In general we might be too strict on the presence of the key when building up the request messages, as it could actually just be omitted if we had an RA or CA supporting centralized key generation and were able to get the private key out of the reply message.
See https://tools.ietf.org/html/rfc4210#section-4.2.1.3 “centralized generation”. For that to work, we’d need to generate and set the “Protocol Encryption Key” - https://tools.ietf.org/html/rfc4211#section-6.6 - and then filter out the privateKey from the CertifiedKeyPair message, decrypt it and write it.
… but the whole thing cannot be implemented before we have a server supporting that.