DDS-SECURITY 1.2 RTF Avatar
  1. OMG Issue

DDSSEC12 — Clarify the configuration and use of certificate chains for Identity

  • Key: DDSSEC12-48
  • Status: open  
  • Source: Real-Time Innovations ( Gerardo Pardo-Castellote)
  • Summary:

    Section 9.3.1.3 (Identity Certificate) indicates it is possible to use certificate chains.

    However the language of this section is confusing because an X.509 v3 Certificate does not contain a chain. It is a single certificate. What can contain a chain of certificates is a file. E.g. the standard "PEM" file format referenced in Table 44 can contain a certificate chain.

    To clarify this the following modifications are suggested:
    (1) In table 44, row for "identity_certificate" change from:
    "URI to a X509 certificate signed by the IdentityCA in PEM format"...
    To
    "URI to a X509 certificate (or certificate chain) signed by the IdentityCA, either as the root CA or as an intermediate CA, in PEM format"

    (2) In section 9.3.1.3 change from:
    "An X.509 v3 Certificate [39] that chains up to the Identity CA (see 9.3.1.1)."
    To:
    "A X.509 v3 Certificate chain [39] that is signed by the Identity CA (see 9.3.1.1) either as the root or as an intermediate CA in the chain"

    (3) In section 9.3
    In bullet 3. Clarify it may not be a single X.509 rather it can be a chain.

    (4) In table 49, field "c.id" indicate this is not a single certificate but a certificate chain. As that is what was configured in the PropertyQosPolicy.

    (5) In table 50, field "c.id" indicate this is not a single certificate but a certificate chain. As that is what was configured in the PropertyQosPolicy.

    (5) In table 52, field "validate_local_identity" indicate this is not a single certificate but a certificate chain.

    (6) In Table 53 IdentityCertificate is undefined. Maybe it should be "identity_certificate" and refer to the property defined in Table 44.

  • Reported: DDS-SECURITY 1.1b1 — Mon, 9 Apr 2018 23:56 GMT
  • Updated: Mon, 9 Apr 2018 23:56 GMT