View Issue Details

ID: 0006940
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 3 - Feature Request
View Status: public
Last Update: 2022-08-18 14:29
Reporter: Jim Luth
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 1.04
Summary0006940: IdentityMappingType THUMBPRINT_2
Description

This criteriaType is the only one available for X509 user certificates.
However, the thumbprint of a certificate is "only" a hash, which changes whenever a certificate is renewed.
So if any user certificate is renewed, the "identities" of the Roles have to be adapted.
It is very unlikely that the hashes of 2 certificates are equal, but at least in theory it can happen.

The "real" information of a user certificate is the subject, where the user name shall be stored.
The subject is also used for "ClientUserId" of the AuditEventType.

I would suggest to add a new criteriaType (e.g. SUBJECT_7) which can be used for X509 certificates (or its CA).

Tags: No tags attached.
Files Affected

Relationships

related to 0005836 (closed, Matthias Damm): 10000-018: Role-Based Security - IdentityMappingType THUMBPRINT_2

Activities

Jeff Harding

2021-05-11 15:41

reporter   ~0014347

Need to reassign this to Part 18

Matthias Damm

2021-05-11 15:41

reporter   ~0014348

I got the following (similar) feedback from my colleagues:

The string representation of the Thumbprint is not defined.
A HEX representation is assumed, but we also need to define whether the letters are upper case or lower case.

But even if the string format were defined, this always needs to be updated when the certificate is updated.

It would not be possible to separate trust list management from identity mapping.

We should have another criteriaType CommonName

Matthias Damm

2021-05-11 15:41

reporter   ~0014349

Added clarification to
4.4.3 IdentityMappingRuleType
The thumbprint shall be encoded as hexadecimal numbers with upper case characters and without spaces.

Added new type to
Table 8 – IdentityCriteriaType Values
SubjectName | 8 | The rule specifies the Common Name (CN) of a User or CA Certificate.

Added in
OPC 10000-18 - UA Specification Part 18 - Role-Based Security 1.05.0 Draft7.docx
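
The two rule types discussed above (THUMBPRINT_2 in the description, and the pinned hex encoding plus the new SubjectName type 8 in note ~0014349), as an added Go example. This is not code from the issue, the CTT, or the Part 18 specification. It assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate (as elsewhere in OPC UA), takes the numeric values 2 and 8 from the note, and constructs an in-memory CA, a user certificate for "alice", a renewed certificate with the same CN, and a self-signed impostor with the same CN; the IdentityMappingRule struct and the function names are made up for the example. It shows that renewal changes the thumbprint but not the CN, and that a SubjectName rule is only safe when it is applied after chain validation against the trust list, since the CN alone is attacker-choosable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IdentityCriteriaType values: 2 is THUMBPRINT_2 from the issue, 8 is the
// SubjectName value proposed in note ~0014349 (values taken from the page).
const (
	CriteriaThumbprint  = 2
	CriteriaSubjectName = 8
)

// IdentityMappingRule is a hypothetical stand-in for Part 18's IdentityMappingRuleType.
type IdentityMappingRule struct {
	CriteriaType int
	Criteria     string
}

// Thumbprint encodes the certificate hash as upper-case hex without spaces, the
// encoding note ~0014349 pins down. SHA-1 over the DER bytes is assumed here.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// NormalizeThumbprint accepts rules written before the encoding was pinned
// (lower-case or space-separated hex) and maps them onto Thumbprint's form.
func NormalizeThumbprint(s string) string {
	return strings.ToUpper(strings.Join(strings.Fields(s), ""))
}

// Trusted reports whether cert chains to one of the trust-list roots.
func Trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := cert.Verify(opts)
	return err == nil
}

// RuleMatches applies a rule to a presented user certificate. Chain validation
// comes first for both types: a CN is free for anyone to put in a self-signed
// certificate, so SubjectName without trust validation would be a bypass.
func RuleMatches(rule IdentityMappingRule, cert *x509.Certificate, roots *x509.CertPool) bool {
	if !Trusted(cert, roots) {
		return false
	}
	switch rule.CriteriaType {
	case CriteriaThumbprint:
		return NormalizeThumbprint(rule.Criteria) == Thumbprint(cert)
	case CriteriaSubjectName:
		return cert.Subject.CommonName == rule.Criteria
	}
	return false
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario is constructed test data: a CA, a user certificate, a renewed one
// with the same CN, and an attacker-minted self-signed certificate with that CN.
type Scenario struct {
	Roots                   *x509.CertPool
	User, Renewed, Impostor *x509.Certificate
}

func BuildScenario() Scenario {
	ca, caKey := issue("Example User CA", true, nil, nil)
	user, _ := issue("alice", false, ca, caKey)
	renewed, _ := issue("alice", false, ca, caKey)
	impostor, _ := issue("alice", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scenario{Roots: roots, User: user, Renewed: renewed, Impostor: impostor}
}

func main() {
	s := BuildScenario()
	// A rule written in lower case still matches thanks to NormalizeThumbprint.
	thumbRule := IdentityMappingRule{CriteriaThumbprint, strings.ToLower(Thumbprint(s.User))}
	cnRule := IdentityMappingRule{CriteriaSubjectName, "alice"}
	fmt.Println("original thumbprint:", Thumbprint(s.User))
	fmt.Println("renewed  thumbprint:", Thumbprint(s.Renewed))
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"user", s.User}, {"renewed", s.Renewed}, {"impostor", s.Impostor}} {
		fmt.Printf("%-8s THUMBPRINT_2=%v SubjectName=%v\n", c.name,
			RuleMatches(thumbRule, c.cert, s.Roots), RuleMatches(cnRule, c.cert, s.Roots))
	}
}
```

Running it prints two different 40-character thumbprints and a table in which the original certificate matches both rules, the renewed one matches only the SubjectName rule, and the impostor matches neither despite carrying CN "alice". That is the operational point of the issue: a thumbprint rule has to be re-entered on every renewal, while a SubjectName rule survives renewal but delegates the identity decision to the trust list, so the two cannot be separated from trust-list management.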

Paul Hunkar

2021-05-13 14:47

administrator   ~0014371

Part of Adding roles to testing

Issue History

Date Modified Username Field Change
2021-05-11 15:41 Jim Luth New Issue
2021-05-11 15:41 Jim Luth Issue generated from: 0005836
2021-05-11 15:41 Jim Luth Note Added: 0014347
2021-05-11 15:41 Jim Luth Note Added: 0014348
2021-05-11 15:41 Jim Luth Note Added: 0014349
2021-05-11 15:41 Jim Luth Relationship added related to 0005836
2021-05-11 15:42 Jim Luth Project 10000-018: Role-Based Security => Compliance Test Tool (CTT) Unified Architecture
2021-05-11 15:42 Jim Luth Category Spec => Api Change
2021-05-13 14:47 Paul Hunkar Category Api Change => 3 - Feature Request
2021-05-13 14:47 Paul Hunkar Assigned To => Paul Hunkar
2021-05-13 14:47 Paul Hunkar Status new => acknowledged
2021-05-13 14:47 Paul Hunkar Note Added: 0014371
2022-08-18 14:29 Paul Hunkar Status acknowledged => assigned