Clarify in Part 4 expected behavior when a Cert is renewed.

Needs 1.04 Errata.

Just a comment on your discussion to my issue:

Part 12 states for applyChanges

If the Server Certificate has changed, Secure Channels using the old Certificate will eventually be interrupted. The only leeway the Server has is with the timing. In the best case, the Server can close the TransportConnections for the affected Endpoints and leave any Subscriptions intact. This should appear no different than a network interruption from the perspective of the Client. The Client should be prepared to deal with Certificate changes during its reconnect logic.

How can the subscriptions be kept intact if we have to kill the session ?

Need to recommend that client certificate changes should behave like a redundant client failover where a new session is created and the subscriptions are transferred.

The problem is that TransferSubscription is optional and only works if the user is the same (does not work with anonymous used with headless clients)

ActivateSession:
We should allow a new Certificate if the ApplicationInstanceUri matches the previous certificate. With security activiated, the certificate must be trusted anyhow and the trust of applications with an ApplicationInstanceUri must already be handled right when managing the trust list.

TransferSubscription:
We should allow TransferSubscription if security is activated and the ApplicationInstanceUri is the same like the ApplicationInstanceUri of the old session.

For ActivateSession it does not help to allow new certificates with the same ApplicationInstanceUri since there is also a signature check for a signature created by the client with the private key and checked with the public key provided in CreateSession. This check fails as soon as the client changes the private key. This is recomended when creating new certificates.

The only option I can see at the moment is an additional method that allows the change of the Client Certificate on an existing Session.

The only possible short term enhancement is the descibed clarification for TransferSubscription to make this more reliable.

If the client certificate is replaced, a new Session is required. There is no way around this.
The only thing we can do is to make TransferSubscription work for more combination for this case (allow Anonymous token if application stays the same).

Added following clarification to
OPC 10000-4 - UA Specification Part 4 - Services Draft 1.05.07.docx

5.13.7 TransferSubscriptions

Added:
If the Client uses an ANONYMOUS_0 user token, the Server shall validate if the ApplicationUri is the same for the old and the new Session and the MessageSecurityMode is SIGN_2 or SIGNANDENCRYPT_3.

Agreed to changes in Dallas meeting.