Root certificates for Network Operational Credential (NOC)

[ashcherbakov]

Root CA that NOCs chain up to. It's similar to ROOT_CERT transactions (see https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md#x509-pki), but they are managed (publish/revoke) by Vendors and do not require Trustee approval.

Acceptance Criteria:

• Design the new transaction/requests
  • Most probably new transactions, something like ADD_X509_ROOT_CERT_BY_VENDOR, REVOKE_X509_ROOT_CERT_BY_VENDOR
  • Think if these certificates should be the same as other Root Certs, or separate entities. Probably separate entities, because GET_X509_ROOT_CERT should probably return only Trustee-approved certificates (so called PAAs), not this new ones.
  • The transaction can be sent by Vendor account only
• Generate the new transactions/requests
  • See https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/README-DEV.md#how-to-add-a-new-module-or-transaction
• Implement business logic (handlers)
  • Check that the new PKI cert is a VID-scoped certificate (see https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/x509/x509.go#L104) with the same VID as the Account
• Add Unit Tests. Consider improving/simplifying existing unit tests if it makes sense. Create tests for both positive and negative scenarios.
• Add Integration tests (CLI and REST). Positive and basic negative tests (to check that errors are returned) are enough.
• Update docs
  • https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/transactions.md
  • https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/how-to.md

[ashcherbakov]

PR with Design: https://github.com/zigbee-alliance/distributed-compliance-ledger/pull/529 There are open questions: https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/docs/design/noc-root-cert-design.md#questions that needs to be discussed on the DCL TT call.

[ashcherbakov]

Discussed the open questions on DCL TT call:

• Should the vendor add a revocation distribution point for NOC certificates: NO, just revocation/remove (the same as for PAA Roots) is enough
• Should the following queries return NOC Certificate?
  • GET_ALL_SUBJECT_X509_CERTS: YES
  • GET_ALL_X509_ROOT_CERTS: NO
  • GET_X509_CERT: YES
• Should an additional field be added to the certificate schema to distinguish NOC certificates from common PAAs/PAIs: YES
• Should a revoked NOC Root Certificate be stored in the revoked list, or should it be completely removed? TWO separate APIs: Remove (completely remove; needed in case of mistakes) and Revoke
• if a NOC Root Certificate is revoked, should it be returned in the existing
  • GET_ALL_REVOKED_X509_ROOT_CERTS: NO
  • GET_REVOKED_CERT: YES

Other things to include/update design:

• NOC certs are not VID-scoped (there is no VID field there)
• When adding a NOC cert, need to check that there is no certificate with the same Subject+SKID already published by another vendor
• A possibility to re-add removed NOC certificates
• Intermediate certs (ICA) signed by NOC: can be published only by the Vendor who published the corresponding NOC
• Need to update the docs/CLI calls names to distinguish between PAA/PAI and NOC/ICA certs. Need to do it in a compatible way.

Open questions:

• Revocation distribution point for NOC Roots (to list revoked intermediate certificates signed by this NOC)
• The current ADD_X509_CERT allows to add an Intermediate/leaf cert by any account as long as the cert is chained back to a PAA (Root) on the ledger. Do we need to keep this API or disable/modify it?

[akarabashov]

Implemented the addition (PR: https://github.com/zigbee-alliance/distributed-compliance-ledger/pull/543) and revocation (PR: https://github.com/zigbee-alliance/distributed-compliance-ledger/pull/550) of NOC ROOT certificates Unit and integration tests are added Docs are updated.