> 
> Panos 
> 
> From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Esko Dijk
> Sent: Wednesday, September 12, 2018 11:10 AM
> To: ace@ietf.org
> Subject: [Ace] ace-coap-est: unclear definition of /.well-known/est URI
> 
> Dear all/authors of ace-coap-est, 
> 
> Section 5 of ace-coap-est-05 indicates URI discovery is possible to find the
> EST functions entry point URI. Also a well-known URI is defined:
> 
> coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est>.
> 
> This URI seems more complicated than needed? What if we simply define an 
> always-available well-known URI, usable without any discovery: 
> 
> coaps://www.example.com/.well-known/est/<short-est>
> 
> This re-uses the well-known EST namespace which is exactly defined to do EST 
> functions. So using the short-est names within this namespace should be fine. 
> 
> It is important that a well-known URI is available that is usable without 
> discovery, just like EST RFC 7030 defines it for https. 
> 
> The "ArbitraryLabel" only makes the URI longer. 
> 
> Best regards,
> 
> Esko Dijk 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
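To make the routing behaviour discussed in this thread concrete, here is an added example (not code from the draft or from either poster) of a server-side resolver that accepts both URI forms, `/.well-known/est/<short-est>` and `/.well-known/est/<ArbitraryLabel>/<short-est>`, and maps the label to a certificate profile. The short-name set beyond `sen`, the label table and the profile names are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Short EST function names assumed to be served. Only "sen" appears in the
# thread; the others follow the draft's short-name convention (assumed here).
SHORT_EST = {"crts", "sen", "sren", "skg", "att"}

# Constructed ArbitraryLabel -> certificate profile table. The label only
# selects a profile; it is not an authenticator, so the CA must still check
# the DTLS-authenticated client identity against the chosen profile.
LABEL_TO_PROFILE = {"ClientX198282": "clientx-policy"}
DEFAULT_PROFILE = "default-policy"  # used when no label is present

WELL_KNOWN = "/.well-known/est"


def route(uri: str):
    """Resolve an EST-coaps well-known URI to (profile, short_est).

    Returns None when the URI is not a coaps well-known EST path, the
    function name is unknown, or the label is not provisioned. An unknown
    label deliberately does not fall back to the default profile, so a
    mistyped or guessed label cannot silently obtain the default policy.
    """
    parts = urlsplit(uri)
    if parts.scheme != "coaps" or not parts.path.startswith(WELL_KNOWN + "/"):
        return None
    segments = [s for s in parts.path[len(WELL_KNOWN) + 1:].split("/") if s]
    if len(segments) == 1:           # /.well-known/est/<short-est>
        label, func = None, segments[0]
    elif len(segments) == 2:         # /.well-known/est/<label>/<short-est>
        label, func = segments
    else:
        return None
    if func not in SHORT_EST:
        return None
    if label is None:
        return DEFAULT_PROFILE, func
    profile = LABEL_TO_PROFILE.get(label)
    if profile is None:
        return None
    return profile, func
```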
