search

AMWA-TV / bcp-003-03

AMWA BCP-003-03 Certificate Provisioning in NMOS Systems
https://specs.amwa.tv/bcp-003-03
Apache License 2.0
2 stars 2 forks source link

Testing the use of the GeneralizedTime value of 99991231235959Z for Client Certificate notAfter date #6

Closed JamesGibo closed 3 years ago

JamesGibo commented 4 years ago

In the BCP is specifies the use of the GeneralizedTime value of 99991231235959Z

The EST Client manufacturer SHOULD issue a unique TLS Client Certificate for every device. It is RECOMMENDED that the notAfter value be set to the GeneralizedTime value of 99991231235959Z

https://github.com/AMWA-TV/nmos-certificate-provisioning/blob/v1.0-dev/docs/1.0.%20Certificate%20Provisioning.md#est-client-1

This has not been tested in practice at any of the workshops and should be tested before the publication of any specifications. Some CA's may have trouble generating them, but primarily EST Server implementations should be tested to see if they accept client certificates with the never expire timestamp.

JamesGibo commented 3 years ago

I have performed some testing with the GeneralizedTime value of 99991231235959Z, to generate client certificates and use them to authenticate with the OpenXPKI EST server, with limited success.

Using the openssl command line, it is not possible to generate a CA with a notAfter date of 99991231235959, as it only has support for the -days flag and not the -enddate flag. Its is possibly to generate a client cert with notAfter date of 99991231235959 using the -enddate flag.

The GeneralizedTime value of 99991231235959Z is the ASN1 UTC Time structure, stands for 23:59:59 31st December 9999. As it is unlikely that that devices will last until the year 9999, would still be secure by that date without firmware updates and the difficulty creating a CA used to the sign the client certificate with the expiry date of 99991231235959, I suggest that the recommendation for the notAfter date be changed to a sensible number of years, such as 25 years.

References: Definition of GeneralizedTime value of 99991231235959Z for long lived certificates (https://www.rfc-editor.org/rfc/rfc5280.html#section-4.1.2.5)

   In some situations, devices are given certificates for which no good
   expiration date can be assigned.  For example, a device could be
   issued a certificate that binds its model and serial number to its
   public key; such a certificate is intended to be used for the entire
   lifetime of the device.

   To indicate that a certificate has no well-defined expiration date,
   the notAfter SHOULD be assigned the GeneralizedTime value of
   99991231235959Z.

BREWSKI use of long lived certificates (https://tools.ietf.org/id/draft-ietf-anima-bootstrapping-keyinfra-34.html#name-infinite-lifetime-of-idevid)