Open npmccallum opened 5 years ago
An alternative to this proposal would be to create a new version of the SEV certificate format which includes the KEY_ID in the header and the CERTIFYING_ID in each of the signatures. This would allow SEV to retire the use of CA certificates altogether, unifying them into a single format.
My clear preference, however, is using X.509 (#20). But if we aren't going to get that, then at least some other improvements would be helpful.
The current version of CA certs looks like this:
I am proposing that version 2 consider the following improvements:
The improvements are as follows:
SIGNATURE_SIZE
CERTIFYING_ID excluded from signature

The self-describing signature length is the most important improvement. As the format currently stands, there is no way to know the size of this field when parsing. The only way to know is to have the parent certificate in the parsing-code context. This is a layering violation.
Excluding the CERTIFYING_ID makes the signing workflow much simpler. Generally, you will generate an unsigned certificate and later append a signature (including the CERTIFYING_ID). When the CERTIFYING_ID is included in the signature, the serialization code needs to know the signer's CERTIFYING_ID. This is a layering violation.

The third improvement is minor. It allows a single parsing function to be used for each of the fields. Thus, it enables code reuse.
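To make the two layering points concrete, here is an added example (not code from this issue or from the SEV project) using a constructed "v2"-style encoding: a self-describing SIGNATURE_SIZE lets a parser walk every signature block without having the parent certificate in scope, and keeping CERTIFYING_ID outside the signed bytes lets the signer append its block after the body has been serialized. The field layout, the HMAC stand-in for the real asymmetric signature, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout (an assumption for illustration, not the SEV spec):
#   body   = VERSION:u32 | KEY_ID:16 | PUBKEY_SIZE:u32 | PUBKEY
#   sigblk = CERTIFYING_ID:16 | ALGO:u32 | SIGNATURE_SIZE:u32 | SIGNATURE
# A certificate is the body followed by zero or more sigblks.
# Only the body is signed, so CERTIFYING_ID stays outside the signature.


def _read_sized(buf, off):
    """One parsing routine for every length-prefixed field: u32 size, then bytes."""
    (size,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + size], off + size


def build_body(key_id, pubkey):
    """Serialize the unsigned certificate body (VERSION fixed at 2 here)."""
    return struct.pack("<I16sI", 2, key_id, len(pubkey)) + pubkey


def sign_body(body, signing_key):
    """Stand-in for the real signature: HMAC-SHA256 over the body bytes only."""
    return hmac.new(signing_key, body, hashlib.sha256).digest()


def append_signature(cert, certifying_id, signature, algo=1):
    """Append a self-describing signature block; the body is untouched."""
    return cert + struct.pack("<16sII", certifying_id, algo, len(signature)) + signature


def parse(cert):
    """Split a certificate into body and signature blocks using only the bytes given."""
    version, key_id = struct.unpack_from("<I16s", cert, 0)
    pubkey, off = _read_sized(cert, 20)
    body = cert[:off]
    sigs = []
    while off < len(cert):
        certifying_id, algo = struct.unpack_from("<16sI", cert, off)
        signature, off = _read_sized(cert, off + 20)  # SIGNATURE_SIZE is self-describing
        sigs.append((certifying_id, algo, signature))
    return version, key_id, pubkey, body, sigs


def verify(cert, certifying_id, signing_key):
    """True if some signature block from certifying_id validates over the body."""
    _, _, _, body, sigs = parse(cert)
    expected = sign_body(body, signing_key)
    return any(cid == certifying_id and hmac.compare_digest(sig, expected)
               for cid, _, sig in sigs)
```

Because the parser never consults a parent certificate, a second block with a different ALGO and SIGNATURE_SIZE can be appended and still be walked by the same loop.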