author | Rob Austein <sra@hactrn.net> | 2009-07-21 06:15:26 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2009-07-21 06:15:26 +0000 |
commit | fd1e27797e233e7b1ab86f95213e28a11d5199e2 (patch) | |
tree | 9beaf3d95a821dcebd819545c2c083815c94f0ee | |
parent | 76017f62ccfc477e15093c1fa5ec68b4e517bdb7 (diff) |
Cleanup
svn path=/myrpki/README; revision=2656
-rw-r--r-- | myrpki/README | 45 |
1 files changed, 24 insertions, 21 deletions
diff --git a/myrpki/README b/myrpki/README index 5161b376..d27bd1e3 100644 --- a/myrpki/README +++ b/myrpki/README 
@@ -1,54 +1,57 @@ $Id$ -testbed.py creates so freaking many BPKI certificates that even I can't -keep track of what they're all for anymore. So try starting over. +Sketch towards a simple description of the BPKI. + +This started out as notes to myself during a redesign, and needs +rewriting. + Hosted (myrpki) entity needs: -- self-signed bpki root (doesn't really need to be self-signed, nobody - else will care, but self-signed is simplest for our purposes). this +- Self-signed BPKI root (doesn't really need to be self-signed, nobody + else will care, but self-signed is simplest for our purposes). This is what we've been calling the "self" cert in testbed.py. - BSC EE issued by self-signed root. -- cross-certs of every foreign entity (parent, child, or pubd): these - are ca certs with pathLenConstraint 0. input for this cross-cert is +- Cross-certs of every foreign entity (parent, child, or pubd): these + are CA certs with pathLenConstraint 0. Input for this cross-cert is self-signed (or whatever) from foreign entity, output is - pathLenConstraint 0 ca cert issued by myrpki entity's own + pathLenConstraint 0 CA cert issued by myrpki entity's own self-signed root. Hosting rpkid needs: -- self-signed bpki root +- Self-signed BPKI root -- bsc ees for rpkid, irdbd, irbe_cli, etc +- BSC EE certs for rpkid, irdbd, irbe_cli, etc -- for each hosted entity (including self-hosting): +- For each hosted entity (including self-hosting): - - cross-cert of hosted entity's root, issued by rpkid root, ca cert - perhaps with pathLenConstraint 1 + Cross-cert of hosted entity's root, issued by rpkid root: CA cert + with pathLenConstraint 1 In theory that's all that's required, everything else is handled through the hosted entity's cert chain. 
pubd needs: -- self signed root (might share with rpkid but let's keep it separate +- Self signed root (might share with rpkid but let's keep it separate conceptually) -- bsc ees for pubd and irbe_cli +- BSC EE certs for pubd and irbe_cli -- for each client entity of pubd: +- For each client entity of pubd: - - cross-cert of client entity's self cert (pathLenConstraint 0). + Cross-cert of client entity's self cert (pathLenConstraint 0). - This should allow pubd to verify clients' bsc ee certs without - getting into transitive ca relationships. + This should allow pubd to verify clients' BSC EE certs without + getting into transitive CA relationships. rootd (when applicable at all) needs: -- self signed root +- Self-signed root -- bsc ee for talking up-down (server) with one and only child +- BSC EE cert for talking up-down (server) with one and only child -- cross-cert (pathLenConstraint 0) of one and only child's self cert. +- Cross-cert (pathLenConstraint 0) of one and only child's self cert. |
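Review bot: In the "Hosting rpkid needs" section, the rewritten cross-cert item drops "perhaps" from "perhaps with pathLenConstraint 1", so a commit described as cleanup turns a tentative value into a stated requirement without saying why it differs from the pathLenConstraint 0 used for every other cross-cert in this file. Either keep the hedge or add a sentence giving the reason this one cert needs a path length of 1. The same item, and the matching one under "pubd needs", also lose their nested "-" list marker and now read as continuation paragraphs rather than sub-items of "For each hosted entity" and "For each client entity of pubd". Finally, "Self signed root" under pubd is still unhyphenated while the rootd entry was changed to "Self-signed root"; pick one spelling for both.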