>
> Josh> Thanks for the reminder, I always forget about this
> Josh> wrinkle. This is something that will get ironed out in the
> Josh> fulness of time, and so I think we should focus on an approach
> Josh> that reduces the risk of transition inertia.
>
>Note that for the managed RP service we're assuming we construct a PKI.
>Do we want to be looking at PSK for that?

That would be my recommendation. We will save a lot of customer support
angst.

> >> * Do we want to be able to disable the hostname check?
>
> Josh> I think that is reasonable. The cert is simply being used to
> Josh> demonstrate authorisation to act as an upstream AAA proxy in
> Josh> the context of a realm. If the acceptor wants multiple
> Josh> upstreams, use a different cert per upstream.
>
> >> * What configuration parameters do we want for cert checking?
>
> Josh> Chains back to a configured root.
>
>I'm having difficulty reconciling these answers.
>If you disable the hostname check and allow it to chain back to a
>configured root
>how do you distinguish different realms?
>
>Or do you configure the root per realm?

I was assuming a root per realm.

Josh.

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238