[jira] [Commented] (ACCUMULO-1009) Support encryption over the wire

Fri, 20 Sep 2013 11:48:41 -0700 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13773292#comment-13773292
 ] 

Michael Berman commented on ACCUMULO-1009:
------------------------------------------

I'm assuming by "the recent major points" you're specifically talking about 
your own recent major points.  Just clarifying because it sounds like you're 
asserting points that I don't believe are universally agreed upon.  Some 
specific responses to new points that I haven't seen before upthread...

bq. The proposed implementation, putting CA private certs in HDFS, is a very 
bad idea (it undermines the "authority" part of the term CA)

Really?  All it's saying is that anyone with the password to decrypt the key 
_is_ the authority.  I don't believe there's anything fundamental about the 
concept of "authority" that requires they only work from one physical machine.  
As it is, if you have the instance secret, you can do whatever you want with 
the accumulo cluster.  The root of trust has to start somewhere, and for the 
rest of accumulo, at the moment, that root of trust is the filesystem security 
on the site config.  I don't see why it would be a problem for the same to be 
true for the SSL trust.

bq. init-ssl would be useful, but if added, it can easily wrap keytool or 
openssl, rather than custom provisioning code

Why is wrapping keytool or openssl better than wrapping bouncycastle?  The 
interfaces are pretty much the same, except that BC can be pulled in as a maven 
dependency and doesn't require a brittle connection to tools separately 
installed on the system in varied versions and locations.
                
> Support encryption over the wire
> --------------------------------
>
>                 Key: ACCUMULO-1009
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers.  Also need 
> to encrypt communications between server and servers.   
> Basically need to make it possible for users to enable SSL+thrift.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to