Root certificates for Network Operational Credential (NOC) #524

Closed
ashcherbakov opened this issue Nov 10, 2023 · 3 comments

ashcherbakov commented Nov 10, 2023

Root CA that NOCs chain up to.
It's similar to ROOT_CERT transactions (see https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#x509-pki), but they are managed (publish/revoke) by Vendors and do not require Trustee approval.

Acceptance Criteria:

@ashcherbakov ashcherbakov added this to the v1.3: DCL 1.3 milestone Nov 10, 2023
@ashcherbakov ashcherbakov added the enhancement New feature or request label Nov 21, 2023
@ashcherbakov ashcherbakov changed the title from "Schema for Network Operational Credential (NOC)" to "Root certificates for Network Operational Credential (NOC)" Dec 19, 2023
@ashcherbakov ashcherbakov added this to To do in DCL 1.4 Jan 4, 2024
@ashcherbakov ashcherbakov moved this from To do to In progress in DCL 1.4 Jan 4, 2024
@ashcherbakov

PR with Design: #529
There are open questions: https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/design/noc-root-cert-design.md#questions that need to be discussed on the DCL TT call.

ashcherbakov commented Jan 4, 2024

Discussed the open questions on DCL TT call:

  • Should the vendor add a revocation distribution point for NOC certificates: NO, just revocation/remove (the same as for PAA Roots) is enough
  • Should the following queries return NOC Certificate?
    • GET_ALL_SUBJECT_X509_CERTS: YES
    • GET_ALL_X509_ROOT_CERTS: NO
    • GET_X509_CERT: YES
  • Should an additional field be added to the certificate schema to distinguish NOC certificates from common PAAs/PAIs: YES
  • Should a revoked NOC Root Certificate be stored in the revoked list, or should it be completely removed? TWO separate APIs: Remove (completely remove; needed in case of mistakes) and Revoke
  • If a NOC Root Certificate is revoked, should it be returned in the existing
    • GET_ALL_REVOKED_X509_ROOT_CERTS: NO
    • GET_REVOKED_CERT: YES

Other things to include/update design:

  • NOC certs are not VID-scoped (there is no VID field there)
  • When adding a NOC cert, need to check that there is no certificate with the same Subject+SKID already published by another vendor
  • A possibility to re-add removed NOC certificates
  • Intermediate certs (ICA) signed by NOC: can be published only by the Vendor who published the corresponding NOC
  • Need to update the docs/CLI calls names to distinguish between PAA/PAI and NOC/ICA certs. Need to do it in a compatible way.

Open questions:

  • Revocation distribution point for NOC Roots (to list revoked intermediate certificates signed by this NOC)
  • The current ADD_X509_CERT allows any account to add an Intermediate/leaf cert as long as the cert is chained back to a PAA (Root) on the ledger. Do we need to keep this API or disable/modify it?
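
The rules settled in the comment above (no other vendor may hold the same Subject+SKID, Revoke and Remove are separate operations, a removed root can be re-added, and only the root's publisher may publish an ICA under it), as an added Go example that is not DCL's own code. Every type and function name is hypothetical; it assumes a same-vendor re-add leaves the record unchanged and that a revoked record still reserves its Subject+SKID.

```go
package main

import "errors"

// Hypothetical in-memory model of the agreed rules; not DCL's own types or API.
type certKey struct{ Subject, SKID string }
type nocRoot struct {
	Vendor  int  // account that published the root (NOC certs carry no VID field)
	Revoked bool // set by Revoke; Remove deletes the record instead
}
type Ledger map[certKey]*nocRoot
var ErrNotPublisher = errors.New("NOC root is absent or was published by another vendor")

// AddNocRoot needs no Trustee approval: it claims a free Subject+SKID, else checks ownership.
func (l Ledger) AddNocRoot(vendor int, k certKey) error {
	if _, ok := l[k]; !ok {
		l[k] = &nocRoot{Vendor: vendor}
	}
	_, err := l.Authorize(vendor, k)
	return err
}

// Authorize gates vendor-only actions on a root, including publishing an ICA under it.
func (l Ledger) Authorize(vendor int, k certKey) (*nocRoot, error) {
	if r, ok := l[k]; ok && r.Vendor == vendor {
		return r, nil
	}
	return nil, ErrNotPublisher
}

// Revoke keeps the record, flagged; Remove erases it so the certificate can be re-added.
func (l Ledger) Revoke(vendor int, k certKey) error {
	r, err := l.Authorize(vendor, k)
	if err == nil {
		r.Revoked = true
	}
	return err
}

func (l Ledger) Remove(vendor int, k certKey) error {
	_, err := l.Authorize(vendor, k)
	if err == nil {
		delete(l, k)
	}
	return err
}

func main() {
	println(Ledger{}.AddNocRoot(1, certKey{"CN=Constructed NOC Root", "AA:BB"}) == nil)
}
```
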

akarabashov added a commit that referenced this issue Feb 20, 2024
…oot-certificate

#524 Implement adding and requesting root NOC certificates
Abdulbois added a commit that referenced this issue Mar 6, 2024
Enable revoking NOC Root certs

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 12, 2024
Enable revoking NOC Root certs

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 13, 2024
Enable revoking NOC Root certs

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 14, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 14, 2024
Minor refactoring due to comments of PR

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 15, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 15, 2024
Minor refactoring due to comments of PR

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
akarabashov added a commit that referenced this issue Mar 15, 2024
…oot-certs

#524 Enable revocation of NOC root certificates
Abdulbois added a commit that referenced this issue Mar 19, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Mar 20, 2024
Fix bug related to removing certs from subject-key-id map

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
akarabashov added a commit that referenced this issue Mar 20, 2024
…f-NOC-certs

#524 Enable revocation of NOC non-root certificates
@akarabashov akarabashov moved this from In progress to Done in DCL 1.4 Apr 4, 2024
@akarabashov

Implemented the addition (PR: #543) and revocation (PR: #550) of NOC ROOT certificates
Unit and integration tests are added
Docs are updated.

Abdulbois added a commit that referenced this issue Apr 26, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue Apr 27, 2024
Abdulbois added a commit that referenced this issue May 2, 2024
Abdulbois added a commit that referenced this issue May 2, 2024
Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue May 6, 2024
…ng-NOC-root-certs

Signed-off-by: Abdulbois <abdulbois123@gmail.com>
Abdulbois added a commit that referenced this issue May 7, 2024
Refactor impl

Signed-off-by: Abdulbois <abdulbois.tursunov@dsr-corporation.com>
Signed-off-by: Abdulbois <abdulbois123@gmail.com>
akarabashov added a commit that referenced this issue May 8, 2024
…-root-certs

#524 Enable removing NOC root certificates