View Issue Details

ID: 0010309
Project: Part 84: UAFX Profiles
Category: Spec
View Status: public
Last Update: 2025-06-18 18:34
Reporter: Jan Murzyn
Assigned To: Bob Lattimer
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 1.00.03
Fixed in Version: 1.00.03
Summary: 0010309: User Token – X509 Certificate Client Facet not needed in UAFX ConnectionManager Client Facet
Description

- Connection Manager shall not need to use user-level authentication. According to Part 81, the ConnectionAdmin Role “is intended to be a non-human Role.” As a non-human Role, it will typically be bound to the CM application (application certificate), not to the user.

- I think this facet should be removed from here, or at least become optional.

- This was discussed in the Prototyping WG meeting on 2025/01/30 and everyone agreed that it's irrelevant.
  Additionally, it was pointed out that if it were to stay here as mandatory, we would need some additional parameter in the CCS to tell the CM which user account to use when connecting to the AC.

Tags: No tags attached.

Activities

Bob Lattimer

2025-05-14 13:33

developer   ~0022739

Discussed during the 5/14/2025 AWG meeting.

A ConnectionManager may use an application certificate, but doesn't require a User certificate. This could be a security issue and should be discussed with the Security WG before making a final decision.

David Smith will discuss this with the Security WG, and we will discuss this at the F2F meeting in Esslingen in June.

Greg Majcher

2025-06-04 13:20

manager   ~0022955

Assigned to David Smith and the Security WG

David_Andover Smith

2025-06-11 19:34

reporter   ~0023005

Response from Randy Armstrong on proper behavior of non-human client connecting to server:

Clients should never use their application certificate as a ‘user certificate’.
“User certificates” are intended to identify humans not applications.
If a “User certificate” does not identify a human it better be a different certificate than the application certificate.

The proper way to use application authentication is to use the Anonymous UserIdentity.

I agree with Jan, the "Certificate Client Facet" can be removed from the Connection Manager Client Facet.
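
The guidance quoted in the note above can be checked on the server side. The following is an added example, not part of the issue or of any OPC Foundation code: it audits session records for an application certificate reused as an X509 user certificate and for non-human clients that present a user token instead of Anonymous. The `SessionRecord` fields, the finding strings and the sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SessionRecord:
    """One session activation (hypothetical record layout, constructed data)."""
    client: str
    app_cert_der: bytes                  # application instance certificate (DER)
    token_type: str                      # "Anonymous", "UserName" or "X509"
    user_cert_der: Optional[bytes] = None
    non_human: bool = False              # e.g. a client in the ConnectionAdmin Role


def thumbprint(der: bytes) -> str:
    # OPC UA identifies a certificate by the SHA-1 digest of its DER encoding.
    return hashlib.sha1(der).hexdigest()


def audit(rec: SessionRecord) -> List[str]:
    """Return policy findings for one session; an empty list means none."""
    findings = []
    if rec.token_type == "X509":
        if rec.user_cert_der is None:
            findings.append("x509-token-missing-certificate")
        elif thumbprint(rec.user_cert_der) == thumbprint(rec.app_cert_der):
            # The application certificate must never double as a user certificate.
            findings.append("app-certificate-reused-as-user-certificate")
    if rec.non_human and rec.token_type != "Anonymous":
        # Advisory: application authentication is expected to use Anonymous.
        findings.append("review:non-human-client-with-user-token")
    return findings


# Constructed byte strings standing in for DER-encoded certificates.
CM_APP = b"constructed-der:connection-manager-application"
OTHER = b"constructed-der:separate-identity"

SAMPLES = [
    SessionRecord("cm-anonymous", CM_APP, "Anonymous", non_human=True),
    SessionRecord("cm-reuses-app-cert", CM_APP, "X509", CM_APP, non_human=True),
    SessionRecord("cm-separate-cert", CM_APP, "X509", OTHER, non_human=True),
    SessionRecord("human-operator", CM_APP, "X509", OTHER),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.client, audit(rec) or "ok")
```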

Bob Lattimer

2025-06-17 22:08

developer   ~0023022

The Facet was removed from the UAFX ConnectionManager Client 2024 Facet. The Profile Database is also updated.

Issue History

Date Modified Username Field Change
2025-04-28 19:27 Jan Murzyn New Issue
2025-05-14 13:33 Bob Lattimer Note Added: 0022739
2025-06-04 13:20 Greg Majcher Status new => assigned
2025-06-04 13:20 Greg Majcher Note Added: 0022955
2025-06-04 13:22 Greg Majcher Target Version => 1.00.03
2025-06-11 14:39 Bob Lattimer Assigned To => Bob Lattimer
2025-06-11 19:34 David_Andover Smith Note Added: 0023005
2025-06-17 22:08 Bob Lattimer Status assigned => resolved
2025-06-17 22:08 Bob Lattimer Resolution open => fixed
2025-06-17 22:08 Bob Lattimer Fixed in Version => 1.00.03
2025-06-17 22:08 Bob Lattimer Note Added: 0023022
2025-06-18 18:34 Kenneth Lee Status resolved => closed