reword "allowed"
nicorusti committed Jun 13, 2024
1 parent 020591c commit 7a27487
Showing 1 changed file with 5 additions and 13 deletions.
18 changes: 5 additions & 13 deletions draft-dekater-scion-pki.md
Expand Up @@ -482,18 +482,14 @@ The recommended **maximum validity period** of a sensitive voting certificate is

All certificates used in the SCION control-plane PKI are X.509 v3 certificates. However, the SCION specification is in some places more restrictive. This section defines these additional constraints and conditions compared to {{RFC5280}} for each type of SCION control-plane PKI certificate.

**Note**: The settings for the SCION-specific constraints and conditions are based on the SCION open-source implementation [scionproto](https://github.com/scionproto/scion/). Adjusting these settings to the requirements of a customer implementation may be possible and is allowed.

### Basic Fields: SCION-Specific Constraints and Conditions

This section briefly describes the fields of the SCION control-plane PKI certificates based on X.509. These fields are relevant for each SCION certificate used in the control plane, regardless of the certificate type. For detailed descriptions of the full generic format of X.509 v3 certificates, see {{RFC5280}} and [X509](https://handle.itu.int/11.1002/1000/13031), clause 7.2. Additionally, the section lists the SCION-specific constraints and conditions compared to {{RFC5280}}, per certificate field.

`TBSCertificate` sequence: Contains information associated with the subject of the certificate and the CA that issued it. It includes the following fields:

- `version` field: Describes the version of the encoded certificate.

- **SCION constraints**: "v1" and "v2" are not allowed.
- **Additional conditions and remarks**: MUST be set to "v3" (as extensions are used and mandatory in SCION).
- `version` field: Describes the version of the encoded certificate. It MUST be set to "v3" (as extensions are used and mandatory in SCION).

- `serialNumber` field: A positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA.
- `signature` field: Contains the identifier for the algorithm used by the CA to sign the certificate.
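Review bot: folding the constraint into the `version` bullet leaves this field presented differently from the others in the same list, which still carry a "**SCION constraints**" sub-bullet (see the `signature` field a few lines below); either convert the remaining fields in the same way or keep the sub-bullet here so a reader scanning for constraints finds them in one place. It would also help implementers to say "v3" is encoded as the INTEGER value 2 in the `Version` field per RFC 5280, since that is the value a validator actually checks.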
Expand Down Expand Up @@ -528,13 +524,9 @@ This section briefly describes the fields of the SCION control-plane PKI certifi

- **SCION constraints**: For constraints regarding the algorithm, see the `signature` field.

- `issuerUniqueID` field: If set, it enables reusing the issuer name over time.

- **SCION constraints**: This field is disallowed in SCION and MUST NOT be used.

- `subjectUniqueID` field: If set, it enables reusing the subject name over time.
- `issuerUniqueID` field: it MUST NOT be used.

- **SCION constraints**: This field is disallowed in SCION and MUST NOT be used.
- `subjectUniqueID` field: it MUST NOT be used.

- `extensions` sequence: Defines the extensions of the certificate. For a description of all extensions used in SCION, see [](#exts).

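Review bot: the two new bullets start with a lowercase "it" after the colon, unlike every other item in this list ("A positive integer ...", "Contains the identifier ..."); suggest "This field MUST NOT be used." for both `issuerUniqueID` and `subjectUniqueID`. More importantly, RFC 5280 already forbids conforming CAs from generating certificates with unique identifiers while asking applications to still parse them, so this section, which claims to list constraints that go beyond RFC 5280, should state whether a SCION verifier MUST reject a certificate that carries either field; without that the requirement binds issuers but gives validators nothing to enforce.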
Expand Down Expand Up @@ -712,7 +704,7 @@ The `basicConstraints` extension specifies whether the certificate subject may a
The `basicConstraints` extension includes the following attributes relevant for SCION:

- `cA` attribute: Specifies whether the certificate subject may act as a CA. If yes, this attribute MUST be set to TRUE.
- `pathLenConstraint` attribute: This attribute is only relevant if the `cA` attribute is set to TRUE. It specifies the maximum number of CA certificates that may follow this CA certificate in the certification chain. Value "0" means that this CA may only issue end-entity certificates, but no CA certificates. If the attribute is not set, there is no limit to the allowed length of the certification path.
- `pathLenConstraint` attribute: This attribute is only relevant if the `cA` attribute is set to TRUE. It specifies the maximum number of CA certificates that may follow this CA certificate in the certification chain. Value "0" means that this CA may only issue end-entity certificates, but no CA certificates. If the attribute is not set, there is no limit to the maximum length of the certification path.

The settings of the `basicConstraints` extension differ for each SCION control-plane PKI certificate type. The next table shows the specifications per certificate type.

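Review bot: "no limit to the maximum length" reads oddly after "maximum number of CA certificates" in the same sentence; "no limit on the length of the certification path" says the same thing without repeating "maximum". Separately, RFC 5280 phrases the count as non-self-issued intermediate certificates, which the "CA certificates" wording here does not capture; worth aligning, since a validator counting self-issued CA certificates would reject paths the RFC accepts.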
Expand Down Expand Up @@ -935,7 +927,7 @@ The value of the `gracePeriod` field in a base TRC MUST be zero. The value of th

##### `noTrustReset` Boolean {#notrustreset}

The `noTrustReset` Boolean specifies whether a trust reset is forbidden by the ISD. Within a TRC update chain, this value CANNOT be changed by a regular or sensitive update. However, it is possible to change the `noTrustReset` value in the event of a trust reset, where a new base TRC is created.
The `noTrustReset` Boolean specifies whether a trust reset is forbidden by the ISD. Within a TRC update chain, this value MUST NOT be changed by a regular or sensitive update. However, it is possible to change the `noTrustReset` value in the event of a trust reset, where a new base TRC is created.

The `noTrustReset` field is optional and defaults to FALSE.

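Review bot: changing CANNOT to MUST NOT makes this a normative requirement on the TRC update, but the text does not say what a verifier does when a candidate regular or sensitive update does change `noTrustReset`; add an explicit verification rule (the update MUST be rejected) so the requirement is enforceable rather than only descriptive. Since the field is optional and defaults to FALSE, the rule should also state that omitting the field in an update counts as FALSE for this comparison.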
