Comments (5)
Hi @ashcherbakov , with https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 the spec was updated to clarify that if the CRLSignerCertificate is a delegate of a PAI, then the PAI certificate must be present in the DCL. But the text does not specify where this certificate is located in the DCL. Following a call in the DCL TT, the expectation is to have option 2 implemented with a new field to contain the PAI certificate. We can then refine the text of the spec when this new field is defined.
from distributed-compliance-ledger.
100% recommend using the CRLSignerCertificate schema and adding a field there, as it's the only feature that cares about those certificates and would make use of it. Would also avoid needing to do joins across schemas where not needed.
from distributed-compliance-ledger.
DCL-TT: Team decided to implement it on 1.3. Preliminary decision is to go with Option 2: add a new field for PAI-1 (no additional nesting).
from distributed-compliance-ledger.
1. Option to implement
It seems the updates made in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 differ from what has been previously discussed and approved on the DCL TT calls.
There are two options how to solve the issue:
- Option 1: Require publishing PAI to DCL (in case of delegation)
- Option 2: Extend revocation schema to add new field for the delegated PAI. The new field will have the whole pem.
DCL TT decided to go with Option 2, but https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 assumes Option 1.
2. Additional Changes
Regardless of the selected Option above, https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 requires additional changes to be implemented on DCL.
- Changes in static validation (https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/types/message_add_pki_revocation_distribution_point.go):
- Consider a new case:
isPAA
is true, butCRLSignerCertificate
is not self-signed
- Consider a new case:
- Changes in https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/keeper/msg_server_add_pki_revocation_distribution_point.go
IfCRLSignerCertificate
is not self-signed, then instead of assuming that it's signed by a PAA on the ledger, more cases must be considered:- If
isPAA
is true, thenCRLSignerCertificate
must be chained back to a PAA on the ledger- additional validation of the
CRLSignerCertificate
format must be done as described in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512
- If
isPAA
is false, then- If
CRLSignerCertificate
is chained back to a PAA on the ledger - current logic - If
CRLSignerCertificate
is not chained back to a PAA on the ledger- additional validation of the
CRLSignerCertificate
format must be done as described in https://github.com/CHIP-Specifications/connectedhomeip-spec/pull/7512 CRLSignerCertificate
is chained back to a PAI on the ledger (or to a PAI present in a new field, depending on the option from Section 1).
- additional validation of the
- If
- If
from distributed-compliance-ledger.
PR: #557
- Functionality implemented as described in the specification
- Unit and integration tests are added
- Docs are updated.
from distributed-compliance-ledger.
Related Issues (20)
- How to complete the step Attest Device Compliance if I'm a vendor HOT 1
- Single key in the DCL can't share multiple roles. HOT 1
- The CommissioningModeInitialStepsHint is set to 0 by default HOT 3
- PID scoped Accounts HOT 2
- Root certificates for Network Operational Credential (NOC) HOT 3
- Instruction to use HSM with DCL UI and Keppler HOT 1
- ICA Certificates HOT 1
- Querying NOC/ICA certificates HOT 1
- Getting error on replay: wrong Block.Header.AppHash. while trying to run the full node HOT 2
- X509 certificates edge cases: fixes and improvements HOT 1
- Avoid using the reserved characters from RFC3986 in fields that are intended to form part of a URL (e.g. 'next_key'), or provide them already escaped.
- Add custom flow capability for commissioners without local UI HOT 4
- New fields for Enhanced Setup Flow HOT 1
- Improvements and Fixes for Edge Cases in X.509 Certificates (Continuation)
- Augment DCL auxiliary schemas with SchemaVersion field HOT 1
- Implement removal of NOC (Root and Intermediate) Certificates HOT 1
- SchemaVersion of DAC PKI Revocation Distribution Point schema did not get bumped after #557 HOT 1
- Validate "OtaChecksum" is base64 encoded when adding a Model-Version entry HOT 1
- Rename CommissionerRemoteUiFlowUrl to ManagedAclExtensionRequestFlowUrl and update description HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from distributed-compliance-ledger.