Agent Certificate has a circular dependency on itself #276
Comments
We also need to fix the certificate subject name not to refer to the certificate fingerprint.
Regarding the subject name, similarly replacing it with the serial number could look as follows:
This keeps the 1:1 relation between server name and certificate. I don't think it impacts the certificate validation based on the fingerprint. That being said, I may have missed some of the original considerations put into the current spec. If someone can validate that, I'm happy to do the writeup and send a PR for review.
It seems "Issuer Name" also has a problem. According to the spec, "Issuer Name" is set to the model-name from the agent-info message. However, the model-name information is exchanged during the metadata phase, which happens after the connection. Is there something wrong with my understanding?
My interpretation of this is that it's the model name of the agent creating the certificate itself, meaning the model name as it is also added to the agent-info message; not the model name as is received from the remote agent. Can someone confirm/deny this? If my interpretation is correct, we may want to rephrase this to avoid any confusion.
That sounds like a great approach. bakkem@, do you have the capacity to put up a proposed PR that implements that?
This should be the same as the
The entire Issuer Name field is mostly for debugging purposes, as the certificates are self-signed.
I will start with the spec changes. Afterwards I may look at the C implementation. My Go implementation already does this as the spec was implementable otherwise 😅
I just remembered there is another precedent for this set by WebRTC's local ICE candidates:
I'm not sure if the added entropy would be warranted in our case.
This resolves the circular dependency in agent certificate fingerprint. Resolves w3c#276
Thanks, this makes sense to me.
The value `fp` is defined in openscreenprotocol/index.bs, lines 285 to 291 in 5488c7b.

Agent Certificate then follows, with the definition in openscreenprotocol/index.bs, lines 354 to 417 in 5488c7b.

The issue is that the certificate Serial Number field makes use of `fp`, as described in openscreenprotocol/index.bs, lines 385 to 388 in 5488c7b.

The problem is that `fp` is computed over the certificate, so one cannot compute `fp` a priori to include within the certificate, and any inclusion within the certificate would naturally change the derived fingerprint.
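The circular dependency described in this issue, and the replacement layout discussed in the comments (serial number chosen independently of `fp`, subject CN set to the serial number, issuer CN set to the local agent's own model name), as an added Go example. This is not code from the Open Screen Protocol spec, its C implementation, or the Go implementation mentioned in the thread; the 63-bit serial width, the Ed25519 key type, the validity period and all function names are assumptions made for the example. It self-signs a certificate, takes its SHA-256 fingerprint over the DER, then tries to fold that fingerprint into the serial number and re-sign, which always produces a different fingerprint. It also shows that the peer's fingerprint check hashes the received DER as-is and never needs `fp` inside the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// GenerateAgentKey makes the agent's signing key. Ed25519 is used because its
// signatures are deterministic: one key and one template always give
// byte-identical DER, so fingerprints can be compared across builds.
func GenerateAgentKey() (ed25519.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	return key, err
}

// Fingerprint is SHA-256 over the complete DER certificate (signature included),
// lowercase hex. This is the value the issue calls fp.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// RandomSerial draws a positive random serial below 2^63 (width is an assumption
// for this example). The fingerprint plays no part in it, which breaks the cycle.
func RandomSerial() (*big.Int, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	return n.Add(n, big.NewInt(1)), nil // +1 so the serial is never zero
}

// NewAgentCert self-signs a certificate whose subject CN is the serial number
// (the replacement proposed in the thread) and whose issuer CN is the local
// agent's model name. Go copies the issuer from the parent's Subject, so a
// parent that carries only the model name yields that issuer while the same
// key signs. validFrom is a parameter so repeated builds are reproducible.
func NewAgentCert(key ed25519.PrivateKey, serial *big.Int, modelName string, validFrom time.Time) ([]byte, error) {
	template := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: serial.String()},
		NotBefore:    validFrom,
		NotAfter:     validFrom.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: modelName}}
	return x509.CreateCertificate(rand.Reader, template, issuer, key.Public().(ed25519.PublicKey), key)
}

// ShowCircularity builds a certificate, takes its fingerprint, rebuilds the
// certificate with that fingerprint folded into the serial number, and returns
// both fingerprints. Any change to the TBSCertificate changes the signature and
// therefore the digest, so the two never agree: that is the circular dependency.
func ShowCircularity(key ed25519.PrivateKey, modelName string, validFrom time.Time) (string, string, error) {
	serial, err := RandomSerial()
	if err != nil {
		return "", "", err
	}
	der1, err := NewAgentCert(key, serial, modelName, validFrom)
	if err != nil {
		return "", "", err
	}
	// What the old spec text effectively asked for: derive the serial from fp
	// (leading 8 bytes + 1, so it stays positive and within 20 octets).
	sum := sha256.Sum256(der1)
	serial2 := new(big.Int).SetBytes(sum[:8])
	serial2.Add(serial2, big.NewInt(1))
	der2, err := NewAgentCert(key, serial2, modelName, validFrom)
	if err != nil {
		return "", "", err
	}
	return Fingerprint(der1), Fingerprint(der2), nil
}

// VerifyByFingerprint is the peer's check: hash exactly the DER it received and
// compare with the fingerprint learned out of band. Nothing inside the
// certificate has to name fp for this to work.
func VerifyByFingerprint(der []byte, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(Fingerprint(der)), []byte(expected)) == 1
}

func main() {
	key, err := GenerateAgentKey()
	if err != nil {
		panic(err)
	}
	fp1, fp2, err := ShowCircularity(key, "Example Model", time.Now().UTC().Truncate(time.Second))
	if err != nil {
		panic(err)
	}
	fmt.Println("fp with random serial:        ", fp1)
	fmt.Println("fp after folding fp into serial:", fp2)
	fmt.Println("fingerprint survived embedding:", fp1 == fp2)
}
```

Run it with `go run .`; the last line is always `false`, which is the point of the issue in one bit. The serial number only has to be unique per certificate for fingerprint-based validation to keep its 1:1 mapping, so a random value is enough and no field of the certificate needs to know `fp`.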