Update Factory PKI docs according to recent changes

[vkhoroz]

PR Template and Checklist

This is an overhaul of two PKI related pages which are outdated for a long time already.

I added a lot of context to the Reference Manual, so that the user can now find all necessary information about PKI in one place.

Because of the above, quite some content was removed from the User Guide page about Factory PKI.
Instead, I improved on the original idea of that page to give more insights about how the PKI API works.
With these additions, we may now reference this updated User Guide to our users who want to integrate with the API directly.

Readiness

• Merge (pending reviews)
• Merge after date or event
• Draft

Overview

Why merge this PR? What does it solve?

Checklist

• Run spelling and grammar check, preferably with linter.
• Avoid changing any header associated with a link/reference.
• Step through instructions (or ask someone to do so).
• Review for wordiness
• Match tone and style of page/section.
• Run make linkcheck.
• View HTML in a browser to check rendering.
• Use semantic newlines.
• follow best practices for commits.
  • Descriptive title written in the imperative.
  • Include brief overview of QA steps taken.
  • Mention any related issues numbers.
  • End message with sign off/DCO line (-s, --signoff).
  • Sign commit with your gpg key (-S, --gpg-sign).
  • Squash commits if needed.
• Request PR review by a technical writer and at least one peer.

Comments

Any thing else that a maintainer/reviewer should know.
This could include potential issues, rational for approach, etc.

[vkhoroz]

@vanmaegima @caiotpereira You've been working a lot recently with our users who integrate directly with the Factory PKI.

May you help me understand if the changes I make to our Factory PKI documentation will make that integration more clear?

[vkhoroz]

I'm going to check links on these pages after the docs are generated.
Also, I might add the "References" section to the bottom of each page, just like I was adding it to other pages.
It has taken me a lot of effort to compose those pages, so I wanted to get an early review before I spend time on links routine.

As for the vale errors - @kprosise we may want to improve our rule checkers.

[kprosise]

I'm going to check links on these pages after the docs are generated. Also, I might add the "References" section to the bottom of each page, just like I was adding it to other pages. It has taken me a lot of effort to compose those pages, so I wanted to get an early review before I spend time on links routine.

As for the vale errors - @kprosise we may want to improve our rule checkers.

Note that one of the link-check issues is related to a license change that I am waiting on. Regarding the vale errors, my guess is that a earlier syntax issue, such as a wrongly formed link or code-block is causing it to parse things incorrectly. This has been the case in the pass. I will check it out locally soon and see if I can figure out where the issue is.

[doanac]

this is great. thanks so much

[doanac]

Suggested change

	You own the private key (NIST P-256 by default), and share the corresponding certificate with Foundries.io.
	You own the private key (NIST P-256 by default), and share the corresponding public certificate with Foundries.io.

[vkhoroz]

Nixed.

A key can be public or private. A certificate is just a... certificate, bearing a public key. So it is presumed to be public.

[doanac]

do we? and if so, were do we document how to do it.

[vkhoroz]

Some of our customers do store their Factory root private keys in the Cloud HSM.
I don't know if they used the --hsm-xxx options of Fioctl for that or not.
I'd like to get feedback from customer support on that.

As for documenting the HOW part, there are two options:

1. Do nothing.
   The user may generate a private key without --hsm-xxx options, and then copy it into the HSM.
   It is up to the HSM provider to document how to do that.
2. Document --hsm-xxx options in a separate section here.
   Before doing that, I'd like to first verify our integration with e.g. AWS Cloud HSM, and write a blog post about that.

Currently, I have no capacity to do 2, so I decided that 1 is better than nothing.

I do not feel confident with only intructing our users to print private key and store in multiple safes.
The thing is: almost nobody does that, and when they lose the key - they come to blame on us.

A simple sentence to say they need to store a key in a cloud HSM will motivate them to do the research and offload this pain onto a billionaire business.

[doanac]

We can't recommend something and not provide documentation for something this complicated. It will lead to a support ticket for each new customer.

[vkhoroz]

For now, I think it should be enough to refer to this page: https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-importPrivateKey.html.

I did not mean to document a complete HSM support in this iteration.
But, I want to recommend at least importing the private key into the HSM (use it as a digital safe).

@doanac WDYT?

