Skip to content

Relevance of non-repudiation flag in cert generation config #1521

Description

Wing's understanding is that the InterUSS make certs script: deploy/infrastructure/dependencies/terraform-commons-dss/templates/make-certs.sh.tmp

uses configuration flags outlined in: deploy/operations/certificates-management/init.py.

We are interested in the relevance / importance of including non-repudiation

keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign

Our understanding is that non-repudiation allows for cryptographic security checks to verify proof of origin and data integrity. Some documentation that we have reviewed from Cockroach DB's website mention:

Warning:
The keyUsage and extendedkeyUsage parameters are vital for CockroachDB functions. You can modify or omit other parameters as per your preferred OpenSSL configuration and you can add additional usages, but do not omit keyUsage and extendedkeyUsage parameters or remove the listed usages.

Should USPs have internal processes for generating their own certs, Wing is inquiring:

  • What is the importance of non-repudiation? Given that it is enabled in InterUSS's config, is it InterUSS's recommendation that all USPs should have this flag enabled?
  • More broadly, does InterUSS have specific technical guidance / recommendations on configs or flags that USPs should have enabled should they choose to generate their certs using methods other than the provided make-certs script?

Metadata

Metadata

Assignees

No one assigned

    Labels

    deploymentRelated to deploying a DSS instance rather than application logic or behaviorquestionRequest for information rather than identification of an issue

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions