Technote: Certificate Revocation

nycnewman · March 27, 2021, 12:58pm

In this TechNote, we take a look at Certificate Revocation options and discuss the protocols and tradeoffs when using. This focuses on securing the underlying infrastructure communication between Daml Application components.

CRLs, OCSP, OCSP Stapling, Must-Staples, CRLSets
Simple Java example to allow you to see the protocol in action in Wireshark
How to enable OCSP revocation checking in the Daml Ledger API Server

github.com

digital-asset/ex-secure-daml-infra/blob/ceb1225f937d5dc3a8cbc88e836208477c6530bc/Documentation/technote-ocsp-cert-revocation.md

[![DAML logo](https://daml.com/wp-content/uploads/2020/03/logo.png)](https://www.daml.com)

[![Download](https://img.shields.io/github/release/digital-asset/daml.svg?label=Download)](https://docs.daml.com/getting-started/installation.html)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/digital-asset/daml/blob/master/LICENSE)

# TechNote: Certificate Revocation

Digital certificates in the form of server-side TLS certificates and client-side mutual authentication certificates are used
to authenticate and protect data in transit. Mutual authentication allows both sides to validate who they are
connecting to and make decisions around whether this is acceptable.

However digital certificates can be lost, stolen, expired, revoked, and each side may want to perform further validation. Over the
years, many mechanisms have been developed to allow applications to validate the certificate and these have different tradeoffs.

This TechNote documents the certificate revocation mechanisms, some options to enable debugging of the flows
and some instructions on how to the use to provided test scripts and programs to test out revocation
options.

## Types of Certificate Revocation Checks

This file has been truncated. show original

quidagis · March 27, 2021, 9:50pm

Thank you for this post, this is very helpful, as I had been thinking about DC & DAs on Daml. I confess that currently, my DC-foo, is poor.

For the JDK, you can use the jSSLKeyLog agent to capture the TLS session key to a file and then configure Wireshark to read…

Does this mean that the TLS session key is actually sent in cleartext? But hidden in the packet flow?

nycnewman · March 28, 2021, 5:40pm

The TLS key is never sent in clear text. TLS protocol and X509 certificates allow both sides to negotiate the session key without ever exchanging in cleartext.

jSslKeyLog uses a Java add-in agent that captures the session keys in memory during negotiation and writes to a local file. This is for debugging only (for the obvious reason that it exposes the tunnel secrets) but does allow you to see the cleartext packet capture for TLS. Otherwise many parts of the protocol (for example OCSP Stapling onto the Certificate) are hidden from view.

quidagis · March 29, 2021, 12:05am

Thank you for the reply

rps · April 6, 2021, 10:21pm

Great Article Mister Newman. Thanks for taking the time and energy to write this all up!

Topic		Replies	Views
Fabric certificate handling and how Daml fulfills the promise of Fabric Composer, in a Hyperledger Budapest meetup next Thursday Announcements	6	444	April 22, 2021
Secure DAML Infrastructure - PKI, JWT and all that News daml , ledger-api	2	359	October 22, 2020
DAML Smart Contracts in a Covid-19 diagnostics app News blog	2	438	August 27, 2020
Hello! A new comer in the DAML world! Introduce yourself	9	653	December 1, 2022
New Blog post: DAML application on Proxy Voting News blog	2	476	September 16, 2020

Technote: Certificate Revocation

Related Topics