On Thu, Oct 01, 2009 at 04:28:35PM +0100, Darren J Moffat wrote:
> John Zolnowsky x69422/408-404-5064 wrote:
> >I'd suggest identifying certificates by subject DN rather than by
> >hashing the pem file.  I think the use of pem file hashes has a number
> >of drawbacks:
> 
> The problem with using a subject DN is that applies only to X.509 certs 
> and I'd really like to see that pkg(5) signing not be tied to X.509.

That's not the only problem with using a DN -- it's actually a fairly
minor problem because the fact that it's a mechanism-specific name can
be abstracted from IPS anyways.

Using DN to refer to certs doesn't work well with self-signed certs at
all (since they can have any name), and it's not great if you have many
TAs instead of a single global PKI root (not without some other
"guarantee" that the TAs together form a single namespace).  My guess is
that we're very likely to have customers with multiple IPS TAs and/or
publishers with self-signed certs, which would render DN a useless way
of referencing certs.

There are many ways to refer to a certificate: issuer & serial, DN,
subject alternative names, hash/fingerprint of subject public key,
hash/fingerprint of whole cert.  IPS could support all of them, but IMO,
PEM is the simplest, most-likely-to-work-well-most-of-the-time method.

That PEM doesn't handle key rollover is not a big deal, IMO.  Publishers
should just get their keys re-certified, rather than get new keys, and
on compromise should revoke their outstanding certs and re-sign their
pkgs with new keys.

Incidentally, revocation is an interesting problem.  There's not really
any real IPS issue here, except when it comes to being disconnected from
the Internet, and therefore from CRLs and OCSP Responders.  It would be
useful to have the depot provide a protocol for getting non-stale OCSP
Responses for the certificates (and chains) of the publishers of pkgs in
that repository.

Nico
-- 
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
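The identifier schemes compared above (subject DN, hash of the PEM file, hash of the subject public key), as an added example that is not from the thread or from pkg(5): a POSIX shell script, assuming `openssl` is on the PATH, that builds throw-away self-signed certificates and shows which identifier collides between two unrelated publishers and which one survives re-certifying the same key. The function names and the `pkg-publisher` CN are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the pkg-discuss thread. All certificates are
# constructed throw-away self-signed certs; "pkg-publisher" is a made-up CN.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME CN : fresh key + self-signed cert as $WORK/NAME.{key,pem}
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# recertify OLD NEW CN : a new self-signed cert over the SAME key as OLD
# (the "get keys re-certified rather than get new keys" case)
recertify() {
    openssl req -x509 -new -key "$WORK/$1.key" -out "$WORK/$2.pem" \
        -subj "/CN=$3" -days 30 >/dev/null 2>&1
}

cert_dn() {      # subject DN, what a DN-based scheme would key on
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253
}
cert_fp() {      # SHA-256 of the PEM file, what "hashing the pem file" keys on
    openssl dgst -sha256 "$WORK/$1.pem" | awk '{print $NF}'
}
spki_fp() {      # SHA-256 of the SubjectPublicKeyInfo (DER) only
    openssl x509 -in "$WORK/$1.pem" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Two unrelated self-signed certs with the same DN, plus a re-certification
# of the first key. The DN cannot tell a from b; the PEM hash changes when a
# is re-certified as a2, while the public-key hash stays the same.
make_selfsigned a pkg-publisher
make_selfsigned b pkg-publisher
recertify a a2 pkg-publisher
for c in a b a2; do
    printf '%s\n  dn   %s\n  pem  %s\n  spki %s\n' \
        "$c" "$(cert_dn "$c")" "$(cert_fp "$c")" "$(spki_fp "$c")"
done
```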
