Closed achamayou closed 2 weeks ago
One of the small issues remains, but not sure if this needs to be part of this PR. If the detected profile uses CWT and thus becomes IETF profile, the root cert is not checked against the accepted roots, because we expect a policy. But if the policy is not configured then it will just pass through as valid. This means that once the ledger boots up it can start accepting submissions until the configuration is applied. It might make sense to say that if the profile equals IETF and CWT is used and there is no policy script then reject the submission.
> One of the small issues remains, but not sure if this needs to be part of this PR. If the detected profile uses CWT and thus becomes IETF profile, the root cert is not checked against the accepted roots, because we expect a policy. But if the policy is not configured then it will just pass through as valid. This means that once the ledger boots up it can start accepting submissions until the configuration is applied.
All CCF-based services have an explicit Service Open step, which must be proposed and voted on by the Consortium before user transactions are handled. There is no risk of submissions getting in before the ledger owner configures the policy, other than a deliberate subsequent opening of the service by the owner without a policy.
> It might make sense to say that if the profile equals IETF and CWT is used and there is no policy script then reject the submission.
Yes, that's a possibility. Another is to update the constitution to prevent opening altogether if no policy is set. I think there is a broader discussion to be had about keeping both policy and list of CAs, considering the former is more expressive than the latter.