-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add NOC root certificate transactions design doc #529
Conversation
- CLI Command: | ||
- `dcld tx pki revoke-noc-x509-root-cert --subject=<base64 string> --subject-key-id=<hex string> --from=<account>` | ||
|
||
## Query |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Please also mention a possibility to query a NOC Root Cert by Subject+SubjectKeyID (as any other certificate), see https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_x509_cert
- Need to decide if the following queries (common for other certificates) should return NOC root certificates:
- https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_subject_x509_certs: Open Questions; for now assume YES (needed)
- https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs: Open Questions; for now assume NO (not needed)
- cert: `string` - The NOC Root Certificate, encoded in X.509v3 PEM format. Can be a PEM string or a file path. | ||
- State Changes: | ||
- `pki/ApprovedCertificates/value/<Subject>/<SubjectKeyID>` | ||
- `pki/NOCRootCertificates/value/<VID>` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to decide, if we want to distinguish NOC certificates from common PAAs/PAIs (for example when querying it by Subject+SubjectKeyId).
Open Questions; for now assume YES (needed).
For example, we can introduce a new field to the Certificate data model (https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/proto/pki/certificate.proto): bool NOC
- CLI Command: | ||
- `dcld tx pki add-noc-x509-root-cert --certificate=<string-or-path> --from=<account>` | ||
|
||
### 2. REVOKE_NOC_X509_ROOT_CERTIFICATE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's an open question how Revocation should work here.
- Should it be Remove rather than Revoke
- Should we keep a track of Removed/Revoked certificates (soft-delete VS hard-delete)
Open Questions; for now assume Soft-delete (revoked certificates are moved to something like ...noc/revoked/... path (similar to common Root certs, but specific collection for NOC Roots).
Also, need to have a query GET_REVOKED_NOC_ROOT...
Do we need to put revoked NOC Root into a collection with other revoked Root certs?
Open Question. For now assume NO (not needed).
docs/design/noc-root-cert-design.md
Outdated
- Should the following queries return NOC Certificate? | ||
- [GET_ALL_SUBJECT_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_subject_x509_certs) | ||
- [GET_ALL_X509_ROOT_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs) | ||
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs) | |
- [GET_X509_CERT](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_x509_cert) |
docs/design/noc-root-cert-design.md
Outdated
- [GET_ALL_X509_ROOT_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs) | ||
- [GET_ALL_X509_CERTS](https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_x509_root_certs) | ||
- Should an additional field be added to the certificate schema to distinguish NOC certificates from common PAAs/PAIs? | ||
- Should a revoked NOC certificate be stored in the revoked list, or should it be completely removed? Additionally, if a NOC root certificate is revoked, should it be saved in the existing revocation list or in a separate list? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add clarification here: should revoked Root NOC certificates be returned in the existing https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_all_revoked_x509_root_certs and https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#get_revoked_cert?
No description provided.