(Following a discussion with Alon)
----- Original Message -----
From: "Sven Kieske" <S.Kieske(a)mittwald.de>
To: "Yedidyah Bar David" <didi(a)redhat.com>
Cc: "Users(a)ovirt.org List" <Users(a)ovirt.org>
Sent: Wednesday, January 29, 2014 1:24:40 PM
Subject: Re: [Users] replace engine hostname /pki
Additional question regarding the certificates/pki:
the wikipage states:
"The bigger concern is with the engine's certificate. Currently, to the
best of our knowledge, there is no component that actually checks this
trust."
Well, this is not accurate. The trust path _is_ checked, but against the
saved ca cert. On host deploy the host saves the ca cert and so can verify
the trust path even if the ca's hostname does not exist any more and can't
be connected to to get /ca.crt.
The point was that if there is something (e.g. spice client, web browser)
that checks the trust path, this will fail, if this client did not have the
ca cert, or tries to download it again after the rename.
(All three certificates (CA, httpd, engine) are for the Common Name (CN)
whose value is the hostname entered during engine-setup, which is
supposed to be the hostname of the engine's machine, exist in the dns
(forward and reverse records), and point to an IP address of the
engine's machine.)
Is there a list of values that get checked? e.g. the validity dates
before and after?
Yes, these are checked.
Users might run into trouble in 10 years if this gets checked, because
that is the current expiration date.
Indeed. If oVirt systems live for 10 years, (1) we'll be very happy :-), and
(2) all certificates will need to be reissued. You can verify this today
by moving the clock.
If _nothing_ gets checked, I wonder why the PKI is used at all ;)
(I assume at least the keys get checked)
Yes.
Alon also added: Revocations are not checked. This means that if someone
breaks into your engine, there is no simple way to tell the hosts to not
trust the old engine key anymore.
--
Didi