HolgerBothien
commented
7 months ago No problem to shorten the life time of the DS certificate. This will improve the situation but not solve all use cases. An important reason for the revocation an certificate is the case when the private key of the certificate owner is compromised. Then immediate action is required as an possible attacker can create signatures the can be verified with the existing certificate (which may be valid for several month). An OCSP service would solve that problem but not all end user systems will have an internet connection at all times. I would propose that an CA in the scheme (which can be the Scheme Administrator) should publish a CRL:
- periodically
- if immediate action is required The OEM is responsible to ensure that the systems can be updated with the latest CRL. Nevertheless, an OCSP should be setup in addition to support those systems that have an internet connection.
robertsandvik
Revoking a certificate invalidates a certificate before its scheduled expiration date. A Certificate Authority (CA) can publish a Certificate Revocation List (CRL) that clients can consume containing a list of revoked certificates. The challenge with this method is that it is inefficient to maintain and distribute in “real-time”, especially if users are at sea (ECDIS).
The Online Certificate Status Protocol (OCSP) was developed to overcome some of these issues. The OCSP allow clients to query the CA about the status of a single certificate in real-time. It implies that a client application can connect 24/7 online to an IHO Scheme Administrator (SA) OCSP service and expect an immediate answer about a certificate status from IHO. (IHO does not operate such a service today).
Such a certificate revocation will only be functional if user applications are MANDATED every time to connect and check for revoked certificates!
Is there really a need, and at what cost, to establish and operate such an OCSP service for IHO SA, or can the use of short-lived Data Server certificates achieve the same result?
There is normally a controlled process between a Data Server and the IHO SA before a certificate is revoked. An issue can be initiated by IHO SA with a request to the Data Server to provide more information about an issue and how it is managed. If there are any misconduct and no efforts by the Data Server to rectify its operation, the IHO SA can issue a warning that the Data Server will be expelled from the IHO Protection Scheme and their certificate be put on a “Revocation List”. Such a process can take weeks-months.
If a Data Server certificate duration is set to 12 months, it implies that the certificate will automatically expire within 12 months unless it is renewed. I assume that an ECDIS already must check the validity of digital certificates included in the CATALOG.XML file before any authentication; e.g. issued by IHO SA, not expired etc. The workload on IHO SA is that they. will have to issue a new Data Server certificate once every 12 months for every Data Server participating in the protection scheme (Data Server must generate a CSR in advance).
By having a Data Server certificate duration of 12 months, it will be a maximum of 12 months before a certificate can be automatically revoked and the Data Server is in practice expelled from the IHO protection scheme. It will in practice be shorter because IHO SA knows when the DS certificate will expire and can ensure all communication is completed before expiration date or refuse to renew a Data Server certificate until issues are resolved. This will be an administrative procedure instead of operating an OCSP service 24/7.
Another advantage of having short Data Server certificate duration is that a Data Server is automatically throwing itself out of the IHO protection scheme if it does not renew its Data Server certificate every 12 months. The implication is that only Data Servers with operational services will maintain membership of the protection scheme.
The IHO Data Server Agreement should probably be reviewed to ensure revocation is properly managed.
The IHO Scheme Administrator certificate has for S-63 (20 years-2033) and S-100e4 (30 years-2051) had a much longer duration. IHO has established procedures and documented during the last 20+ years of operating the protection scheme that it can maintain the privacy of the SA private key information. Commercial CA root certificates installed with your operating system commonly have a duration of 25-40 years. It is suggested that the duration of the IHO SA root certificate for S-100e5duration is set to 40+years.
Recommendation: • Data Server certificate duration: 12 months • SA certificate duration: 50 years • Data Server certificate revocation is achieved by having a short certificate duration (within 12 months if recommendations are adopted)