"6.3.3. Pledge: Wrapped-CA-Certificate(s) Processing" - rewrite

[siethower]

Comment from Toerless to section 6.3

6.3.3.  Pledge: Wrapped-CA-Certificate(s) Processing   2088       The registrar-agent SHALL provide the set of CA certificates 2089       requested from the registrar to the pledge by HTTP POST to the 2090       endpoint: "/.well-known/brski/cc".   2092       As the CA certificate provisioning is crucial from a security 2093       perspective, this provisioning SHALL only be done, if the voucher- 2094       response has been successfully processed by pledge.   Well.... i don't think this is good text. The registrar-agent can always try to provide CA certificates if it wants to enroll the pledge. Its the pledge that would reject this if the voucher was not previously successfully accepted by the pledge. Aka: there is no harm in the registrar-agent trying, but if you accept the consideration from my major after line 2084, then one could write that the registrar-agent SHOULD only send  the CA-certificates (like the following pledge certificate) after having received a successful voucher telemetry from the pledge.

[stfries]

okay, true, the error handling should be on the pledge side. Proposal to replace "As the CA certificate provisioning is crucial from a security perspective, this provisioning SHALL only be done, if the voucher-response has been successfully processed by pledge." with "As the CA certificate provisioning is crucial from a security perspective, this provisioning SHOULD only be done, if the voucher-response has been successfully processed by pledge as reflected in the voucher status telemetry."

Can be closed

[stfries]

Included as proposed