View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009328 | 10000-012: Discovery | Spec | public | 2023-12-21 21:00 | 2024-05-07 16:04 |
Reporter | Jack Visoky | Assigned To | Randy Armstrong | ||
Priority | normal | Severity | major | Reproducibility | sometimes |
Status | closed | Resolution | duplicate | ||
Product Version | 1.05.02 | ||||
Summary | 0009328: UpdateCertificate method has no way to include a CRL | ||||
Description | The UpdateCertificate method, as defined in Part 12, has no way of including a CRL. A stack following the specification exactly will not allow this method to actually update a certificate because it cannot be verified. A CRL could be loaded separately, but one of the use cases described for UpdateCertificate is for a new certificate based on a new signing request, in which case there would not be a previous CRL. A simple fix would be to include a parameter for a CRL in this method. | ||||
Steps To Reproduce | See above. | ||||
Tags | No tags attached. | ||||
Commit Version | |||||
Fix Due Date | |||||
duplicate of | 0009247 | closed | Randy Armstrong | Definition of "normal integrity checks" for the ServerConfiguration.UpdateCertificate method |
|
The GDS is expected to update the trustlist first with the CA and the new CRL. If the UpdateCertificate is missing a CRL needed to validate the new cert it should return applyChangesRequired=true and check if the CRL was uploaded as a separate operation. |
|
Regarding this issue which was discussed today (Jan 10, 2024) in the Security WG meeting. I spoke with an engineer at my company on this and got a little more clarity. The proposed workflow of updating the [1:06 PM] Randy Armstrong (OPC) |
|
The Server shall follow the validation process defined in OPC 10000-4 on the Certificate and all of the issuer Certificates. If errors occur the Bad_SecurityChecksFailed error is returned. Note that the validation process requires that the TrustList associated with the CertificateGroup already contain the Issuer Certificates and their CRLs or that the issuers support online CRL checks. |
|
Agreed to dup in web meeting. |
Date Modified | Username | Field | Change |
---|---|---|---|
2023-12-21 21:00 | Jack Visoky | New Issue | |
2023-12-21 22:25 | Randy Armstrong | Assigned To | => Randy Armstrong |
2023-12-21 22:25 | Randy Armstrong | Status | new => resolved |
2023-12-21 22:25 | Randy Armstrong | Resolution | open => no change required |
2023-12-21 22:25 | Randy Armstrong | Note Added: 0020547 | |
2024-01-10 23:31 | Randy Armstrong | Status | resolved => assigned |
2024-01-10 23:31 | Randy Armstrong | Note Added: 0020605 | |
2024-03-03 09:42 | Randy Armstrong | Relationship added | duplicate of 0009247 |
2024-03-03 09:43 | Randy Armstrong | Status | assigned => resolved |
2024-03-03 09:43 | Randy Armstrong | Resolution | no change required => duplicate |
2024-03-03 09:43 | Randy Armstrong | Note Added: 0020890 | |
2024-05-07 16:04 | Jim Luth | Status | resolved => closed |
2024-05-07 16:04 | Jim Luth | Note Added: 0021171 |
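
The precondition quoted in the notes above (the TrustList must already contain each issuer Certificate and its CRL, or the issuer must support online CRL checks), as an added example that is not part of the original issue or of the OPC UA specification. It is a simplified Python model: `Cert`, `TrustList` and `update_certificate` are hypothetical names, certificates are plain records with no signature checking, and all sample values are constructed.

```python
from dataclasses import dataclass, field

GOOD, BAD = "Good", "Bad_SecurityChecksFailed"   # status names as used on this page

@dataclass(frozen=True)
class Cert:                       # hypothetical stand-in for an X.509 certificate
    subject: str
    issuer: str
    serial: int
    online_crl: bool = False      # assumption: this CA supports online CRL checks

@dataclass
class TrustList:                  # hypothetical model of one CertificateGroup's TrustList
    issuers: dict = field(default_factory=dict)  # subject -> Cert
    crls: dict = field(default_factory=dict)     # issuer subject -> set of revoked serials

def update_certificate(trust_list, new_cert):
    """Model the server-side check: walk the issuer chain using only the TrustList."""
    cert, seen = new_cert, set()
    while True:
        if cert.subject in seen:
            return BAD, "issuer loop"
        seen.add(cert.subject)
        issuer = trust_list.issuers.get(cert.issuer)
        if issuer is None:
            return BAD, f"issuer {cert.issuer} not in TrustList"
        revoked = trust_list.crls.get(issuer.subject)
        if revoked is None and not issuer.online_crl:
            return BAD, f"no CRL for {issuer.subject}"   # the case this issue raises
        if revoked is not None and cert.serial in revoked:
            return BAD, f"{cert.subject} is revoked"
        if issuer.issuer == issuer.subject:              # reached a self-signed root
            return GOOD, "chain validated"
        cert = issuer

def demo():
    """Constructed data: push a new certificate before and after the CRL is in place."""
    root = Cert("CN=Example Root CA", "CN=Example Root CA", 1)
    new = Cert("CN=Example Server", root.subject, 42)
    tl, results = TrustList(), []
    results.append(update_certificate(tl, new))   # CA not yet in TrustList
    tl.issuers[root.subject] = root
    results.append(update_certificate(tl, new))   # CA present, CRL missing
    tl.crls[root.subject] = set()                 # empty CRL written first
    results.append(update_certificate(tl, new))   # now validates
    tl.crls[root.subject] = {42}
    results.append(update_certificate(tl, new))   # serial listed in CRL
    return results

if __name__ == "__main__":
    for status, reason in demo():
        print(status, "-", reason)
```

In this model the second call fails only because the CRL has not been written to the TrustList yet, which is the ordering dependency the notes discuss.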