anima-wg / constrained-voucher

This is a repo for the IETF Internet Draft about constrained vouchers in CBOR

Add requirement for EST-client (6.6.2 step 1) to verify that EST server is an "RA" #234

Closed EskoDijk closed 1 year ago

EskoDijk commented 2 years ago

In 6.6.2, particularly step 1, a requirement could be added. Currently Pledge only checks that the EST server is part of the same Domain that it trusts. It should/must also verify that the EST server is an "RA" for that domain, i.e. a Registrar.

Based on email discussion: https://mailarchive.ietf.org/arch/msg/anima/VN8D3T_LBMz6LDCLo7T2mv5NNNc/

mcr commented 2 years ago

Maybe already said in RFC9148? RFC7030?

3.6.1. Client Use of Explicit TA Database

EskoDijk commented 1 year ago

Yes, we can just refer to RFC 7030 3.6.1 for details; sentence can be added in step 1.
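
Added example, not part of the issue thread or the draft: a sketch of the extra check a pledge could make in step 1, after the EST server certificate has already chained to the domain trust anchor. It assumes the "RA" marking is the id-kp-cmcRA extended key usage (OID 1.3.6.1.5.5.7.3.28, RFC 6402) that RFC 7030 section 3.6.1 refers to. The function names and sample bytes are constructed for illustration, and the input is the DER value of the certificate's extKeyUsage extension (or `None` when the extension is absent).

```python
ID_KP_CMC_RA = "1.3.6.1.5.5.7.3.28"  # id-kp-cmcRA (RFC 6402)

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def _oid(content):  # OID content octets (base-128 arcs) -> dotted text
    if not content or content[-1] & 0x80:
        raise ValueError("bad OID encoding")
    arcs, acc = [], 0
    for octet in content:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    first = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, first + arcs[1:]))

def eku_oids(eku_der):  # DER of ExtKeyUsageSyntax: SEQUENCE OF OBJECT IDENTIFIER
    tag, body, end = _tlv(eku_der, 0)
    if tag != 0x30 or end != len(eku_der):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element in extKeyUsage")
        oids.append(_oid(content))
    return oids

def est_server_is_ra(eku_der):
    # No extKeyUsage (None) or malformed DER: fail closed, not an RA.
    try:
        return eku_der is not None and ID_KP_CMC_RA in eku_oids(eku_der)
    except ValueError:
        return False

# Constructed samples: serverAuth only, then serverAuth + id-kp-cmcRA.
EKU_TLS_ONLY = bytes.fromhex("300a" "06082b06010505070301")
EKU_REGISTRAR = bytes.fromhex("3014" "06082b06010505070301" "06082b0601050507031c")
```

A certificate that is in the trusted domain but carries only serverAuth is rejected here, which is the gap the issue describes.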