[Users] replace engine hostname /pki
Alon Bar-Lev
alonbl at redhat.com
Wed Jan 29 13:23:10 UTC 2014
----- Original Message -----
> From: "Yedidyah Bar David" <didi at redhat.com>
> To: "Sven Kieske" <S.Kieske at mittwald.de>
> Cc: "Users at ovirt.org List" <Users at ovirt.org>, "Alon Bar-Lev" <alonbl at redhat.com>
> Sent: Wednesday, January 29, 2014 3:12:21 PM
> Subject: Re: [Users] replace engine hostname /pki
>
> (Following a discussion with Alon)
Hi,
I hope you find this[1] helpful; if not, we should work to make it better.
Thanks,
[1] http://www.ovirt.org/Features/PKI
>
> ----- Original Message -----
> > From: "Sven Kieske" <S.Kieske at mittwald.de>
> > To: "Yedidyah Bar David" <didi at redhat.com>
> > Cc: "Users at ovirt.org List" <Users at ovirt.org>
> > Sent: Wednesday, January 29, 2014 1:24:40 PM
> > Subject: Re: [Users] replace engine hostname /pki
> >
> > Additional question regarding the certificates/pki:
> >
> > the wikipage states:
> >
> > "The bigger concern is with the engine's certificate. Currently, to the
> > best of our knowledge, there is no component that actually checks this
> > trust."
>
> Well, this is not accurate. The trust path _is_ checked, but against the
> saved ca cert. On host deploy the host saves the ca cert and so can verify
> the trust path even if the ca's hostname does not exist any more and can't
> be connected to, to get /ca.crt.
>
> The point was that if there is something (e.g. spice client, web browser)
> that checks the trust path, this will fail if this client did not have the
> ca cert or tries to download it again after the rename.
>
> > (All three certificates (CA, httpd, engine) are for the Common Name (CN)
> > whose value is the hostname entered during engine-setup, which is
> > supposed to be the hostname of the engine's machine, exist in the dns
> > (forward and reverse records), and point to an IP address of the
> > engine's machine. )
> >
> > Is there a list of values that get checked? e.g. the validity dates
> > before and after?
>
> Yes, these are checked.
>
> >
> > users might run into trouble in 10 years if this gets checked, because
> > that is the current expiration date.
>
> Indeed. If ovirt systems live 10 years: 1. we'll be very happy :-),
> 2. all certificates will need to be reissued. You can verify this today
> by moving the clock.
>
> >
> > if _nothing_ gets checked I wonder why the PKI is used at all ;)
> >
> > (I assume at least the keys get checked)
>
> Yes.
>
> Alon also added: Revocations are not checked. This means that if someone
> breaks into your engine, there is no simple way to tell the hosts to not
> trust the old engine key anymore.
> --
> Didi
>
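An added illustration of the checks discussed in this thread (trust path verified against the CA cert a host saved at deploy time, validity dates that fail once the clock is moved, the hostname in the certificate, and no revocation check at all); this is example code, not oVirt's and not from anyone on the list. The hostname engine.example.test and the certificate layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent with the parent's private key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildPKI mimics engine-setup: a constructed CA and an engine cert whose CN and SAN are host, both valid ten years (illustrative names, not oVirt's).
func buildPKI(host string) (ca, eng *x509.Certificate) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail on supported platforms
	engPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host + " CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, caPub, caKey) // self-signed root: the cert a host saves at deploy time
	eng = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, engPub, caKey)
	return ca, eng
}

// hostTrusts is a host verifying the engine cert against its saved CA cert at clock time at, for hostname want ("" skips the name check). As the thread says of oVirt, no CRL or OCSP is consulted.
func hostTrusts(savedCA, engine *x509.Certificate, want string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(savedCA)
	_, err := engine.Verify(x509.VerifyOptions{Roots: roots, DNSName: want, CurrentTime: at})
	return err == nil
}

func main() {
	ca, eng := buildPKI("engine.example.test")
	// saved CA with valid dates -> true; clock moved 11 years -> false; engine renamed -> false
	fmt.Println(hostTrusts(ca, eng, "engine.example.test", time.Now()), hostTrusts(ca, eng, "engine.example.test", time.Now().AddDate(11, 0, 0)), hostTrusts(ca, eng, "engine2.example.test", time.Now()))
}
```

A client that kept only the CA cert still passes the trust path after a rename (pass "" as want), which is the distinction Didi draws between the trust path and a hostname-aware client.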