On Tue, Apr 28, 2009 at 10:12:14AM -0700, Bart Smaalders wrote:
> Another interesting question is one of certificate revocation; I'm
> inclined to have repositories provide such lists and have those 
> downloaded as part of catalog updates... we can also arrange for
> refreshing of manifests, etc, upon discovery of installed packages
> signed w/ revoked certs if needed.

CRLs don't scale well.  As long as the PKI used for code signing is
small, that scaling problem won't be an issue.  Bottom-line: leave
certificate revocation to PKIX and use CRLs and/or, preferably, OCSP.

In general CRLs are used out-of-band.  OCSP can be used in- and out-of-
band both.  If you wanted to use OCSP in-band you'd have to specify how,
but you can use it out-of-band transparently just like CRLs, the only
difference being that OCSP scales while CRLs don't.

OCSP is used in-band like so: a node sends {cert, OCSP Response for that
cert} to its peer so that the peer can validate that cert without
further ado, kinda like a Kerberos V Ticket.  (The peer may need to get
OCSP Responses for CAs in the validation path, but those are likely to
be long-lived and cached.)

Package revocation ("oops, we signed a pkg that was infected with
malware!") is another story.  It'd be nice to have a CRL-like scheme by
which to mark packages as toxic; this should be compressible given
incorporations ("I have incorporation xyz, tell me about toxic pkgs in
it").

Nico
-- 
_______________________________________________
pkg-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
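The in-band flow Nico describes, worked through with the openssl CLI as an added example (not code from the thread or from pkg(5)): a throwaway CA issues a signing cert, acts as its own OCSP responder to emit a signed OCSP Response, and the peer verifies {cert, OCSP Response} offline against the trusted CA cert, with no network fetch. All names, the serial 0x1001 and the dates in index.txt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA issues a signing cert,
# then acts as OCSP responder and emits a signed OCSP Response that a peer
# can verify offline from {cert, response} plus the trusted CA cert.
# Assumes only the openssl CLI; all names, serials and dates are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA and a leaf certificate with serial 0x1001, issued by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj /CN=pkg-signer \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 30 -out leaf.pem 2>/dev/null

# The CA's revocation database in openssl's index.txt format (tab separated):
# status, expiry, revocation-date[,reason], serial (hex), file name, subject.
write_index() {  # $1 = V (valid) or R (revoked)
    if [ "$1" = R ]; then rev='250101000000Z,keyCompromise'; else rev=''; fi
    printf '%s\t300101000000Z\t%s\t1001\tunknown\t/CN=pkg-signer\n' \
        "$1" "$rev" > index.txt
}

# Responder side: answer "what is the status of leaf.pem?" from index.txt and
# sign the response with the CA key (-issuer must precede -cert on the line).
make_response() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert leaf.pem -no_nonce -respout resp.der >/dev/null
}

# Peer side: verify the response signature against the trusted CA and print
# the status word (good / revoked). Nothing is fetched from the network.
check_status() {
    openssl ocsp -CAfile ca.pem -issuer ca.pem -cert leaf.pem -no_nonce \
        -respin resp.der > ocsp.out 2>/dev/null \
        && sed -n 's/^leaf.pem: //p' ocsp.out
}

# Full round trip for one index state; prints the status word the peer sees.
status_when() {  # $1 = V or R
    write_index "$1" && make_response && check_status
}

echo "valid entry   -> $(status_when V)"    # good
echo "revoked entry -> $(status_when R)"    # revoked
```

Because the response carries the CA's signature, the peer needs only the CA cert it already trusts; the same artifact could be shipped alongside a package signature and checked without contacting the responder.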