John-Mark Gurney wrote:
>Rick Macklem wrote this message on Thu, Mar 26, 2020 at 14:33 +:
>> John-Mark Gurney wrote:
>> [lots of stuff snipped]
>> >Rick Macklem wrote:
>> >> I had originally planned on some "secret" in the certificate (like a CN
>> >> name
>> >> that satisfies some regular exp
Rick Macklem wrote this message on Thu, Mar 26, 2020 at 14:33 +:
> John-Mark Gurney wrote:
> [lots of stuff snipped]
> >Rick Macklem wrote:
> >> I had originally planned on some "secret" in the certificate (like a CN
> >> name
> >> that satisfies some regular expression or ???) but others conv
org on
behalf of Rick Macklem
Sent: Thursday, March 26, 2020 10:33 AM
To: John-Mark Gurney
Cc: Alexander Leidinger; freebsd-current@FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
John-Mark Gurney wrote:
[lots of stuff snipped]
>Rick Macklem wrote:
>> I had or
John-Mark Gurney wrote:
[lots of stuff snipped]
>Rick Macklem wrote:
>> I had originally planned on some "secret" in the certificate (like a CN name
>> that satisfies some regular expression or ???) but others convinced me that
>> that wouldn't provide anything beyond knowing that the certificate w
Rick Macklem wrote this message on Wed, Mar 25, 2020 at 23:50 +:
> John-Mark Gurney wrote:
> >Rick Macklem wrote this message on Mon, Mar 23, 2020 at 23:53 +:
> >> Alexander Leidinger wrote:
> >> John-Mark Gurney wrote:
> >> >>Rick Macklem wrote:
> >> >>> to be the best solution. The serve
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Mon, Mar 23, 2020 at 23:53 +:
>> Alexander Leidinger wrote:
>> John-Mark Gurney wrote:
>> >>Rick Macklem wrote:
>> >>> to be the best solution. The server can verify that the certificate
>> >>> was issued by
>> >>> the local CA. Unfor
Rick Macklem wrote this message on Mon, Mar 23, 2020 at 23:53 +:
> Alexander Leidinger wrote:
> John-Mark Gurney wrote:
> >>Rick Macklem wrote:
> >>> to be the best solution. The server can verify that the certificate
> >>> was issued by
> >>> the local CA. Unfortunately, if the client is co
Alexander Leidinger wrote:
John-Mark Gurney wrote:
>>Rick Macklem wrote:
>>> to be the best solution. The server can verify that the certificate
>>> was issued by
>>> the local CA. Unfortunately, if the client is compromised and the
>>> certificate is copied
>>> to another client, that client
Quoting John-Mark Gurney (from Fri, 20 Mar 2020
12:29:23 -0700):
to be the best solution. The server can verify that the certificate
was issued by
the local CA. Unfortunately, if the client is compromised and the
certificate is copied
to another client, that client would gain access.
Th
Miroslav Lachman wrote:
>Rick Macklem wrote on 2020/03/19 03:09:
>> Miroslav Lachman wrote:
>>>
>> [...]
>
>>> NFS (or any other server) should check list of revoked certificates too.
>>> Otherwise you will not be able to deny access to user which you no
>>> longer want to have an access.
>> Yes, g
Jan Bramkamp wrote:
>On 20.03.20 02:44, Russell L. Carter wrote:
>> Here I commit heresy, by A) top posting, and B) by just saying, why
>> not make it easy, first, to tunnel NFSv4 sessions through
>> e.g. net/wireguard or sysutils/spiped? NFS is point to point.
>> Security infrastructure that actu
On 20.03.20 20:45, John-Mark Gurney wrote:
Jan Bramkamp wrote this message on Fri, Mar 20, 2020 at 18:51 +0100:
On 20.03.20 02:44, Russell L. Carter wrote:
Here I commit heresy, by A) top posting, and B) by just saying, why
not make it easy, first, to tunnel NFSv4 sessions through
e.g. net/wir
John-Mark Gurney wrote on 2020/03/20 20:29:
Rick Macklem wrote this message on Thu, Mar 19, 2020 at 23:41 +:
[...]
Without a problem statement or what you're trying to accomplish, it's
hard to say if it is.
