Deb Cooley <[email protected]> wrote:
> In my world (government PKI systems), the RA doesn't get to do that.
> Either the CSR is accepted or it is rejected. The CA has a profile it
> follows, if the CSR is missing things, the CA adds them before the
> certificate is signed. The RA can do none of that.

I suspected this was the case: that the override by RA was all theoretical.

However, in another thread, I was pointed to:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm-pca.html#ACMPCA.Client.issue_certificate
as an example of an RA->CA API. But, upon reading it, it seems to really just
be a way to invoke the CA signing action via RPC.
Maybe that's a quibble RPC vs protocol-level API.

> In our case, most RAs
> are actually people, so there can be a back channel to the requestor which
> can be used to sort it all out.

hah. "civil serpents" ... which slither through the back channels of government.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
