Closed by cristian-recoseanu 4 years ago
Initially this sounds like a role for Node 'services' or 'tags', but of course Registries, Authorization Servers or System APIs may also support BCP-003-03. Authorization Servers in particular are challenging as the API structure is externally defined.
One option would be to solve the problem purely for Nodes as these are most prevalent and would be more likely to be 'missed'.
It sounds sensible to cover Nodes; I will look at creating a PR for Nodes to advertise that they support Automated Certificate Provisioning.
This, however, would not replace the need for a monitoring system to check for certificates close to expiry on Nodes/Registries/Authorization Servers/System APIs, whether they support Automated Certificate Provisioning or not.
Examined on call. Further work planned.
The question is more to do with visibility of which nodes implement BCP-003-03 in an NMOS system. If you assume your entire system is BCP-003-03, but in fact you still have manually configured nodes which require certificates to be manually provisioned, then you might end up in a situation where some endpoints fail because of expired certificates. Having some means of identifying which nodes implement BCP-003-03 seems beneficial, as you would immediately also know which ones don't and require manual intervention.