On Mon, May 02, 2022 at 01:22:33PM -0400, Michael Richardson wrote:
> > How about cert renewal, did you folks discuss if this would ever be something
> > pledges would want to do through the proxy? In the case of ACP we did.
>
> Nope, never. Just like in BRSKI.

Just for the fun of it, I just registered the service name est-coaps against RFC9148 with IANA yesterday, like Jack registered "est" against RFC7030 a decade afterwards. That should/could then be used for constrained networks to use any working (*grin*) discovery for automatic cert renewal, which to me is equally important to bootstrap. See for example RFC8994 for SRV.est for how ACP defines to do this with EST/RFC7030 (via GRASP).

A lot more disappointed that RFC9148 didn't care about DNS-SD discovery than back when RFC7030 was written, but I guess they probably think their CoAP group communications discovery is better. Except that neither one works for L3 network multicast IMHO (I am getting no response to that request I sent, meaning at least nobody knows or cares), and CoAP does not provide unicast discovery like DNS-SD from all I know.

I really wonder how networks using RFC9148 intend to automate renewal, even absent automated secure bootstrap. I bet there is not going to be any interop requirement anyhow, and vendors are just hacking in some well-known DNS name for EST servers (est-server.<domain>) and ultimately do rely on unicast DNS.

Oh well...

Toerless

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
