Publish PAI certificates for CRLSignerCertificate verification about distributed-compliance-ledger HOT 5 CLOSED

Hi @ashcherbakov , with https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 the spec was updated to clarify that if the CRLSignerCertificate is a delegate of a PAI, then the PAI certificate must be present in the DCL. But the text does not specify where this certificate is located in the DCL. Following a call in the DCL TT, the expectation is to have option 2 implemented with a new field to contain the PAI certificate. We can then refine the text of the spec when this new field is defined.

from distributed-compliance-ledger.

100% recommend using the CRLSignerCertificate schema and adding a field there, as it's the only feature that cares about those certificates and would make use of it. Would also avoid needing to do joins across schemas where not needed.

from distributed-compliance-ledger.

DCL-TT: Team decided to implement it on 1.3. Preliminary decision is to go with Option 2: add a new field for PAI-1 (no additional nesting).

from distributed-compliance-ledger.

1. Option to implement

It seems the updates made in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 differ from what has been previously discussed and approved on the DCL TT calls.

There are two options how to solve the issue:

• Option 1: Require publishing PAI to DCL (in case of delegation)
• Option 2: Extend revocation schema to add new field for the delegated PAI. The new field will have the whole pem.

DCL TT decided to go with Option 2, but https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 assumes Option 1.

2. Additional Changes

Regardless of the selected Option above, https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 requires additional changes to be implemented on DCL.

1. Changes in static validation (https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/types/message_add_pki_revocation_distribution_point.go):
   • Consider a new case: isPAA is true, but CRLSignerCertificate is not self-signed
2. Changes in https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go
   If CRLSignerCertificate is not self-signed, then instead of assuming that it's signed by a PAA on the ledger, more cases must be considered:
   • If isPAA is true, then
     • CRLSignerCertificate must be chained back to a PAA on the ledger
     • additional validation of the CRLSignerCertificate format must be done as described in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512
   • If isPAA is false, then
     • If CRLSignerCertificate is chained back to a PAA on the ledger - current logic
     • If CRLSignerCertificate is not chained back to a PAA on the ledger
       • additional validation of the CRLSignerCertificate format must be done as described in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512
       • CRLSignerCertificate is chained back to a PAI on the ledger (or to a PAI present in a new field, depending on the option from Section 1).

from distributed-compliance-ledger.

PR: #557

• Functionality implemented as described in the specification
• Unit and integration tests are added
• Docs are updated.

from distributed-compliance-ledger.