
Technote: Certificate Revocation

Outreach · 6 posts · 1,103 views · 10 likes · Last activity Apr 2021

nycnewman (OP)
Mar 2021

In this TechNote, we take a look at Certificate Revocation options and discuss the protocols and the tradeoffs when using them. This focuses on securing the underlying infrastructure communication between Daml Application components.

  • CRLs, OCSP, OCSP Stapling, Must-Staples, CRLSets
  • Simple Java example to allow you to see the protocol in action in Wireshark
  • How to enable OCSP revocation checking in the Daml Ledger API Server
github.com/digital-asset/ex-secure-daml-infra/blob/ceb1225f937d5dc3a8cbc88e836208477c6530bc/Documentation/technote-ocsp-cert-revocation.md

# TechNote: Certificate Revocation

Digital certificates in the form of server-side TLS certificates and client-side mutual authentication certificates are used
to authenticate and protect data in transit. Mutual authentication allows both sides to validate who they are
connecting to and make decisions around whether this is acceptable.

However, digital certificates can be lost, stolen, expired, revoked, and each side may want to perform further validation. Over the
years, many mechanisms have been developed to allow applications to validate the certificate and these have different tradeoffs.

This TechNote documents the certificate revocation mechanisms, some options to enable debugging of the flows
and some instructions on how to use the provided test scripts and programs to test out revocation
options.

## Types of Certificate Revocation Checks

This file has been truncated.
quidagis
Mar 2021

Thank you for this post, this is very helpful, as I had been thinking about DC & DAs on Daml. I confess that currently my DC-foo is poor.

For the JDK, you can use the jSSLKeyLog agent to capture the TLS session key to a file and then configure Wireshark to read…

Does this mean that the TLS session key is actually sent in cleartext? But hidden in the packet flow?

nycnewman
Mar 2021

The TLS key is never sent in clear text. The TLS protocol and X509 certificates allow both sides to negotiate the session key without ever exchanging it in cleartext.

jSslKeyLog uses a Java add-in agent that captures the session keys in memory during negotiation and writes to a local file. This is for debugging only (for the obvious reason that it exposes the tunnel secrets) but does allow you to see the cleartext packet capture for TLS. Otherwise many parts of the protocol (for example OCSP Stapling onto the Certificate) are hidden from view.
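
The reply above notes that the key log file exposes the tunnel secrets. As an added example (not part of the original post or the technote's code), this Python script audits such a file after a debugging session without printing any secret. It assumes the agent writes the NSS key log format that Wireshark reads; the sample content is constructed.

```python
import os
import re
import stat
import tempfile

# Labels used by the NSS key log format (TLS 1.2 and TLS 1.3).
KNOWN_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def audit_keylog(path):
    """Summarise a TLS key log file without echoing any secret value."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    sessions, malformed = set(), 0
    with open(path, encoding="ascii", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = LINE_RE.match(line)
            if m and m.group(1) in KNOWN_LABELS and len(m.group(3)) % 2 == 0:
                sessions.add(m.group(2).lower())  # client random identifies a session
            else:
                malformed += 1
    return {"mode": oct(mode), "sessions_exposed": len(sessions),
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "malformed_lines": malformed}

def demo():
    # Constructed sample: repeated hex bytes, not real key material.
    sample = (
        "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
        "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "01" * 32 + " " + "ef" * 32 + "\n"
        "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "01" * 32 + " " + "12" * 32 + "\n"
        "not a key log line\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, 0o644)  # loose mode that a default umask typically produces
    result = audit_keylog(fh.name)
    os.remove(fh.name)
    return result

if __name__ == "__main__":
    print(demo())
```

A non-zero `sessions_exposed` together with `readable_by_others` set means other local accounts could decrypt a capture of those sessions, so the file should be deleted or restricted to its owner once debugging ends.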

quidagis
Mar 2021

Thank you for the reply 👍

rps
Apr 2021

Great Article Mister Newman. Thanks for taking the time and energy to write this all up!
