docs: cryptography fix, refactor and refer to draft#4933
Conversation
romshark
force-pushed
the
docs-cryptography-fix-and-refer-to-draft
branch
from
2840b6a to
f8572ad
Compare
tzaeschke
left a comment
tzaeschke
left a comment
There was a problem hiding this comment.
I think we need to clarify what the intention of this document is.
I think the intention should be to give the reader a good understanding of how it works. The details can be left to the spec.
Currently the document seems a bit confused, some things are mentioned multiple times, e.g. sensitive vs regular updates and that the former concern policy and quorum). Other things are not mentioned at all anymore, like who is actually voting on these updates and what quorum and policy mean.
Basically, I would keep most of the text and remove only normative language and code blocks.
| All constraints in :ref:`general-certificate-requirements` apply to **CP Root Certificates**. | ||
| **CP Root Certificates** state which ASes are CA ASes for an ISD. They are | ||
| self-signed CA certificates owned by CA ASes, and are embedded in TRCs to | ||
| bootstrap trust (see the :doc:`TRC Specification <trc>`). Their full profile — |
| (``issuer`` and ``subject`` are the same entity). They are owned by CA ASes. | ||
|
|
||
| **CP CA Certificates** are signed by **CP Root Certificates**. | ||
| **CP CA Certificates** are used by CA ASes to sign **CP AS Certificates**. They |
There was a problem hiding this comment.
Remove "-"?
Also, this paragraph seems like an exact copy of the previous section (replacing some keywords only).
| AttributeValue ::= ANY | ||
|
|
||
| SignatureValue ::= OCTET STRING | ||
| ================= |
There was a problem hiding this comment.
| ================= | |
| ================= | |
| ----------------- |
Not sure this should be a new Chapter?
| are specified in `Certification Path — Trust Anchor Pool | ||
| <https://www.ietf.org/archive/id/draft-dekater-scion-pki-13.html#name-certification-path-trust-an>`_. | ||
|
|
||
| Voting Certificate |
There was a problem hiding this comment.
This section doesn't appear to contain any(much) new information, maybe merge it with TRC Update above?
| implies, that the signer infos can be reordered without affecting verification. | ||
|
|
||
| **Two TRCs are equal, if and only if their payloads are byte equal.** | ||
| Two TRCs are equal if and only if their payloads are byte-equal; this is sufficient |
There was a problem hiding this comment.
This section doesn't explain why equality is relevant and discussed here. Maybe just keep the old text?
| votes are cast by a **Sensitive Voting Certificate**. In both cases, the relying | ||
| party checks that all signatures are verifiable, and no superfluous signatures | ||
| are attached. | ||
| A TRC update is either a **regular update** (routine re-issuance with unchanged |
There was a problem hiding this comment.
I think we should keep the text about base numbers increments etc. This is important for the understanding how this works.
| .. _trc-format: | ||
|
|
||
| TRC Format | ||
| ========== |
There was a problem hiding this comment.
I think much of the text in this section is actually useful, e.g. explaining authorative ASes, Voting ASes, core ASes. See my general comment.
There was a problem hiding this comment.
+1, I think here it could be useful to add figure 1 or 2 from the PKI draft, since it gives the reader a quick overview
"MUST reject cryptographic algorithms not found on the list" is wrong.
Cryptography:In the main page (Cryptography), have a brief paragraph explaining the purpose of it and scionproto's relation to the draft, something like:
Certificate Specification
TRC
Leaving more comments on the change directly |
|
|
||
| This document contains the specification for **Control Plane (CP) Root | ||
| Certificates**, **CP CA Certificates** and **CP AS Certificates**. | ||
| SCION uses three types of X.509 v3 **Control Plane (CP) certificates** that build |
There was a problem hiding this comment.
Four, there are also Voting Certificates.
There was a problem hiding this comment.
Additionally, SCION uses two **voting certificates** - the *sensitive voting
certificate* and the *regular voting certificate* - which carry the keys that
cast votes in the TRC update process (see the :doc:`TRC Specification <trc>`).How about appending that after the list of CP certs?
There was a problem hiding this comment.
I've applied this for now, but let me know whether it's good.
| - **CP Root Certificate** — a self-signed CA certificate, owned by a CA AS and | ||
| embedded in a TRC, that signals which ASes may act as certificate authorities in | ||
| an ISD. | ||
| - **CP CA Certificate** — used by a CA AS to sign CP AS certificates. |
There was a problem hiding this comment.
IN the draft, we call them Issuing CA certificates. Not sure if you wan to align or not
|
|
||
| .. _cp-root-certificate: | ||
|
|
||
| CP Root Certificate |
There was a problem hiding this comment.
Maybe this paragraph could go in the bullets in the introduction?
(same for CP CA Certificate and CP AS Certificate)
| Certificate | ||
| <https://www.ietf.org/archive/id/draft-dekater-scion-pki-13.html#name-control-plane-root-certific>`_. | ||
|
|
||
| The recommended maximum validity period of a **CP Root certificate** is 1 year. |
There was a problem hiding this comment.
Maybe in the intro you could mention that PKI relies on short-lived certificates, and that the recommended max validity is in the draft Table 2: Certificates
| verifiable at time of use. We cannot simply rely on them being verified on | ||
| insert, since TRC updates that change the root key can invalidate a certificate | ||
| chain. | ||
| Most SCION control-plane messages (for example, each AS's hop information in a path |
There was a problem hiding this comment.
MostSCION control-plane messages .. are signed
I think they are all signed
There was a problem hiding this comment.
Are ChainsRequest and ChainsResponse signed?
| Cryptographic Material | ||
| <https://scionassociation.github.io/scion-cp_I-D/draft-dekater-scion-controlplane.html#name-distribution-of-cryptograph>`_. | ||
|
|
There was a problem hiding this comment.
There is also another section: 2.5. Renewal of Cryptographic Material
| Query: ISD | ||
| Response: ISD, serial number, base number, signature | ||
|
|
||
| The requester asks what the latest TRC for a given ISD known to the requestee |
There was a problem hiding this comment.
I think all the text below could be removed, and you could have just a little bit of text above explaining key interactions, then pointing to the spec for the RPCs.
| The TRC payload is a DER-encoded container holding the ISD's policy fields and the | ||
| set of self-signed certificates that anchor trust for the ISD. Its schema, fields | ||
| and the constraints on the certificate set are specified in `TRC Fields | ||
| <https://www.ietf.org/archive/id/draft-dekater-scion-pki-13.html#name-trc-fields>`_. |
There was a problem hiding this comment.
I would specifically link its fields, but also its ASN.1 module in the appendix.
3 participants
Instead of duplicating info on doc pages - simplify and refer to IETF drafts; specifically HTML in the latest version (currently 13: https://www.ietf.org/archive/id/draft-dekater-scion-pki-13.html)
Docs are giving a big picture introduction and leave the details to the actual spec.
This also fixes incorrect docs: