[Users] replace engine hostname /pki

Yedidyah Bar David didi at redhat.com
Wed Jan 29 13:12:21 UTC 2014


(Following a discussion with Alon)

----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: "Yedidyah Bar David" <didi at redhat.com>
> Cc: "Users at ovirt.org List" <Users at ovirt.org>
> Sent: Wednesday, January 29, 2014 1:24:40 PM
> Subject: Re: [Users] replace engine hostname /pki
> 
> Additional question regarding the certificates/pki:
> 
> the wikipage states:
> 
> "The bigger concern is with the engine's certificate. Currently, to the
> best of our knowledge, there is no component that actually checks this
> trust."

Well, this is not accurate. The trust path _is_ checked, but against the
saved ca cert. On host deploy the host saves the ca cert and so can verify
the trust path even if the ca's hostname does not exist any more and can't
be connected to in order to get /ca.crt .

The point was that if there is something (e.g. spice client, web browser)
that checks the trust path, this will fail if that client does not have the
ca cert, or tries to download it again after the rename.

> (All three certificates (CA, httpd, engine) are for the Common Name (CN)
> whose value is the hostname entered during engine-setup, which is
> supposed to be the hostname of the engine's machine, exist in the dns
> (forward and reverse records), and point to an IP address of the
> engine's machine. )
> 
> Is there a list of values that get checked? e.g. the validity dates
> before and after?

Yes, these are checked.

> 
> users might run into trouble in 10 years if this gets checked, because
> that is the current expiration date.

Indeed. If oVirt systems live 10 years, 1. we'll be very happy :-),
2. all certificates will need to be reissued. You can verify this today
by moving the clock.

> 
> if _nothing_ gets checked I wonder why the PKI is used at all ;)
> 
> (I assume at least the keys get checked)

Yes.

Alon also added: Revocations are not checked. This means that if someone
breaks into your engine, there is no simple way to tell the hosts to not
trust the old engine key anymore.
-- 
Didi
