Thanks for the link,
I will work through the page and see if any questions pop up.
Also thanks to yedidyah for the clarification!
On 29.01.2014 14:23, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Yedidyah Bar David" <didi(a)redhat.com>
> To: "Sven Kieske" <S.Kieske(a)mittwald.de>
> Cc: "Users(a)ovirt.org List" <Users(a)ovirt.org>, "Alon Bar-Lev" <alonbl(a)redhat.com>
> Sent: Wednesday, January 29, 2014 3:12:21 PM
> Subject: Re: [Users] replace engine hostname /pki
>
> (Following a discussion with Alon)
Hi,
I hope you find this[1] helpful, if not we should work to make it better.
Thanks,
[1]
http://www.ovirt.org/Features/PKI
>
> ----- Original Message -----
>> From: "Sven Kieske" <S.Kieske(a)mittwald.de>
>> To: "Yedidyah Bar David" <didi(a)redhat.com>
>> Cc: "Users(a)ovirt.org List" <Users(a)ovirt.org>
>> Sent: Wednesday, January 29, 2014 1:24:40 PM
>> Subject: Re: [Users] replace engine hostname /pki
>>
>> Additional question regarding the certificates/pki:
>>
>> the wikipage states:
>>
>> "The bigger concern is with the engine's certificate. Currently, to the
>> best of our knowledge, there is no component that actually checks this
>> trust."
>
> Well, this is not accurate. The trust path _is_ checked, but against the
> saved ca cert. On host deploy the host saves the ca cert and so can verify
> the trust path even if the ca's hostname does not exist any more and can't
> be connected to to get /ca.crt .
>
> The point was that if there is something (e.g. spice client, web browser)
> that checks the trust path, this will fail, if this client did not have the
> ca cert, or tries to download it again after the rename.
>
>> (All three certificates (CA, httpd, engine) are for the Common Name (CN)
>> whose value is the hostname entered during engine-setup, which is
>> supposed to be the hostname of the engine's machine, exist in the dns
>> (forward and reverse records), and point to an IP address of the
>> engine's machine. )
>>
>> Is there a list of values that get checked? e.g. the validity dates
>> before and after?
>
> Yes, these are checked.
>
>>
>> users might run into trouble in 10 years if this gets checked, because
>> that is the current expiration date.
>
> Indeed. If ovirt systems will live 10 years, 1. We'll be very happy :-),
> 2. all certificates will need to be reissued. You can verify this today
> by moving the clock.
>
>>
>> if _nothing_ gets checked I wonder why the PKI is used at all ;)
>>
>> (I assume at least the keys get checked)
>
> Yes.
>
> Alon also added: Revocations are not checked. This means that if someone
> breaks into your engine, there is no simple way to tell the hosts to not
> trust the old engine key anymore.
> --
> Didi
>
--
Kind regards / Regards
Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID no.: DE814773217, HRA 6640, Bad Oeynhausen Local Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen Local Court
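As an added, stand-alone illustration of the checks Didi describes above (trust path against a CA certificate the host saved at deploy time, validity dates that can be exercised by moving the clock, the hostname in the certificate, and the fact that revocation is not consulted), the Go program below builds a throwaway CA and engine certificate in memory and runs each case through the standard library's chain verifier. It is not oVirt code and does not touch the real /etc/pki layout; the engine hostname and the ten-year lifetimes are assumed values chosen to match the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed demo PKI, not oVirt's: a self-signed CA plus one leaf whose
// CN/SAN is the hypothetical engine hostname below.
const engineHost = "engine.example.test" // assumed hostname, not from the thread

// signCert signs template under parent with parentKey and parses the result.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildDemoPKI issues a CA and an engine certificate, both valid for ten
// years from now (the expiry the thread mentions).
func buildDemoPKI(now time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-ca"},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if ca, err = signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: engineHost},
		DNSNames:     []string{engineHost},
		NotBefore:    now,
		NotAfter:     now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// verifyPath does what a host that saved ca.crt at deploy time can do offline:
// chain leaf to the saved CA, check validity at `at`, and match host against
// the certificate. savedCA == nil models a client that never stored the CA.
// As in the thread, nothing here consults a CRL or OCSP responder.
func verifyPath(leaf, savedCA *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool() // non-nil but empty: system roots are not consulted
	if savedCA != nil {
		roots.AddCert(savedCA)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// Classifiers for the three failure modes discussed in the thread.
func isExpired(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.Expired
}
func isHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func main() {
	now := time.Now()
	ca, leaf, err := buildDemoPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("saved CA, today:         ", verifyPath(leaf, ca, engineHost, now))
	fmt.Println("saved CA, engine renamed:", verifyPath(leaf, ca, "new.example.test", now))
	fmt.Println("saved CA, clock +11y:    ", verifyPath(leaf, ca, engineHost, now.AddDate(11, 0, 0)))
	fmt.Println("no saved CA:             ", verifyPath(leaf, nil, engineHost, now))
}
```

The first case passes even though no connection to the CA's hostname is ever made, which is Didi's point about hosts that stored the CA at deploy time. The second case is the renamed-engine scenario for a client that does check the name; the third is the "move the clock" experiment; the fourth is a client with no saved CA. A compromised engine key would still pass the first case, since no revocation status is consulted.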