
gnoi cert.proto: Need clarity on certificate validation during install and rotate

Open. Devendra-Vamsi opened this issue 3 years ago, 1 comment

Section "Validate installed certificate" from page https://github.com/openconfig/gnoi/blob/master/docs/simplified_security_model.md#validate-installed-certificate insists that the target device needs to verify the new certificate (let's say ee-cert1) being installed with a CA cert (let's say ca-cert1) in the CA pool.

  1. Is the target device guaranteed to be provided with that CA cert (ca-cert1) from the gNOI client beforehand?
  2. If the CA cert (ca-cert1) is not present, or if the certificate (ee-cert1) verification fails with the CA cert (ca-cert1), should the target device fail the install RPC?
  3. Is the expected behavior applicable to the rotate() RPC as well?

Devendra-Vamsi, Jul 15 '22 18:07

  1. yes, either via a previous gNOI install using the ca_certificates field (https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L303) or during the same install using the same field, or via another mechanism that is not gNOI;

  2. yes;

  3. yes;

samribeiro, Jul 20 '22 14:07
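The validation rule the question describes and the answer confirms, as an added Go example; it is not code from gNOI or from either poster. `Target`, `InstallRequest`, `validateAgainstPool` and `makeCert` are hypothetical names chosen for the demo, and the certificates are generated inline so the program runs offline. The only behaviour taken from the thread is the rule itself: the new EE cert must chain to a CA that is either already in the target's CA pool or carried in the same request's `ca_certificates`, the RPC fails otherwise without changing target state, and Rotate applies the same check as Install.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Target models the state a gNOI target keeps for this check (hypothetical
// type): the CA pool that the ca_certificates field fills, and the active
// end-entity certificate.
type Target struct {
	CAs    []*x509.Certificate
	Active *x509.Certificate
}

// InstallRequest stands in for the parts of an Install or Rotate request that
// matter here (hypothetical type): the new EE cert and any CA certs sent with it.
type InstallRequest struct {
	EECert         *x509.Certificate
	CACertificates []*x509.Certificate
}

// ErrNoTrustedCA is returned when the EE cert does not chain to the pool.
var ErrNoTrustedCA = errors.New("certificate does not chain to any CA in the CA pool")

// validateAgainstPool is the "Validate installed certificate" step: the EE
// cert must verify against a CA in the pool. An empty pool is a failure,
// not a bypass.
func validateAgainstPool(ee *x509.Certificate, cas []*x509.Certificate) error {
	if ee == nil {
		return errors.New("no certificate supplied")
	}
	if len(cas) == 0 {
		return ErrNoTrustedCA
	}
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	// ExtKeyUsageAny: only the chain of trust is checked here, not the
	// intended usage of the certificate.
	_, err := ee.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("%w: %v", ErrNoTrustedCA, err)
	}
	return nil
}

// Install considers CA certs carried in the same request, validates the EE
// cert, and updates target state only on success (answer points 1 and 2).
func (t *Target) Install(req InstallRequest) error {
	candidate := append(append([]*x509.Certificate{}, t.CAs...), req.CACertificates...)
	if err := validateAgainstPool(req.EECert, candidate); err != nil {
		return err // RPC fails; pool and active cert are left untouched
	}
	t.CAs = candidate
	t.Active = req.EECert
	return nil
}

// Rotate applies the same validation as Install (answer point 3).
func (t *Target) Rotate(req InstallRequest) error { return t.Install(req) }

// makeCert builds a throwaway ECDSA certificate for the demo (constructed test
// data). With parent nil it returns a self-signed CA, otherwise an EE cert
// signed by parent; the returned key is the new certificate's private key.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca1, ca1Key, err := makeCert("ca-cert1", nil, nil)
	if err != nil {
		panic(err)
	}
	ee1, _, err := makeCert("ee-cert1", ca1, ca1Key)
	if err != nil {
		panic(err)
	}
	fmt.Println("empty pool, no CA in request:", (&Target{}).Install(InstallRequest{EECert: ee1}))
	fmt.Println("ca-cert1 already in pool:", (&Target{CAs: []*x509.Certificate{ca1}}).Install(InstallRequest{EECert: ee1}))
}
```

The candidate pool is built from a copy, so a rejected request never leaks its CA certs into the target's trust store; the same function backs Rotate, which is exactly the symmetry the answer describes.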