Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore root cert expiration in Server. (v1.1 cherry-pick of PR 26372) #26406

Merged
merged 1 commit into from
May 8, 2023
Merged

Ignore root cert expiration in Server. (v1.1 cherry-pick of PR 26372) #26406

merged 1 commit into from
May 8, 2023

Conversation

bzbarsky-apple
Copy link
Contributor

@bzbarsky-apple bzbarsky-apple commented May 6, 2023
edited
Loading

This is a cherry-pick of #26372 to the v1.1 branch.

Since there is no real way to rotate the root cert for a fabric, even just to update its validity period, enforcing the validity period for it just means making the fabric not work and runs the risk of making devices completely unreachable.

Switch to not validating expiration time for a root certificate, while keeping existing behavior for the NotBefore and all other certificate types.

@bzbarsky-apple
Ignore root cert expiration in Server. (project-chip#26372)
63a05d2 
Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.
@github-actions github-actions bot added the app label May 6, 2023
@andy31415 andy31415 merged commit 4ff8bc7 into project-chip:v1.1-branch May 8, 2023
@bzbarsky-apple bzbarsky-apple deleted the cherrypick-ed8d546b1fa0600963311db590be62486c610cd2 branch May 8, 2023 16:18
@gnought
Copy link

gnought commented Jun 1, 2023

It is understood that a disconnection risk, what's the balance between the security justification and connectivity, such as botnet?
@bzbarsky-apple, @andy31415, @jtung-apple

@bzbarsky-apple
Copy link
Contributor Author

@gnought What exact issue are you trying to solve?

That said: this is a cert that cannot be rotated, so expiring it can only cause connectivity loss and there is no way to avoid that, because the cert cannot be rotated.

@gnought
Copy link

gnought commented Jun 1, 2023
edited
Loading

How could we make sure the server is valid and connection is still secure? @bzbarsky-apple

@bzbarsky-apple
Copy link
Contributor Author

@gnought I'm not sure what you are asking. The root cert is stored by the server. The server itself is validating (or not, after this change) the root cert that it itself is storing.

Can you explain what you think is or should be validate and how it makes the connection "secure" or not?

Damian-Nordic pushed a commit to Damian-Nordic/connectedhomeip that referenced this pull request Jun 1, 2023
@bzbarsky-apple @ArekBalysNordic
[nrf fromtree] Ignore root cert expiration in Server. (project-chip#2…
da87603 
…6372) (project-chip#26406)

Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.

cherry-picked from: 4ff8bc7
@ryan-ma
Copy link
Contributor

ryan-ma commented Jun 2, 2023
edited
Loading

@bzbarsky-apple May I ask few questions?

Is there any plan to have a proper rotation mechanism for the fabric operation root cert in the future? In case we won't, should we have the operation cert with no well-defined expiration date? I see in the specification, the validity in the cert example is Not After : Oct 15 14:23:42 2040 GMT

Another question. Is this update safe to use in v1.0 branch? So that we can patch the v1.0 matter SDK for our coming manufacturing?

@bzbarsky-apple
Copy link
Contributor Author

Is there any plan to have a proper rotation mechanism for the fabric operation root cert in the future?

See https://github.com/CHIP-Specifications/connectedhomeip-spec/issues/5210 for adding a way to update the cert to one that matches in all ways except the validity period. But that hasn't happened yet, and at the moment there is no work being done on it. So there is a plan, but no timeline.

should we have the operation cert with no well-defined expiration date?

That is probably what you should do, yes.

Is this update safe to use in v1.0 branch?

It should be, yes.

maciejbaczmanski pushed a commit to maciejbaczmanski/connectedhomeip that referenced this pull request Jul 15, 2024
@bzbarsky-apple @Damian-Nordic
[nrf fromtree] Ignore root cert expiration in Server. (project-chip#2…
ba9cc4f 
…6372) (project-chip#26406)

Since there is no real way to rotate the root cert for a fabric, even just to
update its validity period, enforcing the validity period for it just means
making the fabric not work and runs the risk of making devices completely
unreachable.

Switch to not validating expiration time for a root certificate, while keeping
existing behavior for the NotBefore and all other certificate types.

cherry-picked from: 4ff8bc7
maciejbaczmanski pushed a commit to maciejbaczmanski/connectedhomeip that referenced this pull request Jul 15, 2024
@kkasperczyk-no
Revert "[nrf fromtree] Ignore root cert expiration in Server. (projec…
85dce48 
…t-chip#26372) (project-chip#26406)"

This reverts commit ba9cc4f.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
app
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bzbarsky-apple @gnought @ryan-ma @andy31415