On 02/22/2012 11:40 AM, Doron Fediuck wrote:
> On 22/02/12 18:21, Perry Myers wrote:
>>>>>
>>>>> * CA pollution; generating a certificate on each reboot
>>>>> for each node will create a huge number of certificates
>>>>> on the engine side, which eventually may damage the CA.
>>>>> (Unsure if there's a limit to the number of certificates,
>>>>> but having hundreds of junk certs can't be good).
>>>>
>>>> We could have vdsm/engine store the certs on the engine side, and on
>>>> boot, after validating the host (however that is done), it will load the
>>>> certs onto the node machine.
>>>>
>>> This is a security issue, since the key pair should be
>>> generated on the node. This will lead us back to your TPM
>>> suggestion, but (although I like it) will cause us
>>> to be TPM-dependent, not to mention a non-trivial implementation.
>>
>> Not necessarily
>>
>> 1. generate cert on oVirt Node
>> 2. generate symmetric key and embed in TPM or use embedded symmetric
>> key (for secured network model)
> IIUC in this step you're using TPM.
> What if there is no TPM (at all)?
That statement had an 'or' in it. Either you use TPM with a self-generated key 'or' you use a key that is pre-embedded in the image on either a node-by-node basis or per site.

>> 3. encrypt certs w/ symmetric key
>> 4. push encrypted cert to oVirt Engine
>>
>> On reboot
>>
>> 1. download encrypted cert from OE
>> 2. use either embedded symmetric key or retrieve TPM-based symmetric
>> key and use to decrypt cert
>>
>> So no dependency on TPM, but the security is definitely much better if
>> you have it. Use cases like this are one of the fundamental reasons why
>> TPM exists :)
>> _______________________________________________
>> node-devel mailing list
>> [email protected]
>> http://lists.ovirt.org/mailman/listinfo/node-devel
>
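The two-phase flow Perry sketches above (enroll: generate the key pair on the node, seal it with a symmetric key only the node holds, push just the ciphertext; reboot: fetch the blob, unseal it with the TPM-held or image-embedded key), written out as an added Go example. This is not code from the thread, from oVirt Node, vdsm or the engine. Assumptions: the engine side is a plain in-memory map; the node's symmetric key is handed in by the caller (32 bytes, however it was obtained); the part that actually gets sealed is the private key, since the certificate itself is public and the engine holds it anyway, so the cert is returned in the clear and the node is self-signing only to keep the example offline. Binding the node ID into the AEAD as associated data, and checking that the recovered key matches the certificate, are additions beyond what the thread describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key: the node's own 32-byte symmetric key (assumed supplied by caller)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 3: AES-256-GCM over the SEC 1 private key, the only secret in
// "the cert". The node ID is bound as associated data so a blob sealed for
// one node is rejected if the engine hands it back to another (an addition).
func Seal(key []byte, nodeID string, priv *ecdsa.PrivateKey) ([]byte, error) {
	sec1, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, sec1, []byte(nodeID)), nil // nonce || ct || tag
}

// Enroll runs steps 1-4 on the node: key pair generated locally, private key
// sealed, only ciphertext pushed to "engine" (an in-memory map standing in for
// the oVirt Engine). The cert is self-signed here; in oVirt the CA would sign a CSR.
func Enroll(engine map[string][]byte, nodeID string, key []byte) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nodeID},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	blob, err := Seal(key, nodeID, priv)
	if err != nil {
		return nil, err
	}
	engine[nodeID] = blob
	return der, nil
}

// Reboot is the reboot path: fetch the blob, unseal it with the TPM-held or
// image-embedded key, and confirm it is the key the cert was issued for.
func Reboot(engine map[string][]byte, nodeID string, key, certDER []byte) (*ecdsa.PrivateKey, error) {
	blob, ok := engine[nodeID]
	if !ok {
		return nil, errors.New("engine holds no sealed key for this node")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	sec1, err := gcm.Open(nil, blob[:n], blob[n:], []byte(nodeID)) // fails on the tag without the node key
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParseECPrivateKey(sec1)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if !priv.PublicKey.Equal(cert.PublicKey) {
		return nil, errors.New("recovered key does not match certificate")
	}
	return priv, nil
}
```

Two things worth noticing when running this. First, the engine's copy is useless to the engine: Open fails on the GCM tag for anyone without the node key, which is the property that makes storing the blob on the engine side acceptable. Second, the strength of that property is exactly the strength of wherever the key lives: with a per-site key pre-embedded in the node image, anyone who has the image can open every node's blob, whereas a TPM-sealed key never leaves the node, which is the "much better if you have it" in the message above. Since the sealed key survives reboot, the CA issues one certificate per node rather than one per boot, which addresses the CA-pollution concern that started the thread.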
