View Issue Details

ID: 0006035
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 3 - Feature Request
View Status: public
Last Update: 2022-08-18 14:42
Reporter: Jim Luth
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 1.04
Summary: 0006035: Add clarifications regarding certificate replacement to 6.7 Re-establishing connections
Description

Based on further discussion in BSI-OPC UA Security WG Taskforce:

We should describe the concrete status code Bad_CertificateInvalid that indicates the server certificate change.

We should also describe the client certificate change. Maybe create even a sub chapter. We clarified TransferSubscription but we do not state any detail here.

Tags: No tags attached.
Files Affected

Relationships

related to 0006024 (closed, Matthias Damm) 10000-004: Services: Add clarifications regarding certificate replacement to 6.7 Re-establishing connections

Activities

Matthias Damm

2020-09-17 15:47

reporter   ~0012921

6.7 Re-establishing connections

Replaced:
Re-establishing the connection by creating a new SecureChannel may be rejected, because of a new Server Application Instance Certificate or other security errors. In case of security failures, the Client shall use the GetEndpoints Service to fetch the most up to date security information from the Server
With:
Re-establishing the connection by creating a new SecureChannel may be rejected, because of a new Server Application Instance Certificate or other security errors. OpenSecureChannel returns Bad_CertificateInvalid in the case of a new Server Application Instance Certificate. In case of security failures, the Client shall use the GetEndpoints Service to fetch the most up to date security information from the Server.
If the Client Application Instance Certificate is updated, the Client must create a new Session since the Session does not allow an update of the Client Application Instance Certificate. The Client shall try to transfer existing Subscriptions to the new Session. Transfer subscription must be accepted by a Server even for Anonymous user if the Client does not change, i.e. the ApplicationUri of the Client does not change.

Updated in OPC 10000-4 - UA Specification Part 4 - Services 1.05.0 Draft11.docx

Paul Hunkar

2020-10-02 16:06

administrator   ~0013013

This will need to be split to client and server side and possibly new testcase and scripts depending on how many issues we want to create.

Paul Hunkar

2020-10-15 16:33

administrator   ~0013060

We need to add test cases for the client changing the certificate it is using (with the transfer); we also need to investigate what other test cases we need to add (client side and Server side) - issue might be further split
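
The rules in the revised 6.7 text quoted in the first note, modelled as an added example (not part of this issue, the specification or the CTT scripts). All class and function names are hypothetical; the use of ActivateSession to reuse an existing Session, the Bad_UserAccessDenied rejection code, and the same-user requirement for non-Anonymous transfers are assumptions not stated on this page.

```python
# Illustrative model only; no OPC UA stack is used and all names are hypothetical.
from dataclasses import dataclass

GOOD = "Good"
BAD_CERTIFICATE_INVALID = "Bad_CertificateInvalid"  # status code named in the note
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"     # assumed rejection code


@dataclass(frozen=True)
class Session:
    application_uri: str  # ApplicationUri of the Client
    client_cert: str      # constructed placeholder for the certificate identity
    user: str             # "Anonymous" or a user name


def reconnect_steps(open_channel_status: str, client_cert_changed: bool) -> list:
    """Client side: ordered service calls after a connection loss (simplified)."""
    steps = ["OpenSecureChannel"]
    if open_channel_status != GOOD:
        # Security failure, e.g. Bad_CertificateInvalid for a new Server
        # certificate: fetch current security information, then retry.
        steps += ["GetEndpoints", "OpenSecureChannel"]
    if client_cert_changed:
        # A Session cannot take a new Client certificate: new Session + transfer.
        steps += ["CreateSession", "ActivateSession", "TransferSubscriptions"]
    else:
        steps += ["ActivateSession"]  # assumption: existing Session is reused
    return steps


def transfer_status(old: Session, new: Session) -> str:
    """Server side: may `new` take over Subscriptions owned by `old`?"""
    if old.user != new.user:
        return BAD_USER_ACCESS_DENIED  # assumption: the user must be the same
    if new.user == "Anonymous" and old.application_uri != new.application_uri:
        # Anonymous carries no user identity, so the Client is recognised by
        # its ApplicationUri.
        return BAD_USER_ACCESS_DENIED
    # client_cert is deliberately not compared: a replaced Client certificate
    # must not block the transfer.
    return GOOD


if __name__ == "__main__":
    old = Session("urn:example:client", "cert-A", "Anonymous")  # constructed values
    print(transfer_status(old, Session("urn:example:client", "cert-B", "Anonymous")))
    print(transfer_status(old, Session("urn:example:other", "cert-B", "Anonymous")))
    print(reconnect_steps(BAD_CERTIFICATE_INVALID, client_cert_changed=False))
```

The two `transfer_status` calls correspond to the positive and negative server-side cases a test for the client certificate change would need to cover.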

Issue History

Date Modified Username Field Change
2020-09-17 15:47 Jim Luth New Issue
2020-09-17 15:47 Jim Luth Issue generated from: 0006024
2020-09-17 15:47 Jim Luth Note Added: 0012921
2020-09-17 15:47 Jim Luth Relationship added related to 0006024
2020-09-17 15:47 Jim Luth Project 10000-004: Services => Compliance Test Tool (CTT) Unified Architecture
2020-09-17 15:47 Jim Luth Category Spec => Api Change
2020-10-02 16:06 Paul Hunkar Note Added: 0013013
2020-10-15 16:33 Paul Hunkar Category Api Change => 3 - Feature Request
2020-10-15 16:33 Paul Hunkar Note Added: 0013060
2020-10-15 16:34 Paul Hunkar Status new => acknowledged
2022-08-18 14:42 Paul Hunkar Assigned To => Paul Hunkar
2022-08-18 14:42 Paul Hunkar Status acknowledged => assigned