Hi Esko,
We can add a reference to sections 3.1 and 3.2.2 of RFC 7030.
Peter
Panos Kampanakis (pkampana) schreef op 2018-09-12 17:31:
> Hi Esko,
>
> Thanks for the comment.
>
> Certificate authorities use the ArbitraryLabel in order to direct the CSR
> request and issue certificates based on a certain policy / cert profile. For
> example, if you are ClientX you get label ClientX198282 and when you hit the
> CA HTTP URI .well-known/est/ClientX198282/sen the CA knows to use the policy
> for ClientX in order to issue a certificate. Of course, someone that has
> deployed an on-prem CA that has the same cert profile for all endpoints will
> not need an arbitrary label and the default EST namespace is enough.
>
> So, even though coaps://www.example.com/.well-known/est/<short-est> would
> work for many cases, we needed to keep the
> coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est> as well
> for cases where the client is getting a cert from a CA that serves more than
> one cert profile. We may need to specify that the label should be as short as
> possible, even though it is kind of self-explanatory.
>
> I hope it makes sense.
>
> Panos
>
> From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Esko Dijk
> Sent: Wednesday, September 12, 2018 11:10 AM
> To: ace@ietf.org
> Subject: [Ace] ace-coap-est: unclear definition of /.well-known/est URI
>
> Dear all/authors of ace-coap-est,
>
> Section 5 of ace-coap-est-05 indicates URI discovery is possible to find the
> EST functions entry point URI. Also a well-known URI is defined:
>
> coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est>.
>
> This URI seems more complicated than needed? What if we simply define an
> always-available well-known URI, usable without any discovery:
>
> coaps://www.example.com/.well-known/est/<short-est>
>
> This re-uses the well-known EST namespace which is exactly defined to do EST
> functions. So using the short-est names within this namespace should be fine.
>
> It is important that a well-known URI is available that is usable without
> discovery, just like EST RFC 7030 defines it for https.
>
> The "ArbitraryLabel" only makes the URI longer.
>
> best regards
>
> Esko Dijk
>
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
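The two path forms discussed in this thread, the plain well-known namespace and the ArbitraryLabel form that lets a CA pick a certificate profile, can be handled by one small dispatcher. The following is an added illustration, not code from the draft or from any of the authors; it assumes a conservative label syntax, a fixed set of short EST function names (only "sen" is on this thread, the rest are assumed), and a constructed label-to-profile table. The security-relevant point it shows is that the label is a routing key, not a trust signal: an unregistered label is refused rather than mapped to a default profile.

```python
import re
from typing import Optional, Tuple

# Short EST-coaps function names. "sen" appears in the thread; the others are
# assumed here and would be replaced by whatever the deployed draft version defines.
SHORT_EST = {"crts", "sen", "sren", "skg", "att"}

# Constructed example: labels this CA has provisioned, mapped to a cert profile.
LABEL_PROFILES = {"ClientX198282": "ClientX-device-profile"}
DEFAULT_PROFILE = "default-profile"   # used for the plain /.well-known/est/<short-est> form

# Assumed label syntax: short, single path segment, no separators or percent-escapes.
_LABEL_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def parse_est_path(path: str) -> Tuple[Optional[str], str]:
    """Split an EST-coaps URI path into (label or None, short-est function).

    Accepts exactly two shapes:
      /.well-known/est/<short-est>
      /.well-known/est/<ArbitraryLabel>/<short-est>
    Anything else (wrong prefix, extra segments, empty label, unknown
    function) raises ValueError so the caller never guesses a profile.
    """
    parts = path.split("/")
    if len(parts) < 4 or parts[0] != "" or parts[1] != ".well-known" or parts[2] != "est":
        raise ValueError("path is not under /.well-known/est")
    rest = parts[3:]
    if len(rest) == 1:
        label, func = None, rest[0]
    elif len(rest) == 2:
        label, func = rest
        if not _LABEL_RE.match(label):
            raise ValueError("malformed ArbitraryLabel")
    else:
        raise ValueError("unexpected path depth")
    if func not in SHORT_EST:
        raise ValueError("unknown EST function")
    return label, func


def select_profile(path: str) -> Tuple[str, str]:
    """Return (cert profile, EST function) for a request path.

    No label -> default profile. Known label -> its profile. Unknown label ->
    refused; the CA must not silently issue under the default policy for a
    label it never provisioned.
    """
    label, func = parse_est_path(path)
    if label is None:
        return DEFAULT_PROFILE, func
    if label not in LABEL_PROFILES:
        raise ValueError("unregistered ArbitraryLabel")
    return LABEL_PROFILES[label], func


def is_valid_est_path(path: str) -> bool:
    """Convenience predicate: True if select_profile() would accept the path."""
    try:
        select_profile(path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("/.well-known/est/sen",
              "/.well-known/est/ClientX198282/sen",
              "/.well-known/est/Unknown/sen",
              "/.well-known/est/a/b/sen"):
        print(p, "->", select_profile(p) if is_valid_est_path(p) else "rejected")
```

Rejecting unregistered labels outright keeps the short default form usable without discovery, as Esko asks, while preserving the label-based profile selection Panos describes; a label that reaches the CA but is not in its table is treated as a client error, never as "use the default profile".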