----- Original Message -----
From: "Yedidyah Bar David" <didi(a)redhat.com>
To: "Sven Kieske" <S.Kieske(a)mittwald.de>
Cc: "Users(a)ovirt.org List" <Users(a)ovirt.org>, "Alon Bar-Lev" <alonbl(a)redhat.com>
Sent: Wednesday, January 29, 2014 3:12:21 PM
Subject: Re: [Users] replace engine hostname /pki
(Following a discussion with Alon)
Hi,
I hope you find this [1] helpful; if not, we should work to make it better.
Thanks,
[1] http://www.ovirt.org/Features/PKI
----- Original Message -----
> From: "Sven Kieske" <S.Kieske(a)mittwald.de>
> To: "Yedidyah Bar David" <didi(a)redhat.com>
> Cc: "Users(a)ovirt.org List" <Users(a)ovirt.org>
> Sent: Wednesday, January 29, 2014 1:24:40 PM
> Subject: Re: [Users] replace engine hostname /pki
>
> Additional question regarding the certificates/pki:
>
> the wikipage states:
>
> "The bigger concern is with the engine's certificate. Currently, to the
> best of our knowledge, there is no component that actually checks this
> trust."
Well, this is not accurate. The trust path _is_ checked, but against the
saved CA cert. On host deploy the host saves the CA cert and so can verify
the trust path even if the CA's hostname does not exist any more and can't
be connected to in order to get /ca.crt.
The point was that if there is something (e.g. a SPICE client or web browser)
that checks the trust path, this will fail if that client did not have the
CA cert, or tries to download it again after the rename.
> (All three certificates (CA, httpd, engine) are for the Common Name (CN)
> whose value is the hostname entered during engine-setup, which is
> supposed to be the hostname of the engine's machine, exist in the DNS
> (forward and reverse records), and point to an IP address of the
> engine's machine.)
>
> Is there a list of values that get checked? e.g. the validity dates
> before and after?
Yes, these are checked.
>
> Users might run into trouble in 10 years if this gets checked, because
> that is the current expiration date.
Indeed. If oVirt systems live 10 years, (1) we'll be very happy :-), and
(2) all certificates will need to be reissued. You can verify this today
by moving the clock.
>
> if _nothing_ gets checked I wonder why the PKI is used at all ;)
>
> (I assume at least the keys get checked)
Yes.
Alon also added: Revocations are not checked. This means that if someone
breaks into your engine, there is no simple way to tell the hosts to not
trust the old engine key anymore.
--
Didi