
Add an algorithm for setting the agent certificate serial number

Open markafoltz opened this issue 3 years ago • 1 comments

This addresses Issue #276: Agent Certificate has a circular dependency on itself

We can't use the certificate fingerprint as the serial number, because the serial number is embedded in the certificate itself.

X.509 requires every certificate from the same issuer to have a unique (not necessarily consecutive) serial number.

This PR adds a simple algorithm to generate a unique per-agent serial number per certificate. Even if an agent generates a new certificate once per hour, the counter would take almost 500,000 years to overflow :-P


markafoltz avatar Sep 07 '22 21:09 markafoltz
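
The circular dependency described above, and a counter-based serial that avoids it, as an added example that is not code from this PR or from the Open Screen Protocol spec. The toy certificate encoding, the 64-bit random base, the 32-bit counter width and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

COUNTER_BITS = 32  # assumption: the page does not state the counter width


def der_integer(value):
    """Minimal DER INTEGER for a non-negative value under 128 content bytes."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body


def toy_certificate(serial, subject=b"constructed-agent"):
    """Constructed stand-in for a certificate: the serial is in the hashed bytes."""
    return der_integer(serial) + subject


def fingerprint(cert):
    return int.from_bytes(hashlib.sha256(cert).digest(), "big")


def fingerprint_serial_converges(rounds=5):
    """Re-issue with serial = previous fingerprint; True only at a fixed point."""
    serial = 0
    for _ in range(rounds):
        fp = fingerprint(toy_certificate(serial))
        if fp == serial:
            return True
        serial = fp  # embedding the fingerprint changes the bytes, and so the hash
    return False


class SerialAllocator:
    """Hypothetical scheme: random per-agent base followed by a counter."""

    def __init__(self, base=None):
        self.base = secrets.randbits(64) if base is None else base
        self.counter = 0

    def next_serial(self):
        if self.counter >= 2 ** COUNTER_BITS:
            raise OverflowError("counter exhausted; pick a new base")
        serial = (self.base << COUNTER_BITS) | self.counter
        self.counter += 1
        return serial


def years_until_overflow(certs_per_hour=1.0):
    return 2 ** COUNTER_BITS / certs_per_hour / (24 * 365.25)
```

With the assumed 32-bit counter, one certificate per hour exhausts it after roughly 490,000 years, which is consistent with the figure quoted in the description.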

Feel free to review now in advance of TPAC.

markafoltz avatar Sep 07 '22 21:09 markafoltz

baylesj@, do you mind taking a look?

markafoltz avatar Mar 06 '23 20:03 markafoltz

PTAL @baylesj I suppose :)

anssiko avatar Mar 06 '23 20:03 anssiko

Is the same comment not relevant to the Subject Name? It is defined as CN = <fp>._openscreen._udp.

backkem avatar Sep 29 '23 09:09 backkem

The use of <fp> in the subject name is no issue? Is there a way to set this field after calculation of the fingerprint?

backkem avatar Oct 13 '23 05:10 backkem

> Is the same comment not relevant to the Subject Name? It is defined as CN = <fp>._openscreen._udp.

Yes, that is also an issue, thank you for pointing that out. We won't be able to close Issue #276 until we address that.

markafoltz avatar Jan 22 '24 19:01 markafoltz

PTAL @baylesj, I will have to come up with a separate proposal to fix the subject name.

markafoltz avatar Jan 22 '24 19:01 markafoltz

Went ahead and merged this as comments have been addressed. Please let me know if there are other comments @baylesj

markafoltz avatar Feb 28 '24 17:02 markafoltz