authorRob Austein <sra@hactrn.net>2007-05-30 20:23:54 +0000
committerRob Austein <sra@hactrn.net>2007-05-30 20:23:54 +0000
commit5750be9cb80871cbd9ff04411c18eb737d0fd541 (patch)
treeec6207b9c339dbf704152f9e191c979c0bb2c28f /docs/left-right-protocol
parent8b0ea1fe76c756bebfa042b6553c64db6421b785 (diff)
Subsetting and better way of handling subject name.
svn path=/docs/left-right-protocol; revision=643
Diffstat (limited to 'docs/left-right-protocol')
-rw-r--r--docs/left-right-protocol22
1 files changed, 10 insertions, 12 deletions
diff --git a/docs/left-right-protocol b/docs/left-right-protocol
index 38c436c9..65f5bb80 100644
--- a/docs/left-right-protocol
+++ b/docs/left-right-protocol
@@ -235,7 +235,6 @@
(:ta ta)
(:biz-signing-context biz-signing-context)
(:child-db-id child-db-id)
- (:subject-name "wombat" ; Consenting adults only! Do not use!
(:reissue)) ; Reissue any certs to this child now
=> (child :child-id 3)
@@ -374,13 +373,6 @@
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; The following probably needs expansion to cover issuing subsets
-;; (transfer support).
-;;
-;; This is probably also the place where we need to put the hook that
-;; lets the IRBE specify the cert subject name (when we're allowing
-;; that).
-;;
;; Separating this into two separate messages instead of a single
;; overloaded message (self vs child) might be clearer. Work uses
;; cases first to determine how we really use this call?
@@ -389,10 +381,16 @@
&optional ; If left off, we're asking about self rather than child
:child id) ; subject id
=> (resources :valid-until 2008-04-01T00:00:00Z
- (:ipv4-prefix 10.0.0.44 32)
- (:ipv4-prefix 10.3.0.44 32)
- (:ipv6-prefix fe80:dead:beef:: 48)
- (:as-number 666)
+ ((:ipv4-prefix 10.0.0.44 32)
+ (:ipv4-prefix 10.3.0.44 32)
+ (:ipv6-prefix fe80:dead:beef:: 48)
+ (:as-number 666))
+ ((:subject-name "wombats are us") ; Allowed in protocol, but RE may reject with error
+ (:subset-ipv4-prefix 10.0.0.0 8)
+ (:ipv4-prefix 10.2..0.6 32)
+ (:ipv6-prefix fe80:dead:beef:: 48)
+ (:ipv6-range fe80:dead:beef:: fe80:dead:beef::49)
+ (:as-number 666))
...)
(report-error :self-id 42