blob: 5161b376d2d68076bf5182f1b67f4e52211ea7cc (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
$Id$
testbed.py creates so freaking many BPKI certificates that even I can't
keep track of what they're all for anymore. So try starting over.
Hosted (myrpki) entity needs:
- self-signed bpki root (doesn't really need to be self-signed, nobody
else will care, but self-signed is simplest for our purposes). this
is what we've been calling the "self" cert in testbed.py.
- BSC EE issued by self-signed root.
- cross-certs of every foreign entity (parent, child, or pubd): these
are ca certs with pathLenConstraint 0. input for this cross-cert is
self-signed (or whatever) from foreign entity, output is
pathLenConstraint 0 ca cert issued by myrpki entity's own
self-signed root.
Hosting rpkid needs:
- self-signed bpki root
- bsc ees for rpkid, irdbd, irbe_cli, etc
- for each hosted entity (including self-hosting):
- cross-cert of hosted entity's root, issued by rpkid root, ca cert
perhaps with pathLenConstraint 1
In theory that's all that's required, everything else is handled
through the hosted entity's cert chain.
pubd needs:
- self signed root (might share with rpkid but let's keep it separate
conceptually)
- bsc ees for pubd and irbe_cli
- for each client entity of pubd:
- cross-cert of client entity's self cert (pathLenConstraint 0).
This should allow pubd to verify clients' bsc ee certs without
getting into transitive ca relationships.
rootd (when applicable at all) needs:
- self signed root
- bsc ee for talking up-down (server) with one and only child
- cross-cert (pathLenConstraint 0) of one and only child's self cert.
|
