On Thu, Oct 01, 2009 at 04:28:35PM +0100, Darren J Moffat wrote:
> John Zolnowsky x69422/408-404-5064 wrote:
> >I'd suggest identifying certificates by subject DN rather than by
> >hashing the pem file. I think the use of pem file hashes has a number
> >of drawbacks:
>
> The problem with using a subject DN is that it applies only to X.509 certs
> and I'd really like to see that pkg(5) signing not be tied to X.509.
That's not the only problem with using a DN -- it's actually a fairly minor problem because the fact that it's a mechanism-specific name can be abstracted from IPS anyway. Using a DN to refer to certs doesn't work well with self-signed certs at all (since they can have any name), and it's not great if you have many TAs instead of a single global PKI root (not without some other "guarantee" that the TAs together form a single namespace). My guess is that we're very likely to have customers with multiple IPS TAs and/or publishers with self-signed certs, which would render DN a useless way of referencing certs.

There are many ways to refer to a certificate: issuer & serial, DN, subject alternative names, hash/fingerprint of subject public key, hash/fingerprint of whole cert. IPS could support all of them, but IMO, PEM is the simplest, most-likely-to-work-well-most-of-the-time method.

That PEM doesn't handle key rollover is not a big deal, IMO. Publishers should just get their keys re-certified, rather than get new keys, and on compromise should revoke their outstanding certs and re-sign their pkgs with new keys.

Incidentally, revocation is an interesting problem. There's not really any real IPS issue here, except when it comes to being disconnected from the Internet, and therefore from CRLs and OCSP Responders. It would be useful to have the depot provide a protocol for getting non-stale OCSP Responses for the certificates (and chains) of the publishers of pkgs in that repository.

Nico
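An added example, not code from the pkg-discuss thread or from IPS, that makes the identifier trade-offs above concrete; it assumes only the OpenSSL command-line tool is installed. It creates two self-signed certificates sharing one constructed subject DN, then re-certifies the first key without rolling it: the DN cannot distinguish the first two certs, the hash of the PEM file changes when the same key is re-certified, and the subject-public-key fingerprint follows the key itself.

```shell
#!/bin/sh
# Added example (not from the pkg-discuss thread). Assumes the OpenSSL CLI is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DN="/O=Example Publisher/CN=pkg-publisher"   # constructed subject shared by all certs

# Self-signed cert with a freshly generated key: $1 = output prefix, $2 = subject DN.
new_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "$2" -days 1 >/dev/null 2>&1
}
# Re-certify an existing key (no key rollover): $1 = key file, $2 = output cert, $3 = DN.
recert() {
  openssl req -x509 -new -key "$1" -out "$2" -subj "$3" -days 1 >/dev/null 2>&1
}

# Three of the naming methods listed in the thread.
subject_dn() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
pem_sha256() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }   # hash of the PEM file
spki_sha256() {                                                   # hash of subject public key
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

new_cert "$WORK/a" "$DN"                  # publisher A
new_cert "$WORK/b" "$DN"                  # unrelated self-signed cert claiming the same DN
recert "$WORK/a.key" "$WORK/c.pem" "$DN"  # publisher A re-certified with the same key

for f in a b c; do
  printf '%s: DN=%s\n   pem=%s\n   spki=%s\n' "$f" "$(subject_dn "$WORK/$f.pem")" \
    "$(pem_sha256 "$WORK/$f.pem")" "$(spki_sha256 "$WORK/$f.pem")"
done
```

Compare the three blocks of output: a and b share a DN but nothing else, while a and c share a SPKI hash but not a PEM hash.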