[doanac]

maybe. You should consult with support. The problem I see with statement around this are people then asking:

• Why AWS instead of $X
• How much does it cost?
• <insert random question for something we can't predict since we haven't even tried ourselves>

[vkhoroz]

I tried to use vendor neutral sentence, but I think it might be improved like e.g. below:

We recommend storing your Factory Root of Trust in a cloud-based HSM solution of your choice.
For example, we verified that the `AWS Cloud HSM <link to landing page>`_ supports `importing EC private keys <link to manual>`_.

Obviously, I need to verify that it really works, before making that bold statement.

[doanac]

I can live with that.

[mike-sul]

Looks like AWS Cloud HSM advertisement.

[vanmaegima]

wrt customer support: Andy has a point here, we will get inquiries if we don't provide information on this topic. I'm ok with pointing to AWS Cloud HSM. We can always revisit this later if this becomes a pain point.

[vkhoroz]

Rephrased accoring to my suggestion.

[angolini]

I cannot finish the review right now. I come back tomorrow from where I left

[angolini]

I'm trying new orders for these 4 sentences and my suggestion is:

LmP devices connect to OTA services via a :ref:`Device Gateway <ref-ota-architecture>` configured with mutual TLS.

When a new Factory is created, it is configured to use the default "shared" PKI with Certificates owned by Foundries.io™.

A Factory Public Key Infrastructure (PKI) is a set of Digital Certificates used to establish trust between Factory devices and Device Gateway.

This allows a newcomer to faster engage with the FoundriesFactory®, allowing to streamline your product development.

Why "shared" is in quotes?

I would drop "a newcomer" and would simplify "This allows to faster engage with the....." as it will make it easier for everyone (right? if not, please ignore)

[vanmaegima]

I was also caught by the "shared" in quotes, it seems sketchy

[vkhoroz]

I shuffled sentences/words in a different way, and removed some junk words. Does it look better now?

[angolini]

Suggested change

	We allow you to set up your own PKI for your Factory — and **encourage** doing that before going to production.
	We allow you to set up your own Factory PKI — and **encourage** doing that before going to production.

[angolini]

I remember we talked about "recommendations" on the RM, but I don't know exactly which set of words to use. I will ask @kprosise to comment on the details.

I think this sentence is too loose. I would not say "we allow", and "encourage" is vague. I would say something on the lines:

It is recommended to set up and test a new Factory PKI before going to production.

[mike-sul]

Maybe highly recommended.

@vkhoroz @doanac I actually think we can forbid connection to DG if a factory-specific PKI is not setup in the production case.

[mike-sul]

These term, your own Factory PKI or a new Factory PKI maybe just a Factory PKI, or a Factory specific PKI.

[doanac]

@vkhoroz @doanac I actually think we can forbid connection to DG if a factory-specific PKI is not setup in the production case.

We can't. We have customers that are in production without their own PKI.

Also - I kind of prefer "your own PKI". This makes it sound generic like it is and not something we've invented for Factory PKI.

[vanmaegima]

+1 on highly recommend

[vkhoroz]

I actually preserved the original text here... did not want to insult its author as I found it good enough.
As per your recommendation I will truncate amount of imperative buzzwords here to just "recommend".

But I object to using any level-up adjectives: recommendation is a very clear term in ABNF/RFC world, it cannot be higher or lower.
We should use a different word for a higher degree of insistance like should or must; but neither of these words is appropriate here.

[angolini]

Suggested change

	- Controlling who (which devices) can connect to your Factory device gateway to fetch configuration and software updates.
	- Controlling who (which servers) can deliver configuration and software updates to your Factory devices.
	- Controlling which devices can connect to your Factory Device Gateway to fetch configuration and software updates.
	- Controlling which servers can deliver configuration and software updates to your Factory devices.

[mike-sul]

How "owning your Factory PKI" allows "Controlling who (which servers) can deliver configuration and software updates"? It is the same server/service across all factories - Device Gateway.

[vkhoroz]

It is not necessarily the Foundries.io device gateway - the user is free to set up their own server.
A device gateway here serves only as a medium.

After taking ownership of the Factory PKI a customer is the only entity who can issue the device gateway TLS certificate, and they are free to put any domain into it.
In that way they have full control who delivers updates to their devices.

Before they take ownership of the Factory PKI, it is the Foundries.io who possesses that privilege.

[angolini]

ok, so reset Factory PKI and set up your own Factory PKI are two different things. But both rotate the keys, right? This is only a matter of who is performing the rotation. Maybe a link in the "encourage" sentence (line 12) is missing.

