Re: Publication protocol
[Old mail that I lost in a flurry of other messages]
At Wed, 04 Apr 2007 13:42:25 +0200, Róbert Kisteleki wrote:
>
> Let's look at an RIR->LIR->ISP chain. I am ISP, trying to use the same
> repository as LIR, whereas RIR uses its own/separate one.
> In this case the certificate issued to me by LIR is already in the
> repository, as LIR asked for it to be there upon issuing me. But this
> repository does not have the LIR's CA certificate, as it can be found in
> the RIR's (independent) repository.
>
> This all means that "For purposes of this check, the parent's issuing
> cert (which the repository has, by definition, since this is the nested
> hosting case) can serve as a trust anchor for checking the child's SIA."
> is false; this repository does not have it, but has to go and fetch it
> instead, if it's not supplied in the protocol.
>
> Maybe you wanted to write "child's CA cert" instead (in this case,
> ISP's)? That one _is_ lodged into this repository, and can be used for
> the check.
I think you misunderstood what I was trying to say. Is this clearer?
Index: publication-protocol
===================================================================
--- publication-protocol (revision 589)
+++ publication-protocol (revision 590)
@@ -49,9 +49,9 @@
;;; issue a cert to the child anyway, and that cert will contain a
;;; signature by the parent over the child's SIA URI, so the
;;; repository just has to check that. For purposes of this check,
-;;; the parent's issuing cert (which the repository has, by
-;;; definition, since this is the nested hosting case) can serve as
-;;; a trust anchor for checking the child's SIA.
+;;; the parent's cert (which the repository has, by definition,
+;;; since this is the nested hosting case) can serve as a trust
+;;; anchor for checking the child's SIA.
;;;
;;; 3) To the extent that the repository operator wants to guard
;;; against toxic waste, it might want to check further up the
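Review bot: the three `+` lines only drop the word "issuing", so the comment still asserts that the repository holds the parent's cert "by definition, since this is the nested hosting case", which is exactly the assumption the quoted mail disputes (in the RIR->LIR->ISP case the LIR's CA cert is said to live in the RIR's separate repository). Say explicitly which certificate is meant and where it is expected to be found, e.g. "the cert issued to the parent, as lodged in this repository", so that the signature check over the child's SIA URI has a key it can actually use; and if the parent's cert can legitimately sit in another repository, the comment should state that the check then depends on fetching it (or on the protocol supplying it) rather than claiming it is present by definition.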