Hi, Owen, Rifaat and I met this week to deal with the review comments from Russ and Mike. Again, our apologies for missing your review last fall. (I wish the reviews could go into an issue tracking system directly. It's not the first time I've missed a sector review like this.)

https://github.com/anima-wg/brski-cloud/issues?q=is%3Aissue%20 gives you a list of all issues, including closed. Your issues are prefixed with "mo:" (We goofed and created two copies. Ignore Mike: ones.) Older ones, down to #172, are for Russ' comments. You can see the pull request that reflected the pull request afterwards.

Owen is working on one more PR with nits, and then we'll post the revised I-D.

A couple of points that we clarified in response to your comments about how one has to reach an EST server at some point:

1. *Cloud Registrars* do BRSKI-EST for use case two, but never offer EST (7030) operations.
2. All full BRSKI Registrars are also EST servers.

You commented about section 9.2/9.3 in issue:
https://github.com/anima-wg/brski-cloud/issues/202
but we never had a section 9. We tried applying the thoughts to section 8.2/8.3

    8.2. Trust Anchors for Cloud Registrar
    8.3. Considerations for HTTP Redirect

but we failed. We did make changes to those sections which you'll see in the diff.

https://github.com/anima-wg/brski-cloud/issues/206

> *****Section 4.2: “The Pledge must verify that the issued certificate in
> step 7 has the expected identifier obtained from the Cloud Registrar/MASA
> in step 3.” I feel like this needs to describe some error handling. If it
> does not contain the expected identifier, then what is the Pledge supposed
> to do? Is it supposed to discard the cert and start over? Is it supposed to
> trigger revocation of the mis-issued cert? If so, how?

We discussed this and decided that the right answer is to remove the sentence entirely. EST servers and CAs are allowed to ignore stuff in the CSR, given that they might know better... so any check that the Pledge makes is probably inappropriate. Does anyone check if the public key is correct?

If you or the WG likes, I can reply to your original review citing specific sections/PRs for our activity.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Anima mailing list -- anima@ietf.org To unsubscribe send an email to anima-le...@ietf.org