[vkhoroz]

Resetting Factory PKI does not rotate the certificates.
It is like a factory reset - return back to using the shared PKI.

At that point all existing devices will no longer be update to fetch updates, until manual intervention.
We work on rotating the Root of Trust as a separate feature, which is (tentatively) going to be ready in Q4 this year.

[vanmaegima]

this hyperlink is not working, I guess we are missing an _ somewhere

[mike-sul]

It sounds like TLS cert is the only thing that is needed/involved in the session key setup.

[vkhoroz]

It is the only one.
A client certificate is involved at a later time during the TLS handshake to for the client authorization after the session was already set up.

[mike-sul]

It sounds like an incomplete story after This certificate must be signed by either a :ref:Local Device CA or an :ref:Online Device CA . The lmp-dev-reg` does not generate the cert, it just generates CSR... Probably adding more details and so it includes "signed by/with".

[vkhoroz]

Fixed.

Not sure how much the new version is better... at least it pretends to tell a full story.

[mike-sul]

Maybe opt out of using the Online Device CA in favor of Local Device CA?

[vkhoroz]

I disagree. That would make a sentence excessively longer providing marginally more value.

[mike-sul]

I think one or more of us should go through these commands and see if they work for him/her.

[vkhoroz]

IIRC I tested these commands before adding to the doc.
Nevertheless, it would be nice is somebody (not me) tries them and provides feedback.

[mike-sul]

I would structure this introductory paragraph in the form of numbered list. It will kind of outline ordered steps to "Setting Factory PKI through the API". Kind of "to setup factory PKI through the API do 1. <> 2. <> ...

[vkhoroz]

Maybe you are right.
Just ATM I am out of context for this PR and limited in time.
...Preferring to leave that task to the next iteration of improvements.

[mike-sul]

I'll follow the guidance on setting a factory PKI through the API to check if it works for me on Monday.

[angolini]

This is a very complex, extensive text. Sometimes I get confused so I may suggest the wrong thing.

I started taking note of all the terms to try to find out what is a certificate and what is a player, and this is the list of terms (i could note):

• Factory PKI
• Factory PKI API
• Factory RoT
• Factory Root CA
• Online Device CA
• Local Device CA
• Factory Local Device CA
• Device Gateway
• Client Certificate
• EST Server TLS Certificate
• Device Gateway PKI
• server TLS certificate

And I think the players are: Factory, Factory PKI API and Device Gateway.

[angolini]

"shared" again. I don't know how to interpret this

[vanmaegima]

maybe "default Factory PKI"

[vkhoroz]

It is both default and shared...
Shared better emphasizes on its essense, as it is exactly the same set of cetificates for all factories.

[angolini]

Here "Root of Trust" is alone. In other places, it's "Factory Root of Trust".

[vkhoroz]

Not sure if we need to fix it. I prefer to skip.

[angolini]

does that mean I cannot have zero local device CAs?

[vkhoroz]

Added one more sentence to express ability to have zero.

[angolini]

line 226 can become a note/important/warning

[vkhoroz]

I prefer to keep as is to avoid fancy markup inside a list.

[angolini]

if it's not mine, who owns the private key?

[mike-sul]

I guess Volodya meant ; the private key is owned by you.

[vkhoroz]

I meant what is there - NOT owned by you. This is the essence of the Online Device CA. And this is the primary reason for the below recommendation.

[angolini]

Suggested change

	That information is used by the API to validate that you upload a Root CA for a correct Factory.
	That information is used by the API to validate that you upload a Root CA for the correct Factory.

[vkhoroz]

Not sure, but IMHO in this case a correct is a more correct use: https://textranch.com/c/a-correct-or-the-correct/

[angolini]

replay? mimic? miror?

to try to avoid that tricky word:

Suggested change

	You can replay what the ``lmp-device-register`` and ``factory-registration-reg`` tools do using the following steps using OpenSSL.
	the following steps use OpenSSL to do the same thing as ``lmp-device-register`` and ``factory-registration-reg``.

[vkhoroz]

Accepted and amended.

[vkhoroz]

@doanac @angolini @mike-sul @kprosise thank you so much for your code feedback.

I was intentionally silent during your discussions, because I have too much context on this, so cannot be objective about this text.
Now, that I've got all your inputs, I will try to further improve these pages as per your comments.

[angolini]

It looks like we have:
2 safes:

Your Safe

• Private Factory Root of Trust

Foundries Safe

• Private TLS CRT

I'm not sure how many TLS sessions there is, but I guess it's 2: Factory <-> Device Gateway and Device Gateway <-> each Device?

