Fries, Steffen <[email protected]> wrote:
> Sorry for the late reply on this. There is probably one fits all
> answer for this. The reason is that the enrollment protocols are
> defined differently in that respect.
> - EST does not provide it out of the box, this was the reason to have it in BRSKI
> - CMP provides a certificate confirmation message (certConf).
> - CMC provides a confirmation message with the Confirm Certificate Acceptance Control
> - SCEP explicitly mentions the lack of the certificate confirmation
>   message in the security consideration section
> - ACME seems to not provide it either.
>
> Given that it would make sense to move it to /brski to make it
> independent from EST.
Interesting.
So when doing CMP or CMC, would there be two confirmations?
> Based on the assumption that CMP and CMC provide the signature wrapping
> without limitations and also support certificate confirmation messages,
> it seems to be only applicable to EST (simpleenroll or fullcmc). That
> would rather indicate to keep "/.well-known/est/enrollstatus" as is.
okay.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
