Merge pull request #332 from backkem/cert-subject

Use certificate serial number in Subject Name
w3c · Oct 8, 2024 · e3eace3 · e3eace3
2 parents 3426640 + 6aaea0c
commit e3eace3
Showing 1 changed file with 59 additions and 30 deletions.
diff --git a/network.bs b/network.bs
@@ -21,8 +21,9 @@ url: https://datatracker.ietf.org/doc/html/rfc9000#name-variable-length-integer-
 url: https://datatracker.ietf.org/doc/html/rfc9000#name-variable-length-integer-enc; type: dfn; spec: RFC9000; text: variable-length integer
 url: https://datatracker.ietf.org/doc/html/rfc9000#section-4.6; type: dfn; spec: RFC9000; text: max_streams
 url: https://tools.ietf.org/html/rfc6762#section-9; type: dfn; spec: RFC6762; text: conflict resolution
-url: https://tools.ietf.org/html/rfc6763#section-7; type: dfn; spec: RFC6763; text: service name
+url: https://tools.ietf.org/html/rfc6763#section-4.1; type: dfn; spec: RFC6763; text: service instance name
 url: https://tools.ietf.org/html/rfc6763#section-4.1.1; type: dfn; spec: RFC6763; text: instance name
+url: https://tools.ietf.org/html/rfc6763#section-7; type: dfn; spec: RFC6763; text: service name
 url: https://tools.ietf.org/html/rfc4122#section-4.4; type: dfn; spec: RFC4122; text: UUID
 url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; text: sha-256
 url: https://tools.ietf.org/html/rfc8122#section-5; type: dfn; spec: RFC8122; text: sha-512
@@ -204,6 +205,50 @@ steps:
 Note: The resulting string will be 44 bytes in length.
 
 
+Computing the Certificate Serial Number {#computing-certificate-serial-number}
+-------------------------------
+
+Let the <dfn>certificate serial number</dfn> be the result of the following
+steps:
+
+<ol>
+  <li>If the agent has never generated an agent certificate:
+  <ol>
+    <li>Let the <dfn>certificate serial number base</dfn> be a 128-bit
+        [=UUID=].</il>
+    <li>Let the <dfn>certificate serial number counter</dfn> be a 32-bit
+        unsigned integer, initially set to 0.</li>
+  </ol>
+  </li>
+  <li>Generate a 160-bit value as follows:
+  <ol>
+    <li>Increment the [=certificate serial number counter=] by one.</li>
+    <li>Assign the upper 128 bits to the [=certificate serial number base=].</li>
+    <li>Assign the lower 32 bits to the [=certificate serial number counter=].</il>
+  </ol>
+</ol>
+
+Computing the Agent Hostname  {#computing-agent-hostname}
+-------------------------------
+
+Each time the agent changes its DNS-SD [=Service Instance Name=] or
+[=certificate serial number=] it must compute an <dfn>agent hostname</dfn> as
+follows.
+
+1. Set <var>hexSerialNumber</var> to the [[!RFC4648|base64]] encoded
+    [=certificate serial number=].
+1. Set <var>encodedInstanceName</var> to the result of the following:
+    1. Replace any character in the DNS-SD Instance Name other
+        than `[A-Za-z0-9-]` with a hyphen `-`.
+1. Set <var>encodedDomain</var> to the result of the following:
+    1. Replace any character in the DNS-SD Domain Name other
+        than `[A-Za-z0-9-]` with a hyphen `-`.
+1. Set the [=agent hostname=] to the string
+    <var>hexSerialNumber</var> + `.` + <var>encodedInstanceName</var> + `.` + <var>encodedDomain</var>
+
+TODO: Add an appendix with examples of metadata, DNS-SD records and certificate
+fields for an advertising agent.
+
 Transport and metadata discovery with QUIC {#transport}
 =======================================================
 
@@ -229,10 +274,11 @@ be used to communicate with a specific OSP Agent using OSP.  An OSP Agent may
 refuse incoming connections that lack these parameters.
 
 * The [[!RFC7301|ALPN]] used must be "osp".
-* The [[!RFC6066|server_name extension]] must be set to the following `host_name`:
-    `<fp>._openscreen._udp`.
-    * `<fp>` must be substituted with the [=agent fingerprint=] as used in mDNS TXT.
-
+* The [[!RFC6066|server_name extension]] must be set to the [=agent hostname=].
+* The [=agent fingerprints|agent fingerprint=] calculated for the received
+    [=agent certificate=] must match the `fp` mDNS TXT record as advertised
+    by the advertising agent.
+
 An OSP Agent must not send TLS early data.
 
 Issue(228): Register ALPN with IANA.
@@ -257,24 +303,9 @@ The [=agent certificate=] must have the following characteristics:
         used to encode the identifiers.
 * Valid for signing.
 
-Let the <dfn>certificate serial number</dfn> be the result of the following steps:
-
-<ol>
-  <li>If the agent has never generated an agent certificate:
-  <ol>
-    <li>Let the <dfn>certificate serial number base</dfn> be a 32-bit
-        pseudorandom integer value.</il>
-    <li>Let the <dfn>certificate serial number counter</dfn> be a 32-bit
-        unsigned integer, initially set to 0.</li>
-  </ol>
-  </li>
-  <li>Generate a 64-bit value as follows:
-  <ol>
-    <li>Increment the [=certificate serial number counter=] by one.</li>
-    <li>Assign the upper 32 bits to the [=certificate serial number base=].</li>
-    <li>Assign the lower 32 bits to the [=certificate serial number counter=].</il>
-  </ol>
-</ol>
+Each agent certificate has a unique [=certificate serial number=] computed
+using the steps above.  The value `<sn>` below should be substituted with that
+serial number.
 
 The following X.509 v3 fields are to be set as follows:
 
@@ -291,7 +322,7 @@ The following X.509 v3 fields are to be set as follows:
  </tr>
  <tr>
    <td>Serial Number</td>
-   <td>The [=certificate serial number=].</td>
+   <td>`<sn>` (as a big-endian integer)</td>
  </tr>
  <tr>
    <td>Public Key `AlgorithmIdentifier`</td>
@@ -314,7 +345,8 @@ The following X.509 v3 fields are to be set as follows:
  </tr>
  <tr>
    <td>Issuer Name</td>
-   <td>CN = The `model-name` from the `agent-info` message.<br/>
+   <td>CN = The `model-name` from the `agent-info` message, as
+            also set in the `agent-info` message.<br/>
        O = See note.<br/>
        L = See note.<br/>
        ST = See note.<br/>
@@ -323,7 +355,7 @@ The following X.509 v3 fields are to be set as follows:
  </tr>
  <tr>
    <td>Subject Name</td>
-   <td>CN = `<fp>`._openscreen._udp<br/>
+   <td>CN = [=agent hostname=]<br/>
        O = See note.<br/>
    </td>
  </tr>
@@ -341,9 +373,6 @@ The following X.509 v3 fields are to be set as follows:
 
 Mandatory fields not mentioned above should be set according to [[!RFC5280]].
 
-The value `<sn>` above should be substituted with the [=certificate serial
-number=].
-
 Note: The OSP agent may use the implementer or device model name as the value
 for the `O` key for user interface and debugging purposes. It may use the agent
 implementer's or device manufacturer's location as the value for the location
@@ -584,7 +613,7 @@ considered public:
 
 1. IP addresses and ports used by the Open Screen Network Protocol.
 1. Data advertised through mDNS, including the display name prefix, the
-    certificate fingerprint, and the metadata version.
+    certificate fingerprint and serial number, and the metadata version.
 
 ### Cross Origin State Considerations ### {#cross-origin-state}