Wing's understanding is that the InterUSS make certs script: deploy/infrastructure/dependencies/terraform-commons-dss/templates/make-certs.sh.tmp
uses configuration flags outlined in: deploy/operations/certificates-management/init.py.
We are interested in the relevance / importance of including non-repudiation
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
Our understanding is that non-repudiation allows for cryptographic security checks to verify proof of origin and data integrity. Some documentation that we have reviewed from Cockroach DB's website mention:
Warning:
The keyUsage and extendedkeyUsage parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration and you can add additional usages, but do not omit keyUsage and extendedkeyUsage parameters or remove the listed usages.
Should USPs have internal processes for generating their own certs, Wing is inquiring:
- What is the importance of non-repudiation? Given that it is enabled in InterUSS's config, is it InterUSS's recommendation that all USPs should have this flag enabled?
- More broadly, does InterUSS have specific technical guidance / recommendations on configs or flags that USPs should have enabled should they choose to generate their certs using methods other than the provided make-certs script?
Wing's understanding is that the InterUSS make certs script: deploy/infrastructure/dependencies/terraform-commons-dss/templates/make-certs.sh.tmp
uses configuration flags outlined in: deploy/operations/certificates-management/init.py.
We are interested in the relevance / importance of including non-repudiation
Our understanding is that non-repudiation allows for cryptographic security checks to verify proof of origin and data integrity. Some documentation that we have reviewed from Cockroach DB's website mention:
Should USPs have internal processes for generating their own certs, Wing is inquiring: