From 3d0196970e3ec229d294a9ca7d71dc7085a47374 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Mon, 16 Apr 2007 21:00:42 +0000 Subject: Clarify note on revoke and rekey of biz keys. svn path=/docs/left-right-protocol; revision=571 --- docs/left-right-protocol | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'docs/left-right-protocol') diff --git a/docs/left-right-protocol b/docs/left-right-protocol index 8dd0b4d2..da4c4975 100644 --- a/docs/left-right-protocol +++ b/docs/left-right-protocol 
@@ -15,16 +15,19 @@ ;;; Current problems: -;;; Need revoke and rekey operations. - -;;; And, er, how do things like publication URIs (which also go into -;;; some of the X.509 extensions in the resource certs) get into the -;;; RE anyway? This is close to being the same question as how do we -;;; configure the publication point, as the data are largely the same. -;;; Part of the problem is that, if we create CAs on the fly in -;;; response to what we learn from our parent, how do we map that to -;;; any kind of preconfigured data on where we should publish? This -;;; is a mess. +;;; Need revoke and rekey operations. The IRBE tells the RE to delete +;;; and likely replace a biz key (so this acts on business signing +;;; context objects); it doesn't revoke in the CRL sense. The RE may +;;; learn from the IRBE that the key of a parent or child has changed; +;;; these are set operations on the TA field of a parent, child, or +;;; repository object. So this is almost covered, except that we +;;; bundled keypair creation into business signing context creation +;;; (knew that was a mistake...). + +;;; How do we construct publication URIs (which also go into some of +;;; the X.509 extensions in the resource certs)? We create CAs on the +;;; fly in response to what we learn from our parent, so it's hard to +;;; preconfigure this. ;;; ;;; Might it help to have per-parent config for this, since we have to ;;; config parents anyway? That'd give us the head of the publication -- cgit v1.2.3
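Review bot: In the added revoke/rekey paragraph, the first sentence still reads "Need revoke and rekey operations" while the next one says the operation "doesn't revoke in the CRL sense", and the paragraph stops at "almost covered, except that we bundled keypair creation into business signing context creation" without naming what is still missing. Consider wording the item as delete and replace of a biz key, so it is not read as CRL revocation, and stating the open work explicitly: presumably a way to generate or replace the keypair of an existing business signing context, separate from creating the context. For the TA field updates on parent, child, or repository objects, a sentence on when the old key stops being accepted would help, since the added text describes them only as set operations. The rewritten publication URI paragraph also drops the earlier remark that this is close to the same question as configuring the publication point; if that still holds, keep one sentence of it, as the context lines that follow go on to discuss per-parent config.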