Technote: Certificate Revocation

nycnewman · March 27, 2021, 12:58pm

In this TechNote, we take a look at Certificate Revocation options and discuss the protocols and tradeoffs when using. This focuses on securing the underlying infrastructure communication between Daml Application components.

CRLs, OCSP, OCSP Stapling, Must-Staples, CRLSets
Simple Java example to allow you to see the protocol in action in Wireshark
How to enable OCSP revocation checking in the Daml Ledger API Server

github.com

digital-asset/ex-secure-daml-infra/blob/ceb1225f937d5dc3a8cbc88e836208477c6530bc/Documentation/technote-ocsp-cert-revocation.md

[![DAML logo](https://daml.com/wp-content/uploads/2020/03/logo.png)](https://www.daml.com)

[![Download](https://img.shields.io/github/release/digital-asset/daml.svg?label=Download)](https://docs.daml.com/getting-started/installation.html)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/digital-asset/daml/blob/master/LICENSE)

# TechNote: Certificate Revocation

Digital certificates in the form of server-side TLS certificates and client-side mutual authentication certificates are used
to authenticate and protect data in transit. Mutual authentication allows both sides to validate who they are
connecting to and make decisions around whether this is acceptable.

However digital certificates can be lost, stolen, expired, revoked, and each side may want to perform further validation. Over the
years, many mechanisms have been developed to allow applications to validate the certificate and these have different tradeoffs.

This TechNote documents the certificate revocation mechanisms, some options to enable debugging of the flows
and some instructions on how to the use to provided test scripts and programs to test out revocation
options.

## Types of Certificate Revocation Checks

This file has been truncated. show original

quidagis · March 27, 2021, 9:50pm

Thank you for this post, this is very helpful, as I had been thinking about DC & DAs on Daml. I confess that currently, my DC-foo, is poor.

For the JDK, you can use the jSSLKeyLog agent to capture the TLS session key to a file and then configure Wireshark to read…

Does this mean that the TLS session key is actually sent in cleartext? But hidden in the packet flow?

nycnewman · March 28, 2021, 5:40pm

The TLS key is never sent in clear text. TLS protocol and X509 certificates allow both sides to negotiate the session key without ever exchanging in cleartext.

jSslKeyLog uses a Java add-in agent that captures the session keys in memory during negotiation and writes to a local file. This is for debugging only (for the obvious reason that it exposes the tunnel secrets) but does allow you to see the cleartext packet capture for TLS. Otherwise many parts of the protocol (for example OCSP Stapling onto the Certificate) are hidden from view.

quidagis · March 29, 2021, 12:05am

Thank you for the reply

rps · April 6, 2021, 10:21pm

Great Article Mister Newman. Thanks for taking the time and energy to write this all up!

Topic		Replies	Views
TechNote: PostgreSQL hardening for Daml for PSQL Tutorials and Guides	1	1005	March 29, 2021
Fabric certificate handling and how Daml fulfills the promise of Fabric Composer, in a Hyperledger Budapest meetup next Thursday Announcements	6	465	April 22, 2021
Issue enabling TLS for DAML JSON Api Questions sandbox , json-api , ledger-api	9	1373	April 17, 2023
Secure DAML Infrastructure – Part 2 – JWT, JWKS and Auth0 News blog	0	408	December 1, 2020
PKI integration with Daml Questions daml , security	3	333	October 27, 2021

Technote: Certificate Revocation

Related topics