Jim Schaad <i...@augustcellars.com> wrote:
    > Section 11.1 - When changing from the implicit trust anchor to explicit
    > trust anchors, do you expect that the est server that you are going to
    > be talking to is generally going to change?  I think that it should
    > probably be recommended that the DTLS connection NOT be persistent
    > across a change in the trust anchors if they are different.

I'm trying to understand the question better.

To be clear:
   - implicit trust anchors -- what the device was built with.
   - explicit trust anchors -- what is returned from /cacerts|/crts

So after calling /cacerts, the client now can authenticate an EST server
with the domain registrar.  Beforehand, it has to use something built-in.

I think you are asking about whether or not the server identification
(certificate) is different in the two cases?  If we could be sure that
a different EST server would be used for renewals of the certificate
(LDevID), then that EST server could have a locally anchored certificate.

I don't think we want to force this change of servers, so we must be
prepared for a single EST server to do both initial enrollment and also
renewal.

@Hannes, it would be good to have your opinion here.

This problem can be solved with correct use of SNI extension in DTLS,
but it is unclear how much detail we need to be explicit about.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
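The implicit/explicit anchor switch discussed above, modelled as an added example (not code from the thread or from any EST implementation). The certificate and session model is deliberately simplified and the names `MASA-CA`, `Registrar-CA` and `est.example` are constructed: a chain "validates" when one of its certificates names an issuer in the active anchor set, and a DTLS session remembers which anchor set it was authenticated under, so it is never reused once `/cacerts` has replaced the anchors.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed, simplified model: a certificate carries only subject and issuer,
# and validation only checks that the chain reaches an active trust anchor.
# A real EST client would also verify signatures, names and validity periods.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

@dataclass(frozen=True)
class DtlsSession:
    server: str
    anchors: FrozenSet[str]  # anchor set the server cert was validated against

class EstClient:
    def __init__(self, implicit_anchors: List[str], chains: Dict[str, List[Cert]]):
        self.implicit = frozenset(implicit_anchors)      # built into the device
        self.explicit: Optional[FrozenSet[str]] = None   # learned from /cacerts
        self.session: Optional[DtlsSession] = None
        self.chains = chains  # constructed: server name -> chain, leaf first

    @property
    def active_anchors(self) -> FrozenSet[str]:
        return self.explicit if self.explicit is not None else self.implicit

    @staticmethod
    def _validates(chain: List[Cert], anchors: FrozenSet[str]) -> bool:
        return any(c.issuer in anchors for c in chain)

    def connect(self, server: str) -> DtlsSession:
        # Reuse a session only if it was authenticated under the anchors
        # that are active right now; otherwise handshake again.
        if (self.session is not None and self.session.server == server
                and self.session.anchors == self.active_anchors):
            return self.session
        if not self._validates(self.chains[server], self.active_anchors):
            raise ValueError(f"{server} not trusted under {sorted(self.active_anchors)}")
        self.session = DtlsSession(server, self.active_anchors)
        return self.session

    def cacerts(self, server: str, returned: List[str]) -> None:
        # /cacerts is fetched over a session validated with the implicit
        # anchors; once the explicit set differs, that session is dropped.
        self.connect(server)
        self.explicit = frozenset(returned)
        if self.explicit != self.implicit:
            self.session = None  # next connect() must re-authenticate
```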
