Bootstrap SCION CP-PKI
This tutorial focuses on bootstrapping the cryptographic material that is required to create a Trust Root Configuration (TRC). The target audience is representatives of voting members or Root Certificate Authorities (CAs) of the ISD.
Use the TRC Ceremony Builder to create a script for the TRC signing ceremony and its preparation.
Familiarize yourself with the TRC and its participants. Refer to the requirements for the actions needed during the TRC signing ceremony, and to the voting member checklist or CA checklist to quickly verify that you have the requirements in place.
Background
Relying parties in the SCION Control Plane PKI anchor their trust in the TRC of an ISD. The TRC contains information about the ISD parameters, the Root Certificates of all the trusted CAs of the ISD, and the voting certificates that are used to verify TRC updates.
When founding a new ISD, the voting members and Root CAs need to take part in a TRC base signing ceremony and create the TRC.
Roles in the TRC
A TRC contains cryptographic material for two participant roles in an ISD:
Role | Description |
---|---|
Voting member | Represent the governance of the ISD. They are responsible for creating TRC updates, e.g., to change the core ASes, the set of Root CAs, or any other ISD parameter. |
Certificate authority | Responsible for issuing and renewing the AS certificates of the participants in the ISD. Commonly, we distinguish between primary CAs, which issue the initial AS certificate of a new participant, and secondary CAs, which only renew AS certificates. |
Certificates in the TRC
The following three types of certificates appear in the TRC:
Type | Role | Purpose |
---|---|---|
regular-voting | Voting member | Authenticate vote in a regular TRC update |
sensitive-voting | Voting member | Authenticate vote in a sensitive TRC update |
cp-root | Certificate authority | Authenticate CA certificates, which in turn are used to issue AS certificates |
Private keys
Every certificate contains the public key that corresponds to a private key owned by the participant. The certificates are used to verify signatures created with that private key. When access to the private key is required depends on the key type:
Type | Who | Access |
---|---|---|
regular-voting | Representative of voting member | During TRC signing ceremony (to show proof-of-possession for new keys, and cast votes) |
sensitive-voting | Representative of voting member | During TRC signing ceremony (to show proof-of-possession for new keys, and cast votes) |
cp-root | CA Service | When issuing a new CA certificate |
The distinction between voting keys and CA keys matters for how you protect them. The voting keys are used only during the TRC signing ceremony and its preparation, i.e., when creating the initial base TRC or a subsequent TRC update. Between ceremonies, access to the voting keys is not required and should be restricted as much as possible to prevent misuse. The root key, on the other hand, is used to issue new CA certificates, which happens on a regular basis, so it should be available to the service that is responsible for issuing CA certificates periodically.
The SCION Control Plane PKI currently supports only the NIST EC curves P-256, P-384, and P-521 for these private keys. Use one of these curves when creating them.
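The curve restriction is easy to get wrong when a key is generated outside scion-pki (for example in a KMS console that defaults to secp256k1 or Ed25519). The following script is an added example for this tutorial; it is not part of scion-pki or the Anapaya documentation. It generates a key on one of the accepted curves with OpenSSL and, more usefully, checks which curve an existing PEM private key, public key or certificate uses. Because the check only needs the public key, it also works for keys that cannot leave a KMS: export the public key and run the check on that. The function names (`gen_cp_key`, `curve_of`, `cp_curve_ok`) are this example's own.

```sh
#!/bin/sh
# Added example for this tutorial; not part of scion-pki or the Anapaya docs.
# Creates an EC key on one of the curves the SCION CP-PKI accepts and checks
# that a PEM private key, public key or certificate uses P-256, P-384 or P-521.
# Only OpenSSL is used, so the check also works on a public key exported from
# a KMS when the private key itself cannot leave the backend.

# Generate a named-curve EC private key (PKCS#8 PEM).
#   $1 = P-256 | P-384 | P-521   $2 = output file
gen_cp_key() {
  case "$1" in
    P-256) name=prime256v1 ;;
    P-384) name=secp384r1 ;;
    P-521) name=secp521r1 ;;
    *) echo "unsupported curve: $1" >&2; return 1 ;;
  esac
  # ec_param_enc:named_curve matters: keys with explicit curve parameters are
  # not usable by the Go-based SCION tooling.
  openssl genpkey -algorithm EC \
    -pkeyopt "ec_paramgen_curve:$name" \
    -pkeyopt ec_param_enc:named_curve \
    -out "$2" 2>/dev/null
}

# Print the curve of a PEM private key, public key or X.509 certificate as
# P-256 / P-384 / P-521, or the raw OpenSSL curve name for any other curve.
# Prints nothing for keys without a named curve (RSA, Ed25519, EC keys with
# explicit parameters); returns 1 if OpenSSL cannot parse the file at all.
curve_of() {
  text=$(openssl pkey -in "$1" -noout -text 2>/dev/null \
      || openssl pkey -pubin -in "$1" -noout -text 2>/dev/null \
      || openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  # OpenSSL prints "ASN1 OID: <curve>" for named-curve EC keys only.
  oid=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
  case "$oid" in
    prime256v1) echo P-256 ;;
    secp384r1)  echo P-384 ;;
    secp521r1)  echo P-521 ;;
    *)          echo "$oid" ;;
  esac
}

# Return 0 if the file's key is on a curve the CP-PKI accepts, 1 otherwise.
cp_curve_ok() {
  case "$(curve_of "$1")" in
    P-256|P-384|P-521) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run `cp_curve_ok sensitive-voting.crt` (or on the public key exported from your KMS) for each of your root and voting keys before the ceremony; a key on secp256k1, an RSA key, or an EC key encoded with explicit parameters all fail the check, and the last case is the one that is easiest to miss because the key still looks like a valid P-256 key in most tooling.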
Requirements
The root, regular voting, and sensitive voting certificates are self-signed. There are multiple ways to create these certificates: with openssl, with step, or with the dedicated scion-pki tool. In this tutorial, you learn to use the scion-pki tool, as it is the most convenient way to create the certificates.
Installation
Download the tool from cloudsmith, make the downloaded file executable, and place it on your PATH:

```sh
curl -1sLf -O 'https://dl.cloudsmith.io/public/anapaya/public/raw/versions/latest/scion-pki'
```

Install the step-kms-plugin and make it available on your PATH so that the scion-pki tool can discover it. You can either build it from source or download a pre-built binary from cloudsmith:

```sh
curl -1sLf -O 'https://dl.cloudsmith.io/public/anapaya/public/raw/versions/latest/step-kms-plugin'
```

Test that step-kms-plugin is available:

```sh
scion-pki kms version
```

This should succeed and print the version of the step-kms-plugin.
Key storage
The private keys for the self-signed certificates included in the TRC must be well protected. Choose a secure key storage backend that fits your security requirements. Refer to key storage for an overview of the different backends that are supported by the scion-pki tool.
Voting member
As a voting member, you need to show proof-of-possession of both your regular and sensitive voting keys during the TRC signing ceremony. You need the following to participate in the ceremony:
- A sensitive voting key (asymmetric signing key with EC P-256, P-384 or P-521) that is stored in a secure key storage backend.
- A regular voting key (asymmetric signing key with EC P-256, P-384 or P-521) that is stored in a secure key storage backend.
- A copy of the regular voting certificate that contains the public key of your regular voting key.
- A copy of the sensitive voting certificate that contains the public key of your sensitive voting key.
- Access to an amd64 Linux machine with the scion-pki tool installed during the ceremony.
- The ability to create signatures with your private keys during the ceremony.
To use a cloud-based KMS to store your private keys, you must have access to the cloud-based KMS during the ceremony, i.e., your machine has Internet access, and you have an account with the permissions needed to sign with the keys.
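The last requirement, being able to produce a signature with your voting keys during the ceremony, is worth rehearsing in advance, especially when the key lives in a KMS whose permissions are only checked at signing time. The script below is an added example for this tutorial, not code from the page or from scion-pki. It signs a constructed challenge with a voting private key and verifies the signature against the public key of the matching voting certificate using only OpenSSL, and it also checks that a modified message is rejected. It pairs the digest with the curve (SHA-256 with P-256, SHA-384 with P-384, SHA-512 with P-521), which is the pairing the SCION certificate specification linked below prescribes for ECDSA signatures; confirm against that specification if in doubt. The function names and the challenge text are this example's own, and the self-test uses a throwaway key rather than a real voting key.

```sh
#!/bin/sh
# Added example for this tutorial; not part of scion-pki or the Anapaya docs.
# Ceremony rehearsal: sign a constructed challenge with a voting key and verify
# it against the public key of the corresponding voting certificate, then make
# sure a tampered message is rejected.

# Digest to use with a key on the given curve (ECDSA with SHA-256/384/512 for
# P-256/P-384/P-521); returns 1 for any other curve.
digest_for_curve() {
  case "$1" in
    P-256) echo sha256 ;;
    P-384) echo sha384 ;;
    P-521) echo sha512 ;;
    *) return 1 ;;
  esac
}

# Print the public key PEM of $1, which may be an X.509 certificate (the voting
# certificate) or an already-exported public-key file. Assumes PEM input.
pubkey_of() {
  if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    openssl x509 -in "$1" -pubkey -noout
  else
    cat "$1"
  fi
}

# ECDSA-sign file $3 with private key $1 and digest $2; DER signature to $4.
sign_file() {
  openssl dgst "-$2" -sign "$1" -out "$4" "$3" 2>/dev/null
}

# Verify signature $4 over file $3 with digest $2 against cert/public key $1.
# Returns 0 only if OpenSSL reports "Verified OK".
verify_sig() {
  pub=$(mktemp) || return 1
  pubkey_of "$1" > "$pub"
  openssl dgst "-$2" -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1
  rc=$?
  rm -f "$pub"
  return "$rc"
}

# End-to-end rehearsal on a throwaway P-384 key and a constructed challenge.
# Returns 0 if the genuine signature verifies and the tampered message does not.
selftest() {
  d=$(mktemp -d) || return 1
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
    -pkeyopt ec_param_enc:named_curve -out "$d/regular.key" 2>/dev/null || return 1
  openssl pkey -in "$d/regular.key" -pubout -out "$d/regular.pub" 2>/dev/null || return 1
  # Constructed sample inputs, not ceremony data.
  printf 'TRC ceremony rehearsal: constructed challenge\n' > "$d/challenge"
  printf 'TRC ceremony rehearsal: tampered challenge\n' > "$d/tampered"
  dg=$(digest_for_curve P-384) || return 1
  sign_file "$d/regular.key" "$dg" "$d/challenge" "$d/challenge.sig" || return 1
  verify_sig "$d/regular.pub" "$dg" "$d/challenge" "$d/challenge.sig" || return 1
  if verify_sig "$d/regular.pub" "$dg" "$d/tampered" "$d/challenge.sig"; then
    rm -rf "$d"
    return 1
  fi
  rm -rf "$d"
  return 0
}
```

For a real rehearsal, replace the throwaway key with your regular voting key file and your regular voting certificate (`sign_file regular-voting.key sha256 challenge challenge.sig` followed by `verify_sig regular-voting.crt sha256 challenge challenge.sig`), and repeat for the sensitive voting key; a verification failure here usually means the certificate does not belong to the key you are about to bring to the ceremony. For keys held in a KMS, the signing step is done by your KMS client instead of `openssl dgst -sign`, but the verification against the certificate is unchanged.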
Certificate authority
As a CA, you need to provide the root certificate for inclusion in the TRC during the TRC signing ceremony. You need the following to participate in the ceremony:
- A root key (asymmetric signing key with EC P-256, P-384 or P-521) that is stored in a secure key storage backend.
- A copy of the root certificate that contains the public key of your private key.
- Access to an amd64 Linux machine with the scion-pki tool installed to inspect the data that is exchanged during the ceremony.
What's next?
Head to the key storage section to learn more about the different key storages and follow the instructions for your preferred key storage backend. Use the TRC Ceremony Builder to conveniently build the commands for creating the certificates, and to prepare for the full TRC signing ceremony.
Consult the checklists to verify that you have all the requirements in place before you start the TRC signing ceremony.
Additional Information
Check out the following docs for more information on TRC ceremonies and the cryptographic material that is used in the SCION Control Plane PKI.
Link | Description |
---|---|
TRC Signing Ceremony | High-level description of TRC signing ceremony |
TRC Ceremony Builder | Tool to build script for a participant in the TRC signing ceremony. |
TRC Specification | Specification for the TRC and voting certificates. |
Certificate Specification | Specification for the control plane PKI certificates. |