View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
000932810000-012: DiscoverySpecpublic2023-12-21 21:002024-05-07 16:04
ReporterJack Visoky Assigned ToRandy Armstrong  
PrioritynormalSeveritymajorReproducibilitysometimes
Status closedResolutionduplicate 
Product Version1.05.02 
Summary0009328: UpdateCertificate method has no way to include a CRL
Description

The UpdateCertificate method, as defined in Party 12, has no way of including a CRL. A stack following the specification exactly will not allow this method to actually update a certificate because it cannot be verified. A CRL could be loaded separately, but one of the use cases described for UpdateCertificate is for a new certificate based on a new signing request, in which case there would not be a previous CRL. A simple fix would be to include a parameter for a CRL in this method.

Steps To Reproduce

See above.

TagsNo tags attached.
Commit Version
Fix Due Date

Relationships

duplicate of 0009247 closedRandy Armstrong Definition of "normal integrity checks" for the ServerConfiguration.UpdateCertificate method 

Activities

Randy Armstrong

2023-12-21 22:25

administrator   ~0020547

The GDS is expected to update the trustlist first with the CA and the new CRL.

If the UpdateCertificate is missing a CRL needed to validate the new cert it should return applyChangesRequired=true and check if the CRL was uploaded as a separate operation.

Randy Armstrong

2024-01-10 23:31

administrator   ~0020605

Regarding this issue which was discussed today (Jan 10, 2024) in the Security WG meeting. I spoke with an engineer at my company on this and got a little more clarity. The proposed workflow of updating the
TrustList
first and then provisioning the
Certificate
is perfectly fine. However, the issue/question is regarding the text in Part 12. In Part 12, the
UpdateCertificate
method has a parameter "issuerCertificates", with the description "The issuer
Certificates
needed to verify the signature on the new
Certificate
". This implies that rather than using an existing
TrustList
this parameter is used to verify the
Certificate
, in which case we have this problem of not having a CRL. So I think if we want to use the workflow where an existing
TrustList
verifies the
Certificate
then we should update the spec to be clear about that.

[1:06 PM] Randy Armstrong (OPC)
The issuers argument should be deprecated with text indicating the transaction approach

Randy Armstrong

2024-03-03 09:43

administrator   ~0020890

The Server shall follow the validation process defined in OPC 10000-4 on the Certificate and all of the issuer Certificates. If errors occur the Bad_SecurityChecksFailed error is returned. Note that the validation process requires that the TrustList associated with the CertificateGroup already contain the Issuer Certificates and their CRLs or that the issuers support online CRL checks.

Jim Luth

2024-05-07 16:04

administrator   ~0021171

Agreed to dup in web meeting.

Issue History

Date Modified Username Field Change
2023-12-21 21:00 Jack Visoky New Issue
2023-12-21 22:25 Randy Armstrong Assigned To => Randy Armstrong
2023-12-21 22:25 Randy Armstrong Status new => resolved
2023-12-21 22:25 Randy Armstrong Resolution open => no change required
2023-12-21 22:25 Randy Armstrong Note Added: 0020547
2024-01-10 23:31 Randy Armstrong Status resolved => assigned
2024-01-10 23:31 Randy Armstrong Note Added: 0020605
2024-03-03 09:42 Randy Armstrong Relationship added duplicate of 0009247
2024-03-03 09:43 Randy Armstrong Status assigned => resolved
2024-03-03 09:43 Randy Armstrong Resolution no change required => duplicate
2024-03-03 09:43 Randy Armstrong Note Added: 0020890
2024-05-07 16:04 Jim Luth Status resolved => closed
2024-05-07 16:04 Jim Luth Note Added: 0021171