The problem I was/am trying to solve was a way for NFS clients without a
fixed IP
Jan Bramkamp wrote this message on Fri, Mar 20, 2020 at 18:51 +0100:
> On 20.03.20 02:44, Russell L. Carter wrote:
> > Here I commit heresy, by A) top posting, and B) by just saying, why
> > not make it easy, first, to tunnel NFSv4 sessions through
> > e.g. net/wireguard or sysutils/spiped? NFS is
Rick Macklem wrote this message on Thu, Mar 19, 2020 at 23:41 +:
> John-Mark Gurney wrote:
> >Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +:
> >> I am slowly trying to understand TLS certificates and am trying to figure
> >> out how to do the following:
> >> -> For an /etc
On 20.03.20 02:44, Russell L. Carter wrote:
Here I commit heresy, by A) top posting, and B) by just saying, why
not make it easy, first, to tunnel NFSv4 sessions through
e.g. net/wireguard or sysutils/spiped? NFS is point to point.
Security infrastructure that actually works understands the sha
So ok, it's good to code to RFCs. OTOH, state actors are a thing now.
Alice & Bob's protocols need to be perfect. State actors watch for
mistakes.
Here I commit heresy, by A) top posting, and B) by just saying, why
not make it easy, first, to tunnel NFSv4 sessions through
e.g. net/wireguard o
John-Mark Gurney wrote:
>Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +:
>> I am slowly trying to understand TLS certificates and am trying to figure
>> out how to do the following:
>> -> For an /etc/exports file with...
>> /home -tls -network 192.168.1.0 -mask 255.255.255.0
>>
Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +:
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert
Are you looki
Rick Macklem wrote on 2020/03/19 03:09:
Miroslav Lachman wrote:
[...]
NFS (or any other server) should check list of revoked certificates too.
Otherwise you will not be able to deny access to user which you no
longer want to have an access.
Yes, good point.
I won't claim to understand this
Miroslav Lachman wrote:
>Hiroki Sato wrote on 2020/03/04 05:35:
>
[...]
>
>> I do not think it is a good idea to use a certificate with an
>> embedded secret for authentication and/or authorization.
>>
>> In the case that the client offers a certificate upon establishing a
>> TLS connection
Rick Macklem wrote:
>Benjamin Kaduk wrote:
>>Rick Macklem wrote:
[stuff snipped]
>>> A typical client mounting from outside of the subnet might be my laptop,
>>> which is using wifi and has no fixed IP/DNS name.
>>> --> How do you create a certificate that the laptop can use, which the NFS
>>>
Benjamin Kaduk wrote:
>On Wed, Mar 04, 2020 at 03:15:48AM +, Rick Macklem wrote:
>> Hi,
>>
>> I am slowly trying to understand TLS certificates and am trying to figure
>> out how to do the following:
>> -> For an /etc/exports file with...
>> /home -tls -network 192.168.1.0 -mask 255.255.255.0
>
Hiroki Sato wrote on 2020/03/04 05:35:
[...]
I do not think it is a good idea to use a certificate with an
embedded secret for authentication and/or authorization.
In the case that the client offers a certificate upon establishing a
TLS connection for authentication purpose, the authen
On Wed, 04 Mar 2020 13:35:15 +0900 (JST) Hiroki Sato h...@freebsd.org said
Rick Macklem wrote
in
:
rm> Hi,
rm>
rm> I am slowly trying to understand TLS certificates and am trying to
figure
rm> out how to do the following:
rm> -> For an /etc/exports file with...
rm> /home -tls -network 192.168
Rick Macklem wrote
in
:
rm> Hi,
rm>
rm> I am slowly trying to understand TLS certificates and am trying to figure
rm> out how to do the following:
rm> -> For an /etc/exports file with...
rm> /home -tls -network 192.168.1.0 -mask 255.255.255.0
rm> /home -tlscert
rm>
rm> This syntax isn't implem
On Wed, 4 Mar 2020 03:15:48 + Rick Macklem rmack...@uoguelph.ca said
Hi,
I am slowly trying to understand TLS certificates and am trying to figure
out how to do the following:
-> For an /etc/exports file with...
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert
This syntax
On Wed, Mar 04, 2020 at 03:15:48AM +, Rick Macklem wrote:
> Hi,
>
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network 192.168.1.0 -mask 255.255.255.0
> /home -tlscert
>
> This sy
Hi,
I am slowly trying to understand TLS certificates and am trying to figure
out how to do the following:
-> For an /etc/exports file with...
/home -tls -network 192.168.1.0 -mask 255.255.255.0
/home -tlscert
This syntax isn't implemented yet, but the thinking is that clients on the
192.168.1 su
29 matches