Agent Certificate has a circular dependency on itself about openscreenprotocol HOT 9 OPEN

We also need to fix the certificate subject name not to refer to the certificate fingerprint.

from openscreenprotocol.

It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message. However, the model-name information is exchanged during the metadata phase which happens after the connection. Is there something wrong with my understanding?

My interpretation of this is that it's the model name of the agent creating the certificate itself, meaning the model name as it is also added to the agent-info message; not the model name as is received from the remote agent. Can someone confirm/deny this? If my interpretation is correct, we may want to rephrase this to avoid any confusion.

from openscreenprotocol.

Regarding the subject name, similarly replacing it with the serial number could look as follows:

1. Advertise the serial number as a sn mDNS TXT record.
2. use <sn>._openscreen._udp as the certificate Subject CommonName.
3. The dialing client can use the sn TXT record to construct the <sn>._openscreen._udp to use in the server_name extension.

This keeps the 1:1 relation between server name and certificate. It don't think it impacts the certificate validation based on the fingerprint. That being said, I may have missed some of the original considerations put into the current spec. If someone can validate that, I'm happy to do the writeup and send a PR for review.

from openscreenprotocol.

It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message. However, the model-name information is exchanged during the metadata phase which happens after the connection. Is there something wrong with my understanding?

from openscreenprotocol.

Regarding the subject name, similarly replacing it with the serial number could look as follows:

That sounds like a great approach. bakkem@, do you have the capacity to put up a proposed PR that implements that?

from openscreenprotocol.

It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message

This should be same as the the model-name of the agent that is generating the certificate. The text here could be clearer on this.

The entire Issuer Name field is mostly for debugging purposes as the certificates are self-signed.

from openscreenprotocol.

Regarding the subject name, similarly replacing it with the serial number could look as follows:

That sounds like a great approach. bakkem@, do you have the capacity to put up a proposed PR that implements that?

I will start with the spec changes. Afterwards I may look at the C implementation. My Go implementation already does this as the spec was implementable otherwise 😅

from openscreenprotocol.

I just remembered there is another precedent for this set by WebRTC's local ICE candidates:

Generate a unique mDNS hostname. The unique name MUST consist of
a version 4 UUID as defined in [RFC4122], followed by ".local".

I'm not sure if the added entropy would be warranted in our case.

from openscreenprotocol.

It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message

This should be same as the the model-name of the agent that is generating the certificate. The text here could be clearer on this.

The entire Issuer Name field is mostly for debugging purposes as the certificates are self-signed.

Thanks, this makes sense to me.

from openscreenprotocol.