anima-wg / anima-brski-prm

ANIMA BRSKI Pledge in Responder Mode

"pledge-status response" - handling #111

Closed siethower closed 1 year ago

siethower commented 1 year ago

Comment from Toerless to section 6.4

2420       The pledge-status response message is signed with IDevID or LDevID,
2421       depending on bootstrapping state of the pledge.

I think earlier in the text in this section you said only LDevID.

There is also the question as to whether or not the pledge wants to divulge the status to anybody. I remember that even as much as 5 years ago we had to limit LLDP information from network devices to prohibit unauthenticated status visibility. So it might make sense to say that the pledge SHOULD by default only answer to nodes that they can authenticate (such as registrar agents), once the pledge is enrolled with CA certificates and matching domain certificate.

stfries commented 1 year ago

Issue 1: "I think earlier in the text in this section you said only LDevID.": No, that related to the Request, which is signed by LDevID(RegAgt)

Issue 2: "There is also the question as to whether or not th pledge wants to divulge the status to anybody. ..." Proposal to add to the end of section 6.4.1: "The pledge SHOULD by default only respond to nodes that they can authenticate (such as registrar agent), once the pledge is enrolled with CA certificates and matching domain certificate as outlined in section 6.4.2."

stfries commented 1 year ago

Included slightly adapted text: The pledge SHOULD by default only respond to requests from nodes it can authenticate (such as registrar agent), once the pledge is enrolled with CA certificates and a matching domain certificate.
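The two rules discussed in this thread (the response is signed with IDevID before enrollment and LDevID after it, and an enrolled pledge by default only answers requesters it can authenticate against its installed domain CA) can be modelled as a small decision function. The code below is an added illustration, not code from the draft or from this repository; the `Pledge` and `StatusRequest` structures, the `respond_to_unauthenticated` knob and the issuer-name matching are simplifications chosen for the example, and real signature verification is abstracted into a boolean.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class BootstrapState(Enum):
    UNENROLLED = "unenrolled"   # pledge holds only its IDevID, no domain trust anchors yet
    ENROLLED = "enrolled"       # pledge holds an LDevID plus the domain CA certificates


@dataclass(frozen=True)
class Pledge:
    state: BootstrapState
    # Issuer names of the domain CA certificates installed during enrollment
    # (hypothetical representation; a real pledge would hold the certificates).
    trusted_domain_cas: FrozenSet[str]
    # The SHOULD in the thread is the default; an operator may consciously relax it.
    respond_to_unauthenticated: bool = False


@dataclass(frozen=True)
class StatusRequest:
    # Issuer of the certificate that signed the pledge-status request; None if unsigned.
    signer_issuer: Optional[str]
    # Stand-in for the outcome of verifying the request signature (assumed, not computed here).
    signature_valid: bool


def signing_credential(pledge: Pledge) -> str:
    """Credential used to sign the pledge-status response, by bootstrapping state."""
    return "LDevID" if pledge.state is BootstrapState.ENROLLED else "IDevID"


def requester_authenticated(pledge: Pledge, req: StatusRequest) -> bool:
    """A requester counts as authenticated only when its signature verifies and the
    signing certificate chains to a domain CA the pledge installed at enrollment."""
    if req.signer_issuer is None or not req.signature_valid:
        return False
    return req.signer_issuer in pledge.trusted_domain_cas


def handle_status_request(pledge: Pledge, req: StatusRequest) -> Tuple[bool, Optional[str]]:
    """Decide whether to answer a pledge-status request and with which credential.

    Returns (responded, credential). Before enrollment the pledge has no domain
    trust anchors and cannot authenticate anyone, so the restriction only applies
    once it is enrolled, exactly as the proposed text says ("once the pledge is
    enrolled with CA certificates and a matching domain certificate").
    """
    if pledge.state is BootstrapState.ENROLLED:
        if not requester_authenticated(pledge, req) and not pledge.respond_to_unauthenticated:
            # Default: do not divulge status to an unauthenticated requester.
            return (False, None)
    return (True, signing_credential(pledge))


def demo() -> None:
    # Constructed sample values; the CA names are placeholders.
    enrolled = Pledge(BootstrapState.ENROLLED, frozenset({"CN=Example Domain CA"}))
    unenrolled = Pledge(BootstrapState.UNENROLLED, frozenset())
    cases = [
        ("enrolled, registrar agent under domain CA", enrolled,
         StatusRequest("CN=Example Domain CA", True)),
        ("enrolled, unsigned request", enrolled, StatusRequest(None, False)),
        ("enrolled, signed under foreign CA", enrolled, StatusRequest("CN=Other CA", True)),
        ("unenrolled, unsigned request", unenrolled, StatusRequest(None, False)),
    ]
    for label, pledge, req in cases:
        print(f"{label}: {handle_status_request(pledge, req)}")


if __name__ == "__main__":
    demo()
```

The separation between `requester_authenticated` and `handle_status_request` is deliberate: the authentication decision depends only on trust anchors obtained during enrollment, which is why an unenrolled pledge falls through to the IDevID-signed response rather than refusing every request.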