Onboarding: define public key format + introduce aliases #523
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ocampana-videotec
approved these changes
Feb 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
So while prototyping the Onboarding spec, we found 2 things that could be improved upon. The first is that the public key in the deviceCompleted request had an undefined format. Using the PKCS10 CSR made sense, so we added that to the specification.
The other is the handling of the trust anchors. While trying to setup the camera for webrtc, we realized that knowing the alias of the certificate path validation policy would really be helpful to easily reuse it instead of trying to find a policy that matches all trust anchors one by one. For this, we extracted the trust anchors from each model and instead made a
certPathValidationPolicyobject which contains analiasand thetrustAnchors. We can then reference this policy in the authorization server config and uplink configuration using thealiasas the key. This should also make the whole payload a bit smaller, since we don't need to repeat the trust anchors in each configurations.You can easily preview the changes in https://editor-next.swagger.io/