scionproto / scion

SCION Internet Architecture
https://scion.org
Apache License 2.0

scion-pki: fill out gaps on TRCs by requesting them from the remote CS. #4609

Open JordiSubira opened 2 months ago

JordiSubira commented 2 months ago

Currently, the scion-pki tool uses only the TRC(s) indicated after the --trc flag. If, when requesting a certificate renewal, the remote AS signs the new certificate based on a new version of the TRC, we get an error, e.g.:

 Error: verification of transport cert failed with provided TRC: chain did not verify against any selected TRC {errors=[verifying chain {trc_base=1; trc_serial=9}: x509: certificate signed by unknown authority]}

The CS already uses the logic from the fetching_provider and its implementation to fill those gaps. We can add a similar functionality into the scion-pki tool for doing so.

On top of that, we could also modify the certificate renewal response and add the TRC with which the certificate was signed.
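The gap-filling flow proposed in this issue, as an added illustration that is not scion-pki's or the CS's own code: the verifier holds only the TRCs selected locally, and when a renewed certificate claims a newer TRC serial it fetches the missing TRCs one serial at a time from a remote provider. The security-relevant detail is that a fetched TRC is never trusted just because the remote CS served it; each one must be the next serial and must verify as an update signed by the TRC already trusted before it. The `TRC`, `Chain`, `TRCProvider` and `Verifier` types, the single root key per TRC (standing in for the real root certificates and voter quorum), and the in-memory `mapProvider` are all assumptions made for this example; the constructed scenario mirrors the quoted error, with the tool holding TRC (1,8) and the certificate signed under TRC (1,9).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TRCID names a TRC by base and serial, matching "trc_base=1; trc_serial=9"
// in the error quoted in the issue.
type TRCID struct{ Base, Serial uint64 }

// TRC is a deliberately simplified trust root (hypothetical type): one root
// public key, and for updates the predecessor root's signature over this TRC.
// Real SCION TRCs carry several root certificates and a quorum of voter
// signatures; the single key and signature here stand in for that check.
type TRC struct {
	ID             TRCID
	RootKey        ed25519.PublicKey
	PredecessorSig []byte // nil for the base TRC, which is trusted out of band
}

func (t *TRC) payload() []byte {
	return append([]byte(fmt.Sprintf("trc:%d:%d:", t.ID.Base, t.ID.Serial)), t.RootKey...)
}

// Chain stands in for a certificate chain: a subject signed under a given TRC.
type Chain struct {
	Subject     string
	IssuedUnder TRCID
	Sig         []byte
}

// TRCProvider is the remote source of TRCs (the remote CS in the issue).
type TRCProvider interface{ GetTRC(id TRCID) (*TRC, error) }

// mapProvider is a constructed in-memory stand-in for the network.
type mapProvider map[TRCID]*TRC

func (m mapProvider) GetTRC(id TRCID) (*TRC, error) {
	if t, ok := m[id]; ok {
		return t, nil
	}
	return nil, fmt.Errorf("remote has no TRC %+v", id)
}

// Verifier holds the locally selected TRCs (what --trc supplies today) and a
// remote provider that is consulted only to fill gaps.
type Verifier struct {
	Trusted map[TRCID]*TRC
	Remote  TRCProvider
}

// VerifyChain verifies c against a selected TRC, first pulling any missing
// newer TRCs from the remote and validating each as a signed update.
func (v *Verifier) VerifyChain(c Chain) error {
	trc, ok := v.Trusted[c.IssuedUnder]
	if !ok {
		if err := v.fillGap(c.IssuedUnder); err != nil {
			return fmt.Errorf("chain did not verify against any selected TRC: %w", err)
		}
		trc = v.Trusted[c.IssuedUnder]
	}
	if !ed25519.Verify(trc.RootKey, []byte(c.Subject), c.Sig) {
		return errors.New("certificate signed by unknown authority")
	}
	return nil
}

func (v *Verifier) fillGap(want TRCID) error {
	var latest *TRC // newest trusted TRC with the same base
	for id, t := range v.Trusted {
		if id.Base == want.Base && (latest == nil || id.Serial > latest.ID.Serial) {
			latest = t
		}
	}
	if latest == nil {
		return fmt.Errorf("no trusted TRC for base %d", want.Base)
	}
	if want.Serial < latest.ID.Serial {
		return fmt.Errorf("TRC %+v predates trusted TRC %+v", want, latest.ID)
	}
	for prev := latest; prev.ID.Serial < want.Serial; {
		next := TRCID{Base: want.Base, Serial: prev.ID.Serial + 1}
		fetched, err := v.Remote.GetTRC(next)
		if err != nil {
			return err
		}
		if fetched.ID != next {
			return fmt.Errorf("remote returned TRC %+v, wanted %+v", fetched.ID, next)
		}
		// Never trust a served TRC blindly: it must be signed by its predecessor.
		if !ed25519.Verify(prev.RootKey, fetched.payload(), fetched.PredecessorSig) {
			return fmt.Errorf("TRC %+v is not signed by predecessor %+v", next, prev.ID)
		}
		v.Trusted[next] = fetched
		prev = fetched
	}
	return nil
}

// BuildScenario constructs the situation from the issue: the tool holds only
// TRC (1,8), the remote has TRC (1,9), and the renewed certificate was signed
// under (1,9). With honest=false the remote's TRC (1,9) is signed by an
// unrelated key and must be rejected.
func BuildScenario(honest bool) (*Verifier, Chain) {
	pub8, priv8, _ := ed25519.GenerateKey(rand.Reader)
	pub9, priv9, _ := ed25519.GenerateKey(rand.Reader)
	trc8 := &TRC{ID: TRCID{Base: 1, Serial: 8}, RootKey: pub8}
	trc9 := &TRC{ID: TRCID{Base: 1, Serial: 9}, RootKey: pub9}
	signer := priv8
	if !honest {
		_, signer, _ = ed25519.GenerateKey(rand.Reader)
	}
	trc9.PredecessorSig = ed25519.Sign(signer, trc9.payload())
	subject := "renewed AS certificate (constructed sample)"
	chain := Chain{Subject: subject, IssuedUnder: trc9.ID, Sig: ed25519.Sign(priv9, []byte(subject))}
	v := &Verifier{Trusted: map[TRCID]*TRC{trc8.ID: trc8}, Remote: mapProvider{trc9.ID: trc9}}
	return v, chain
}

func main() {
	v, c := BuildScenario(true)
	fmt.Println("remote serves a genuine update:", v.VerifyChain(c))
	v, c = BuildScenario(false)
	fmt.Println("remote serves a forged update:", v.VerifyChain(c))
}
```

Walking the update chain serial by serial is what keeps the remote CS from becoming a trust anchor of its own: the only thing the tool ends up trusting is what the TRC it already had vouches for. The same check is what the renewal-response variant at the end of the issue would need, since a TRC embedded in the response is just another remotely supplied TRC.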