Open Devendra-Vamsi opened 2 years ago
1) yes, either via a previous gNOI install using the ca_certificates
field (https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L303)
or during the same install using the same field, or via another mechanism that is not gNOI;
2) yes;
3) yes;
Section "Validate installed certificate" from page https://github.com/openconfig/gnoi/blob/master/docs/simplified_security_model.md#validate-installed-certificate insists that the target device needs to verify the new certificate (let's say ee-cert1) being installed with a CA cert (let's say ca-cert1) in the CA pool.