authorRob Austein <sra@hactrn.net>2007-03-18 15:53:21 +0000
committerRob Austein <sra@hactrn.net>2007-03-18 15:53:21 +0000
commit8315d6ec7c02ee0f60dd395e5e686cf32ef3c273 (patch)
tree84c338d15e52ea47dc61aecb1212ed2fe6c12016 /scripts/regeng-api
parent95c8d6f4485374cd4c7facd75092b480bba7ebc8 (diff)
Repository publication protocol, all one operation of it.
svn path=/scripts/regeng-api; revision=491
Diffstat (limited to 'scripts/regeng-api')
-rw-r--r--scripts/regeng-api24
1 files changed, 23 insertions, 1 deletions
diff --git a/scripts/regeng-api b/scripts/regeng-api
index 63b7a580..2f204d3e 100644
--- a/scripts/regeng-api
+++ b/scripts/regeng-api
@@ -184,4 +184,26 @@
;;; key.
;;;
;;; Um, collection creation may need us to demonstrate that we own the
-;;; issuer cert, so we may need to sign something with it.
+;;; issuer cert, so we may need to sign something with it, and we
+;;; don't really need to do explicit collection creation, we can
+;;; automatically create collections as a side effect of attempting to
+;;; store something in them.
+
+(publish-thing :thing-type :crl
+ :signed-thing signed-thing)
+=> ()
+
+;;; Where signed-thing looks like:
+;;;
+;;; (repo-biz-key-signature
+;;; ca-cert
+;;; (ca-key-signature
+;;; object-to-publish))
+;;;
+;;; NB: the ca-key-signature is a simple signature with no
+;;; certificates embedded, as we can't assume that the repository
+;;; knows the trust anchor. More precisely, if the crypto guys tell
+;;; us that we must do cert chain verification here, the business
+;;; setup for all this has to make sure that the repository operator
+;;; -does- know the RPKI trust anchor and we'd kind of rather not go
+;;; there.
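Review bot: The signed-thing description at the end of the hunk does not say whether the repository verifies the inner ca-key-signature against the public key in the enclosed ca-cert, or only checks repo-biz-key-signature and stores the inner object opaquely; since the NB paragraph explicitly rules out certificate chain verification, that is the one check left to state. The publish-thing sketch also shows no collection argument, and with collections now created implicitly on store (the rewritten paragraph at the top of the hunk), the text should say how repo-biz-key-signature authorizes a publisher for a particular collection rather than for any collection. I would add after the NB paragraph: `;;; TODO: does the repository verify ca-key-signature with the key in ;;; ca-cert, or only repo-biz-key-signature? And how is repo-biz-key ;;; bound to the collection(s) it may publish into?` so the open questions are recorded next to the structure they concern.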