gnoi cert.proto: Need clarity on certificate validation during install and rotate #86

Open
Devendra-Vamsi opened this issue Jul 15, 2022 · 1 comment

@Devendra-Vamsi

Section "Validate installed certificate" from page https://github.com/openconfig/gnoi/blob/master/docs/simplified_security_model.md#validate-installed-certificate insists that the target device needs to verify the new certificate (let's say ee-cert1) being installed with a CA cert (let's say ca-cert1) in the CA pool.

  1. Is the target device guaranteed to be provided with that CA cert (ca-cert1) from the gNOI client beforehand?
  2. If the CA cert (ca-cert1) is not present or if the certificate (ee-cert1) verification fails with the CA cert (ca-cert1), should the target device fail the install RPC?
  3. Is the expected behavior applicable for the rotate() RPC as well?

@samribeiro (Member)

  1. yes, either via a previous gNOI install using the ca_certificates field (https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L303) or during the same install using the same field, or via another mechanism that is not gNOI;

  2. yes;

  3. yes;

@samribeiro samribeiro self-assigned this Jul 20, 2022
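
The target-side check confirmed in the answers above, as an added Go example (not code from the gNOI project or from this thread): the new certificate must chain to a CA that is already trusted or supplied in the same request, otherwise the RPC fails. `issue`, `validateNewCert` and `demo` are hypothetical names, and the certificates are constructed test material generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: test material only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validateNewCert is a hypothetical target-side check shared by Install and Rotate.
func validateNewCert(ee *x509.Certificate, trusted, bundled []*x509.Certificate) error {
	pool := x509.NewCertPool() // explicit pool, so system roots are never consulted
	for _, c := range append(append([]*x509.Certificate{}, trusted...), bundled...) {
		pool.AddCert(c) // CAs from an earlier install plus those sent in this request
	}
	if _, err := ee.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return fmt.Errorf("rejecting certificate, RPC must fail: %w", err)
	}
	return nil
}

// demo covers: issuing CA absent, only an unrelated CA present, CA bundled in the request.
func demo() (noCA, wrongCA, bundledCA error) {
	ca1, k1 := issue("ca-cert1", nil, nil)
	ca2, _ := issue("ca-cert2", nil, nil)
	ee1, _ := issue("ee-cert1", ca1, k1)
	return validateNewCert(ee1, nil, nil), validateNewCert(ee1, []*x509.Certificate{ca2}, nil),
		validateNewCert(ee1, nil, []*x509.Certificate{ca1})
}
func main() { fmt.Println(demo()) }
```

The first two results are errors (unknown authority) and the third is nil, matching answers 1 and 2; per answer 3 the same check applies to rotate.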