Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add NOC root certificate transactions design doc #529

Merged
merged 6 commits into from
Dec 29, 2023
Merged

Add NOC root certificate transactions design doc #529

merged 6 commits into from
Dec 29, 2023

Conversation

akarabashov
Copy link
Collaborator

No description provided.

ashcherbakov
ashcherbakov reviewed Dec 26, 2023
View reviewed changes
docs/design/noc-root-cert-design.md
- CLI Command:
- `dcld tx pki revoke-noc-x509-root-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>`

## Query
Copy link
Contributor

@ashcherbakov ashcherbakov Dec 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Please also mention a possibility to query a NOC Root Cert by Subject+SubjectKeyID (as any other certificate), see https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_x509_cert
  2. Need to decide if the following queries (common for other certificates) should return NOC root certificates:

docs/design/noc-root-cert-design.md
- cert: `string` - The NOC Root Certificate, encoded in X.509v3 PEM format. Can be a PEM string or a file path.
- State Changes:
- `pki/ApprovedCertificates/value/<Subject>/<SubjectKeyID>`
- `pki/NOCRootCertificates/value/<VID>`
Copy link
Contributor

@ashcherbakov ashcherbakov Dec 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to decide, if we want to distinguish NOC certificates from common PAAs/PAIs (for example when querying it by Subject+SubjectKeyId).
Open Questions; for now assume YES (needed).
For example, we can introduce a new field to the Certificate data model (https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/proto/pki/certificate.proto): bool NOC

docs/design/noc-root-cert-design.md
- CLI Command:
- `dcld tx pki add-noc-x509-root-cert --certificate=<string-or-path> --from=<account>`

### 2. REVOKE_NOC_X509_ROOT_CERTIFICATE
Copy link
Contributor

@ashcherbakov ashcherbakov Dec 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's an open question how Revocation should work here.

  • Should it be Remove rather than Revoke
  • Should we keep a track of Removed/Revoked certificates (soft-delete VS hard-delete)

Open Questions; for now assume Soft-delete (revoked certificates are moved to something like ...noc/revoked/... path (similar to common Root certs, but specific collection for NOC Roots).
Also, need to have a query GET_REVOKED_NOC_ROOT...

Do we need to put revoked NOC Root into a collection with other revoked Root certs?
Open Question. For now assume NO (not needed).

ashcherbakov
ashcherbakov reviewed Dec 29, 2023
View reviewed changes
docs/design/noc-root-cert-design.md Outdated
- Should the following queries return NOC Certificate?
- [GET_ALL_SUBJECT_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_subject_x509_certs)
- [GET_ALL_X509_ROOT_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs)
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs)
- [GET_X509_CERT](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_x509_cert)

docs/design/noc-root-cert-design.md Outdated
- [GET_ALL_X509_ROOT_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs)
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs)
- Should an additional field be added to the certificate schema to distinguish NOC certificates from common PAAs/PAIs?
- Should a revoked NOC certificate be stored in the revoked list, or should it be completely removed? Additionally, if a NOC root certificate is revoked, should it be saved in the existing revocation list or in a separate list?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add clarification here: should revoked Root NOC certificates be returned in the existing https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_revoked_x509_root_certs and https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_revoked_cert?

@akarabashov akarabashov merged commit c88d217 into master Dec 29, 2023
8 checks passed
@ashcherbakov ashcherbakov mentioned this pull request Jan 4, 2024
Closed
@akarabashov akarabashov deleted the feature/noc_cert_design branch April 11, 2024 06:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashcherbakov ashcherbakov ashcherbakov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akarabashov @ashcherbakov