Skip to content

[Openid Federation and X.509 PKI] division of responsabilities, x5c ops moved to annex#1095

Open
peppelinux wants to merge 2 commits into
versione-correntefrom
x5c
Open

[Openid Federation and X.509 PKI] division of responsabilities, x5c ops moved to annex#1095
peppelinux wants to merge 2 commits into
versione-correntefrom
x5c

Conversation

@peppelinux

Copy link
Copy Markdown
Member

This PR moves x5c operations and examples to an annex

it also simplify and reduce the mixtures between openid federation 1.0 and X.509 PKI, making the latter dependant to the first only for the onboarding processes and certificates provisioning, while the entire x.509 certificate lives on their own using native PKIX tools.

It also, from an editorial perspecive, aim to reduce the text and the overall verbosity of the contents, to prepare the road for the inclusion of Trusted Lists and ETSI references.

It doesn't really introduce breaking change, since all the previous approaches are compatible with the current one proposed within this PR. The evidence is that this PR also relaxes the normative burden to the implementations.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR restructures the documentation around X.509/PKIX by moving day-to-day x5c/certificate evaluation operations into an annex, and by clarifying the separation between OpenID Federation onboarding flows and PKIX-native certificate lifecycle/validation responsibilities.

Changes:

  • Moved the “x5c evaluation / X.509 operations” content from the main document into a new annex page (IT/EN) and updated the Table of Contents accordingly.
  • Updated Trust Infrastructure chapters (IT/EN) to emphasize that PKIX validation must be performed with standard PKIX tooling and is not replaced by federation protocol responses.
  • Updated onboarding chapters (IT/EN) to reference the new annex location and to reduce coupling between federation metadata and PKIX operations.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
docs/it/x5c-evaluation.rst Removed old main-section X.509 operations page (moved to annex).
docs/en/x5c-evaluation.rst Removed old main-section X.509 operations page (moved to annex).
docs/it/annex/x5c-evaluation.rst Added annex page for PKIX operational procedures (IT).
docs/en/annex/x5c-evaluation.rst Added annex page for PKIX operational procedures (EN).
docs/it/trust-infrastructure.rst Revised federation-vs-PKIX responsibility split; updated PKIX issuance/validation text.
docs/en/trust-infrastructure.rst Revised federation-vs-PKIX responsibility split; updated PKIX issuance/validation text.
docs/it/entity-onboarding.rst Updated onboarding narrative and references to point to annex PKIX operations.
docs/en/entity-onboarding.rst Updated onboarding narrative and references to point to annex PKIX operations.
docs/it/index.rst Removed old x5c-evaluation page from main toctree.
docs/en/index.rst Removed old x5c-evaluation page from main toctree.
docs/it/appendix.rst Added annex/x5c-evaluation into the appendix toctree.
docs/en/appendix.rst Added annex/x5c-evaluation into the appendix toctree.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +1 to +7
Operazioni di Gestione dei Certificati X.509
=============================================

Questa sezione descrive il lavoro PKIX che gli operatori svolgono quando il materiale certificato è già presente nel dispiegamento. Le attività tipiche includono la costruzione delle catene, la verifica di firme ed estensioni, il controllo della revoca, la pianificazione del rinnovo prima della scadenza e la dismissione delle credenziali non più autorizzate.

Il rapporto tra enrolment OpenID Federation e PKIX, nonché le regole per richiedere i bundle certificati, sono chiariti in :ref:`trust-infrastructure:L'Infrastruttura di Trust` e in :ref:`trust-infrastructure:X.509 PKI`. Questa sezione resta sul piano PKIX. Le valutazioni DEVONO basarsi su librerie PKIX consolidate o su strumenti da riga di comando per X.509, anziché dedurre la fiducia solo dai metadati di federazione.

Comment on lines +1 to +7
X.509 Certificate Management Operations
=========================================

This section describes PKIX work that operators perform once certificate material exists in the deployment. Typical tasks include building certificate chains, validating signatures and extensions, checking revocation status, planning renewal before expiry, and retiring credentials that are no longer authorised.

The relationship between OpenID Federation enrolment and PKIX, together with the rules for requesting certificate bundles, is explained in :ref:`trust-infrastructure:The Infrastructure of Trust` and in :ref:`trust-infrastructure:X.509 PKI`. Those chapters describe how participants obtain material during onboarding. The present section stays strictly on the PKIX side. Assessments MUST rely on conventional X.509 or PKIX libraries and command-line tools rather than on inference from federation metadata alone.

- Un JSON Web Key Set (JWKS) :rfc:`7517` che rappresenta la parte pubblica delle chiavi di firma dell'Entità in questione. Ogni JWK nel set JWK DEVE avere un ID chiave (claim kid) e PUÒ avere un parametro `x5c`, come definito in :rfc:`7517`. Contiene le Chiavi dell'Entità di Federazione richieste per le operazioni di Trust Evaluation.

