Update transactions.md document #553
Conversation
docs/transactions.md
Outdated
| - time: `optional(int64)` - proposal time (number of nanoseconds elapsed since January 1, 1970 UTC). CLI uses the current time for that field. | ||
| - vid: `uint16` - Vendor ID (positive non-zero). Must be the same as Vendor account's VID. The value must be within the range of 1 to 65535. |
There was a problem hiding this comment.
Please mention that it must be equal to the Certificate's VID for VID scope certificates.
docs/transactions.md
Outdated
| @@ -903,8 +906,6 @@ The certificate is not reject until sufficient number of Trustees reject it. | |||
| Adds an intermediate or leaf X509 certificate signed by a chain of certificates which must be | |||
| already present on the ledger. | |||
|
|
|||
| The certificate is immutable. It can only be revoked by either the owner or a quorum of Trustees. | |||
|
|
|||
| - Who can send: Vendor account | |||
| - PAA (Root certificates) are VID-scoped: | |||
There was a problem hiding this comment.
Maybe move this paragraph to Validation?
Also I think it needs to be clarified.
For example, it's not clear what does "PAA (Root certificates) are VID-scoped" mean.
I would writ something like
- If parent root certificate is VID scoped:
certmust be VID scopedvidin the subject of the root certificate must be equal to the thevidin the subject of thecertvidin the certificate subjects must be equal to the sender Vendor account's VID
- If parent root certificate is not VID scoped, but has an associated VID
certcan be either VID scoped or non-VID scoped- if
certis VID scoped,vidin the subject of thecertmust be equal to the VID associated with the root certificate, as well as to the sender Vendor account's VID
- If parent root certificate is non VID scoped and doesn't have an associated VID - error
docs/transactions.md
Outdated
| @@ -925,9 +926,10 @@ The certificate is immutable. It can only be revoked by either the owner or a qu | |||
| - no existing certificate with the same `<Certificate's Issuer>:<Certificate's Serial Number>` combination. | |||
| - if certificates with the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination already exist: | |||
| - the existing certificate must not be NOC certificate | |||
| - the sender's VID must match the `vid` field of the existing certificates. | |||
| - the sender's VID must match the VID of the existing certificate's owner. | |||
| - the signature (self-signature) and expiration date are valid. | |||
There was a problem hiding this comment.
We can't have self-signature for Intermediate/Leaf certs
docs/transactions.md
Outdated
| @@ -903,8 +906,6 @@ The certificate is not reject until sufficient number of Trustees reject it. | |||
| Adds an intermediate or leaf X509 certificate signed by a chain of certificates which must be | |||
There was a problem hiding this comment.
I think it would be great to add some description to distinguish these certificates from NOC/ICA certificates.
| @@ -827,13 +827,14 @@ will be in a pending state until sufficient number of approvals is received. | |||
|
|
|||
| The certificate is immutable. It can only be revoked by either the owner or a quorum of Trustees. | |||
|
|
|||
There was a problem hiding this comment.
What if we rename the commands as follows:
X509 PKI
Device Attestation Certificates (DA)
PROPOSE_ADD_PAA
APPROVE_ADD_PAA
REJECT_ADD_PAA
PROPOSE_REVOKE_PAA
APPROVE_REVOKE_PAA
ASSIGN_VID_TO_PAA
ADD_REVOCATION_DISTRIBUTION_POINT
UPDATE_REVOCATION_DISTRIBUTION_POINT
DELETE_REVOCATION_DISTRIBUTION_POINT
ADD_PAI
REVOKE_PAI
REMOVE_PAI
GET_REVOCATION_DISTRIBUTION_POINT
GET_REVOCATION_DISTRIBUTION_POINT_BY_SKID
GET_ALL_REVOCATION_DISTRIBUTION_POINT
GET_PROPOSED_PAA
GET_REJECTED_PAA
GET_PROPOSED_REVOKE_PAA
GET_ALL_PAA
GET_ALL_REVOKED_PAA
GET_ALL_PROPOSED_PAA
GET_ALL_REJECTED_PAA
GET_ALL_PROPOSED_REVOKE_PAA
E2E (NOC)
ADD_NOC_ROOT
REVOKE_NOC_ROOT
ADD_NOC_ICA
GET_NOC_ROOT_BY_VID
GET_NOC_ICA_BY_VID
GET_REVOKED_NOC_ROOT
GET_ALL_NOC_ROOT
GET_ALL_NOC_ICA
GET_ALL_REVOKED_NOC_ROOT
Common
GET_CERT
GET_REVOKED_CERT
GET_CERTS_BY_SKID
GET_CERTS_BY_SUBJECT
GET_CHILD_CERTS
GET_ALL_CERTS
GET_ALL_REVOKED_CERTS
| - `pki/NOCCertificates/value/<VID>` | ||
| - `pki/ChildCertificates/value/<Certificate's Subject>/<Certificate's Subject Key ID>` | ||
| - CLI Command: | ||
| - `dcld tx pki add-noc-x509-cert --certificate=<string-or-path> --from=<account>` | ||
|
|
There was a problem hiding this comment.
