Replying just to get Emmanuel's answer's in. I just remembered we are now requiring being subscribed and approved with all the spam attacks we had. See below.
2018-03-27 9:44 GMT+02:00 Emmanuel Lécharny <[email protected]>: > I want to add that if you want to eliminate the possibility of a MITM, > you will most certainly require a TLS connection to be established at > some point. > > But then that means the server will issue some keys based on a > certificate. At that point, I would rather decide to make the server to > know about the clients (and that would require some registration), and > validate those clients based on a certificate signed by the server. If > so, you are back to a standard PKI. > > There is no magic bullet... > > > Le 27/03/2018 à 09:24, Baptiste Mathus a écrit : > > (Adding in CC Emmanuel Lécharny <http://people.apache.org/~elecharny/>, > who > > took a look at the proposal) > > > > Trying to summarize our chat on Twitter, I see two outstanding points: > > > > * Emmanuel is rightly questioning/concerned about the potential of DDoS > for > > this JEP. > > Tyler, should we add something about this in the JEP, or do you consider > it > > more something to be addressed in an IEP on the infra side? > > (also, downstream to it AIUI, the Telemetry and other services are all > DDoS > > vectors) > > > > * "MITM for expiry": it seems possible to reuse an UUID signed with the > PK. > > "Ideally, to renew the token, you should have a 'nonce' to avoid MITM" > > > > @Emmanuel thanks again. If you have any other feedback, feel free to > enrich > > or correct what I wrote you said :). > > > > Thanks everyone! > > > > > > > > 2018-03-26 17:34 GMT+02:00 R. Tyler Croy <[email protected]>: > > > >> (replies inline) > >> > >> On Mon, 26 Mar 2018, Jesse Glick wrote: > >> > >>> Jenkins already includes the `instance-identity` module, which is the > >>> standard mechanism¹ for both uniquely identifying a Jenkins > >>> installation, and permitting asymmetrically-encrypted communications > >>> with it. Is there a reason you are not using it? If so, that should be > >>> clearly documented under ???Alternative Approaches???. There is a vague > >>> mention of OpenSSH keys, but this module is not limited to SSH (much > >>> less OpenSSH), and public-key encryption has widespread library > >>> support. > >> > >> > >> Thanks for taking a look Jesse! You're right that Jenkins already does > >> have an > >> instance identity floating around. In a much earlier iteration of my > >> thinking I was > >> considering using this until I started to think about how this would > work > >> in > >> practice for new installations. > >> > >> Unfortunately when the jenkins/evergreen image comes online and checks > for > >> updates, it will not have run `jenkins.war` at all yet, and therefore no > >> instance identity. Rather than have one unprotected/identified route in > the > >> service backend for bootstrapping new nodes, I am erring on the side of > >> treating all "got updates?" requests the same, which requires a client > >> registration and identity to kick the process off. > >> > >> You're absolutely right that the 'Alternative Approaches" section > doesn't > >> list > >> this and should, I'll update shortly. > >> > >> > >> > >> Cheers > >> - R. Tyler Croy > >> > >> ------------------------------------------------------ > >> Code: <https://github.com/rtyler> > >> Chatter: <https://twitter.com/agentdero> > >> xmpp: [email protected] > >> > >> % gpg --keyserver keys.gnupg.net --recv-key 1426C7DC3F51E16F > >> ------------------------------------------------------ > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups > >> "Jenkins Developers" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an > >> email to [email protected]. > >> To view this discussion on the web visit https://groups.google.com/d/ms > >> gid/jenkinsci-dev/20180326153407.5on7xn7gdl7odfue%40blackber > >> ry.coupleofllamas.com. > >> For more options, visit https://groups.google.com/d/optout. > >> > > > > -- > Emmanuel Lecharny > > Symas.com > directory.apache.org > > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS440j1hsi_xiFtb1%2BZw-TZxxq5MQjaT%2BPeD8r02Cyq%3Dqw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