Then we have 3 players: Factory, Device Gateway, Device

Factory:

• Public Factory Root of Trust
• Factory PKI
• Public TLS for Device Gateway

Device Gateway:

• TLS ?
• Device Gateway PKI
• Online/Offline Device CA?

Device:

• something to be identified in the factory (i don't remember the name)
• something to context with the Device Gateway

You can see I got lost at some point and cannot actually picture what are the keys and the players. Anyway, I tried to list all moving pieces

[mike-sul]

Just IMO, the verb contact sounds a bit weird in this context.

[vkhoroz]

Agreed and used verbs play with and call.

[mike-sul]

I think it should be [ext].

[mike-sul]

Or, it is the file ca.ext, then I would distinguish/separate these two files more clearly.

[vkhoroz]

It is a separate file - that should be evident from indentation and the above sentence referring to configuration fileS.

[mike-sul]

The doc doesn't provides details on the tls.csr. Maybe it should be stated explicitly that this file should be generated by extracting the "tls-csr" from the response received from the server on the initial request?

[vkhoroz]

Good catch!
Added a sentence about that in step 1.

[mike-sul]

Maybe just device certificate instead of device client certificate?

[vkhoroz]

I have no strong opinion... the latter just seems more specific to me, as there might be many certificates on the device.

[mike-sul]

This command prints two hostnames. Maybe it makes sense to state that *.ota-lite.f.io should be used in the last example, otherwise a user might try the ostree hostname.

[vkhoroz]

The user is only interested in the <device-gateway-ID> but I admit that this sentence does not hint how to obtain it.
I tried to improve - let me know how if it helps.

[mike-sul]

LGTM, the commands to deal with the API directly work for me, I have just minor comments and suggestions:

1. No info/example how to register a production device through the API.
2. No info/example how to register a device through the ota-lite API. The current example is for the auto-registration at DG case.

[vanmaegima]

@vkhoroz sorry for the delay on the review, I just noticed this got lost on my inbox during EW
I will try and review this week

[vanmaegima]

+1 on highly recommend

[vanmaegima]

I was also caught by the "shared" in quotes, it seems sketchy

[vanmaegima]

wrt customer support: Andy has a point here, we will get inquiries if we don't provide information on this topic. I'm ok with pointing to AWS Cloud HSM. We can always revisit this later if this becomes a pain point.

[vanmaegima]

maybe "default Factory PKI"

[kprosise]

Once comments/suggestions are resolved, I will give this an in-depth review.

[mike-scott]

@vkhoroz I think this PR is still a priority. Do you have time to review the comments and make an update?

[kprosise]

Once all technical content is verified, I can help with cleanup. There is also a lot of good suggestions already, which should be applied.

[vkhoroz]

@mike-scott @kprosise Jumping on it for today and tomorrow.

[vkhoroz]

@kprosise @doanac @dagriego @vanmaegima @mike-sul
I tried to incorporate your suggestions to the maximum of my current capacity.

Please, let me know how can it be improved further.

[doanac]

Docs for 92e0b00 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2777/docs/artifacts/html/index.html

[doanac]

Docs for 30c6e00 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2778/docs/artifacts/html/index.html

[doanac]

Docs for ec00631 are browsable at: https://ci.foundries.io/projects/fio-docs/builds/2779/docs/artifacts/html/index.html

[kprosise]

@vkhoroz reviewing your comments and changes, I am comfortable going ahead and merging this if there is no other feedback. If it sounds good to you, I will give it until Thursday before merging.

[kprosise]

lgtm

[vanmaegima]

minor comments on cross references and hyperlinks not working, otherwise lgtm

[vanmaegima]

this hyperlink is not working, I guess we are missing an _ somewhere

[vanmaegima]

should these ref: be referencing somewhere in the doc?
maybe this should be ``

[kprosise]

ref: -> :ref: they are just missing colons in front. Working on a patch for this commit right now.

[vanmaegima]

same here for the hyperlink

[vanmaegima]

ref is not working here

[kprosise]

Suggested change

	`Contact customer support <https://support.foundries.io>` if you need your Factory PKI being reset.
	`Contact customer support <https://support.foundries.io>`_ if you need your Factory PKI being reset.

[kprosise]

I am going to go ahead and merge, and I will follow up with a PR to fix issues with hyperlinks.