FR-09: Manage Root Certificate Updates

[danisoler-charin]

Description:
The system shall provide a mechanism for updating and distributing new root certificates from root certificate providers to all ecosystem participants in a secure and timely manner.
Use Case:
A root certificate provider issues a new root certificate, and it must be propagated securely and quickly across all pools in the ecosystem.
Current Status (based on comments):

• Flagged as already possible in OPNC v1.0.
• Commented as managed by webhooks of the Root Certificate Providers (RCPs)
• Also mentioned that CTL should be primarily responsible, but it is not implemented yet.

Discussion Points:

• Should OPNC define a standard webhook specification for root certificate updates? Is it already in place or not?
• Is there a need for an interim CTL strategy within OPNC until STF or SAE releases a full framework?

[marvin-fastned]

Should OPNC define a standard webhook specification for root certificate updates? Is it already in place or not?

I don't know if it's in place already, but I would say that OPNC should provide and standardize for the webhook events of i.e. "RootCertificateAdded", "RootCertificateDeleted" etc. For now, CPOs/MSPs/OEMs and other PNC providers might listen to it, whereas when the CTL is in place maybe the PNC providers don't need to listen to it any longer, directly consuming from the CTL instead.

Is there a need for an interim CTL strategy within OPNC until STF or SAE releases a full framework?

As I understand, as interim solution Hubject/Irdeto/Gireve are already broadcasting additions to their RCPs to each other? If it is indeed the case I'd imagine it should suffice until STF releases their CTL (timeline tbc)

[danisoler-charin]

Update due to Aug 6th discussion:
Current understanding:

• OPNC already defines a webhook mechanism for events between a root certificate pool and its connected participants. This allows MOs/CPOs/eMSPs to receive notifications (including new root certificates) from their chosen pool.
• What is not yet in place is an agreed process for root certificate exchange between pool providers. Today, each pool maintains its own root certificate list, based on its own onboarding/validation criteria. There is no mutual sharing of roots between pools.

Interim approach discussion:

• Until the STF-managed CTL is operational (current EU proposal says ~2028, but several participants are pushing to shorten this), there is consensus that we need an interim approach.
• Options discussed:
  -> Bilateral or trilateral agreements between existing pools (GF, Hubject, e-clearing) to share root certificates based on agreed validation criteria (“trust framework”).
  -> Use of existing OPNC webhooks for root certificate updates, if pools agree to share the data.
  -> Ensure any solution is open so that other root certificate pools (e.g., SAE in the US) could participate in the same event/notification model.

Next steps / open points:

• The three major pool operators to discuss and agree if and how to exchange roots before CTL is live. @steffenrhinow @guillaumeFRANCOIS @thesimmermon
• Define common onboarding/validation criteria to ensure mutual trust.
• Assess if OPNC’s current webhook event definition for root updates is sufficient from a security perspective.