Why signer validity of ESP crypto auth utility is so short ?

[joel69100]

Hello,

I'm trying to understand the full process to perform provisioning of an ATECC608B. I particularly checked at https://github.com/espressif/esp-crypto ... /README.md and this looks really simple.

I wonder bout one thing there: why the signer certificate validity should be 365 days only? Is it a good practice only or is there a technical reason ? What append / what is the risk if the signer certificate has a longer validity, let say 10 years for example ?

Thanks
Joel

[joel69100]

Hello again,

Just to develop a bit this question: the topic behind this is that my devices will expose their public key to a server to perform authentication. Server should be able to validate the authenticity of the device. I would like to achieve verification of the public key using the signer (I don't know how I can technically do that for the moment !)

If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ? And additionally, if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Not sure if what I'm saying here is correct to be honest !

Joel

[MicroController]

If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ?

The signer certificate must be valid at the time the signature is created; validation of the signature should be possible forever irrespective of the expiration date of the signer's certificate.

if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Yes, that will be the case.

The reason for limiting certificates' validity is usually for security reasons, kind-of enforcing key renewal policies.
Depending on your expected threat level, it is probably perfectly fine to use a long-term certificate for key signing in your case.

[joel69100]

Thanks, this confirms my understanding that the signer is temporary used I start to have a better understanding of the global process.

On the other hand I have used the esp crypto auth utility successfully, very simple to use.

One details maybe you know : I have not found the sources of the utility running on the esp32. Only binaries are provided. Anyone knows where to find this ?

Joel

[joel69100]

Answering my question at the same time I'm writing, the source code of the esp32 firmware utility is on the same repo, on a separated branch

[ESP_flying_raijin]

Hi Joel,
I see a couple of questions answered already, I will add my thoughts on them as well.

I wonder bout one thing there: why the signer certificate validity should be 365 days only? Is it a good practice only or is there a technical reason ? What append / what is the risk if the signer certificate has a longer validity, let say 10 years for example ?

That is a sample signer certificate just for showcasing the usability. Typically the signer certificate should be valid for the lifetime of the product. It means that the device should not have to change its device certificate till its lifetime. This also follows that the device cert private key and Signer cert private key is not leaked in the meantime. In that case it is okay to have signer validity for 10 years. (Or even more than that)

If you change the signer certificate after 1 year to reduce vulnerability then you also need to update the device certificate for each device which might be already on field. It's a tricky job to do that. So generally this is not done. If your product needs has a very stringent security requirements then maybe this option should be considered.

If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ? And additionally, if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Extending the signer validity as explained above should fix this. Alternatively, Registering multiple signer certificates is supported on most of the cloud servers so it should not be a problem.

Just to develop a bit this question: the topic behind this is that my devices will expose their public key to a server to perform authentication. Server should be able to validate the authenticity of the device. I would like to achieve verification of the public key using the signer (I don't know how I can technically do that for the moment !)

So in this case what happens is that you form a chain of trust with the signer being at the top of the hierarchy.
First you register the signer certificate with cloud services such as AWS. Then you shall use that signer to sing the device certificate.

When the device shall connect with the server it shall send its device certificate and signer certificate with the server. The server shall verify that the device certificate is indeed signed using the signer certificate and ask device cert to prove ownership of the device private key. Once that is done the server will trust the device and perform further communication.

I hope I have added enough details.
Please let me know if you would like me to elaborate on any point.
Thanks,
Aditya