**x5c**: Il parametro `x5c` incluso nel parametro `jwks` dell'Entity Configuration DEVE contenere solo il Certificato X.509 auto-emesso relativo al corrispondente `jwk`.
- Un JSON Web Key Set (JWKS) :rfc:`7517` che rappresenta la parte pubblica delle chiavi di firma dell'Entità in questione. Ogni JWK nel set JWK DEVE avere un ID chiave (claim kid). Contiene le Chiavi dell'Entità di Federazione richieste per le operazioni di Trust Evaluation.
- A JSON Web Key Set (JWKS) :rfc:`7517` that represents the public part of the signing keys of the Entity at issue. Each JWK in the JWK set MUST have a key ID (claim kid) and MAY have a `x5c` parameter, as defined in :rfc:`7517`. It contains the Federation Entity Keys required for the operations of Trust Evaluation.

**x5c**: The `x5c` parameter included in Entity Configuration's `jwks` parameter MUST only contain the self-issued X.509 Certificate about the corresponding `jwk`.
- A JSON Web Key Set (JWKS) :rfc:`7517` that represents the public part of the signing keys of the Entity at issue. Each JWK in the JWK set MUST have a key ID (claim kid). It contains the Federation Entity Keys required for the operations of Trust Evaluation.
5. **Basic Constraints**: Il Certificato X.509 DEVE includere un'estensione ``Basic Constraints`` con ``CA:TRUE`` e una lunghezza massima del path di 1 se l'emittente del certificato è un Intermediario di Federazione. Se è una Foglia, la lunghezza massima del path DEVE essere impostata a 0. Questo indica che il Subordinato a cui il certificato si riferisce, può emettere Certificati X.509 solo su se stesso. L'estensione ``BasicConstraints`` DEVE essere impostata ``critical``.
6. **Key Usage**: ``Digital Signature``, ``Key Encipherment``, ``Certificate Sign``, ``CRL Sign`` DEVONO essere inclusi. L'estensione ``KeyUsage`` DEVE essere impostata ``critical``.
5. **Basic Constraints**: i certificati di **emissione dell'entità** degli Intermediari di Federazione DEVONO includere ``Basic Constraints`` con ``CA:TRUE`` e ``pathLen`` impostato dal Superiore (tipicamente ``0`` quando l'Intermediario emette solo certificati end-entity verso le Foglie). I certificati di **protocollo** end-entity rilasciati **alle** Foglie di Federazione DEVONO impostare ``CA:FALSE``. ``BasicConstraints`` DEVE essere ``critical`` ove PKIX lo richieda per questi ruoli.
6. **Key Usage**: i certificati di emissione dell'entità degli Intermediari di Federazione DEVONO includere ``Digital Signature``, ``Key Encipherment``, ``Certificate Sign`` e ``CRL Sign`` come richiesto dal ruolo PKIX di una Certificate Authority, e DEVONO impostare ``KeyUsage`` ``critical``. I certificati di protocollo end-entity rilasciati **alle** Foglie NON DEVONO includere ``Certificate Sign`` né ``CRL Sign``; DEVONO includere ``Digital Signature`` e POSSONO includere ``Key Encipherment`` secondo il profilo applicativo.
5. **Basic Constraints**: The X.509 Certificate MUST include a ``Basic Constraints`` extension with ``CA:TRUE`` and a maximum path length of 1 if the certificate issuer is a Federation Intermediate. If it is a Leaf, the maximum path length MUST be set to 0. This indicates that the Subordinate to which certificate is about, can only issue X.509 Certificates about itself. ``BasicConstraints`` extension MUST be set ``critical``.
6. **Key Usage**: ``Digital Signature``, ``Key Encipherment``, ``Certificate Sign``, ``CRL Sign`` MUST be included. ``KeyUsage`` extension MUST be set ``critical``.
5. **Basic Constraints**: Federation Intermediate **entity issuance** certificates MUST include ``Basic Constraints`` with ``CA:TRUE`` and a ``pathLen`` set by the Superior (typically ``0`` when the Intermediate only issues end-entity certificates to Leaves). End-entity **protocol** certificates issued **to** Federation Leaves MUST set ``CA:FALSE``. ``BasicConstraints`` MUST be ``critical`` where PKIX requires it for these roles.
6. **Key Usage**: Federation Intermediate entity issuance certificates MUST include ``Digital Signature``, ``Key Encipherment``, ``Certificate Sign``, and ``CRL Sign`` as required for the PKIX CA role, and MUST set ``KeyUsage`` ``critical``. End-entity protocol certificates issued **to** Leaves MUST NOT include ``Certificate Sign`` or ``CRL Sign``; they MUST include ``Digital Signature`` and MAY include ``Key Encipherment`` as required by the application profile.
4. **Ritiro delle pubblicazioni.** Interrompere la pubblicazione del materiale di fiducia del partecipante quando la governance lo richiede.
5. **Conferma operativa.** Quando il deployment espone canali di registro o di stato, gli operatori DOVREBBERO verificare che i consumatori a valle abbiano recepito l'esito della revoca.

Esempio non normativo di richiesta di revoca del Certificato X.509 seguendo il formato :rfc:`3280`:
4. **Publication withdrawal.** Stop publishing participant trust material when governance requires it.
5. **Operational confirmation.** When the deployment provides registry or status channels, operators SHOULD confirm that downstream consumers have picked up the revocation outcome.

Non-normative example of X.509 Certificate revocation request following :rfc:`3280` format:
@peppelinux peppelinux added eudiw and removed LTS labels Jun 9, 2026
@peppelinux peppelinux modified the milestones: 1.4.2, 1.5.0 Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Development

Successfully merging this pull request may close these issues.

3 participants