aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--myrpki/README45
1 files changed, 24 insertions, 21 deletions
diff --git a/myrpki/README b/myrpki/README
index 5161b376..d27bd1e3 100644
--- a/myrpki/README
+++ b/myrpki/README
@@ -1,54 +1,57 @@
$Id$
-testbed.py creates so freaking many BPKI certificates that even I can't
-keep track of what they're all for anymore. So try starting over.
+Sketch towards a simple description of the BPKI.
+
+This started out as notes to myself during a redesign, and needs
+rewriting.
+
Hosted (myrpki) entity needs:
-- self-signed bpki root (doesn't really need to be self-signed, nobody
- else will care, but self-signed is simplest for our purposes). this
+- Self-signed BPKI root (doesn't really need to be self-signed, nobody
+ else will care, but self-signed is simplest for our purposes). This
is what we've been calling the "self" cert in testbed.py.
- BSC EE issued by self-signed root.
-- cross-certs of every foreign entity (parent, child, or pubd): these
- are ca certs with pathLenConstraint 0. input for this cross-cert is
+- Cross-certs of every foreign entity (parent, child, or pubd): these
+ are CA certs with pathLenConstraint 0. Input for this cross-cert is
self-signed (or whatever) from foreign entity, output is
- pathLenConstraint 0 ca cert issued by myrpki entity's own
+ pathLenConstraint 0 CA cert issued by myrpki entity's own
self-signed root.
Hosting rpkid needs:
-- self-signed bpki root
+- Self-signed BPKI root
-- bsc ees for rpkid, irdbd, irbe_cli, etc
+- BSC EE certs for rpkid, irdbd, irbe_cli, etc
-- for each hosted entity (including self-hosting):
+- For each hosted entity (including self-hosting):
- - cross-cert of hosted entity's root, issued by rpkid root, ca cert
- perhaps with pathLenConstraint 1
+ Cross-cert of hosted entity's root, issued by rpkid root: CA cert
+ with pathLenConstraint 1
In theory that's all that's required, everything else is handled
through the hosted entity's cert chain.
pubd needs:
-- self signed root (might share with rpkid but let's keep it separate
+- Self signed root (might share with rpkid but let's keep it separate
conceptually)
-- bsc ees for pubd and irbe_cli
+- BSC EE certs for pubd and irbe_cli
-- for each client entity of pubd:
+- For each client entity of pubd:
- - cross-cert of client entity's self cert (pathLenConstraint 0).
+ Cross-cert of client entity's self cert (pathLenConstraint 0).
- This should allow pubd to verify clients' bsc ee certs without
- getting into transitive ca relationships.
+ This should allow pubd to verify clients' BSC EE certs without
+ getting into transitive CA relationships.
rootd (when applicable at all) needs:
-- self signed root
+- Self-signed root
-- bsc ee for talking up-down (server) with one and only child
+- BSC EE cert for talking up-down (server) with one and only child
-- cross-cert (pathLenConstraint 0) of one and only child's self cert.
+- Cross-cert (pathLenConstraint 0) of one and only child's self cert.
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-22 18:17:15 +0000