Please rename NOC to NOC_ROOT and non-root NOC to NOC_ICA (in doc, code, state, CLI command).
There was a problem hiding this comment.
This will be implemented in a separate pull request.
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
# Conflicts: # docs/transactions.md
docs/transactions.md
Outdated
|
|
||
| **Status: Implemented** | ||
|
|
||
| Proposes a new self-signed root certificate. | ||
| Proposes a new PAA certificate. |
There was a problem hiding this comment.
Please clarify that a PAA is a root self-signed certificate.
| ### REVOKE_NOC_X509_ROOT_CERT | ||
| > **_Note:_** Multiple certificates can refer to the same `<Certificate's Subject>:<Certificate's Subject Key ID>` combination. | ||
|
|
||
| #### REVOKE_PAI |
There was a problem hiding this comment.
Please add a clarification how it's different from REMOVE_PAI
|
|
||
| ### GET_ALL_SUBJECT_X509_CERTS | ||
| #### REMOVE_PAI |
There was a problem hiding this comment.
Please add a clarification how it's different from REVOKE_PAI
|
|
||
| ### GET_PKI_REVOCATION_DISTRIBUTION_POINTS_BY_SUBJECT_KEY_ID | ||
| #### REVOKE_NOC_ROOT |
There was a problem hiding this comment.
Please clarify that revoke here means soft-delete (revoke certificates can be queried)
| - CLI Command: | ||
| - `dcld tx pki add-noc-x509-cert --certificate=<string-or-path> --from=<account>` | ||
|
|
||
| #### REVOKE_NOC_ICA |
There was a problem hiding this comment.
Please clarify that revoke here means soft-delete (revoke certificates can be queried)
| - REST API: | ||
| - GET `/dcl/pki/revoked-certificates/{subject}/{subject_key_id}` | ||
|
|
||
| #### GET_CERTS_BY_SKID |
There was a problem hiding this comment.
Please clarify that it works for all types of certificates (PAA, PAI, NOC_ROOT, NOC_ICA).
| - REST API: | ||
| - GET `/dcl/pki/certificates?subjectKeyId={subjectKeyId}` | ||
|
|
||
| #### GET_CERTS_BY_SUBJECT |
There was a problem hiding this comment.
Please clarify that it works for all types of certificates (PAA, PAI, NOC_ROOT, NOC_ICA).
| - REST API: | ||
| - GET `/dcl/pki/certificates/{subject}` | ||
|
|
||
| #### GET_CHILD_CERTS |
There was a problem hiding this comment.
Please clarify that it works for all types of certificates (PAA, PAI, NOC_ROOT, NOC_ICA).
| - REST API: | ||
| - GET `/dcl/pki/child-certificates/{subject}/{subject_key_id}` | ||
|
|
||
| #### GET_ALL_CERTS |
There was a problem hiding this comment.
Please clarify that it returns all certificates (PAA, PAI, NOC_ROOT, NOC_ICA).
| - REST API: | ||
| - GET `/dcl/pki/certificates` | ||
|
|
||
| #### GET_ALL_REVOKED_CERTS |
There was a problem hiding this comment.
Please clarify that it returns all revoked certificates (PAA, PAI, NOC_ROOT, NOC_ICA).
No description provided.