Maybe we are perceiving different issues.

The issue I am talking about is that Registrars (Cloud or Owner) and MASA may be
installed in a cloud environment where the SNI "server_name" extension in the
ClientHello is necessary for the Registrar/MASA to be addressed. This happens
when multiple virtual servers, with different domain names and, for each domain
name, potentially a different certificate, share a single IP address. The SNI is
then used by the cloud infrastructure to demux the incoming ClientHello to the
right application.

Cheers
Toerless
On Tue, Jan 30, 2024 at 11:39:30PM -0500, Michael Richardson wrote:
>
> Toerless Eckert <[email protected]> wrote:
> > I am not sure what to do about this in general, but I think the really
> > important issue is that we ask for support of SNI in BRSKI cloud to
> > support actual cloud deployment (with shared IP address) of registrars,
> > when pledges only have TLS 1.2 - because RFC8995 did not require it.
>
> > So, I did open: https://github.com/anima-wg/brski-cloud/issues/134
>
> I replied. There is no SNI issue.
> We actually thought it all through, and that errata was the result.
>
> There is a potential issue in 3.3.1 that reading the issue made me think
> about. But, it's not an SNI issue. It's an Implicit Trust Anchor or not issue.
>
> --
> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide