----- Original Message -----
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Sven Kieske" <s.kie...@mittwald.de>
> Cc: "Users@ovirt.org List" <Users@ovirt.org>, "Alon Bar-Lev" 
> <alo...@redhat.com>
> Sent: Wednesday, January 29, 2014 3:12:21 PM
> Subject: Re: [Users] replace engine hostname /pki
> 
> (Following a discussion with Alon)

Hi,

I hope you find this [1] helpful; if not, we should work to make it better.

Thanks,

[1] http://www.ovirt.org/Features/PKI

> 
> ----- Original Message -----
> > From: "Sven Kieske" <s.kie...@mittwald.de>
> > To: "Yedidyah Bar David" <d...@redhat.com>
> > Cc: "Users@ovirt.org List" <Users@ovirt.org>
> > Sent: Wednesday, January 29, 2014 1:24:40 PM
> > Subject: Re: [Users] replace engine hostname /pki
> > 
> > Additional question regarding the certificates/pki:
> > 
> > the wikipage states:
> > 
> > "The bigger concern is with the engine's certificate. Currently, to the
> > best of our knowledge, there is no component that actually checks this
> > trust."
> 
> Well, this is not accurate. The trust path _is_ checked, but against the
> saved CA cert. On host deploy the host saves the CA cert and so can verify
> the trust path even if the CA's hostname does not exist any more and can't
> be connected to in order to get /ca.crt .
> 
> The point was that if there is something (e.g. spice client, web browser)
> that checks the trust path, this will fail, if this client did not have the
> ca cert, or tries to download it again after the rename.
> 
> > (All three certificates (CA, httpd, engine) are for the Common Name (CN)
> > whose value is the hostname entered during engine-setup, which is
> > supposed to be the hostname of the engine's machine, to exist in the DNS
> > (forward and reverse records), and to point to an IP address of the
> > engine's machine.)
> > 
> > Is there a list of values that get checked? e.g. the validity dates
> > before and after?
> 
> Yes, these are checked.
> 
> > 
> > users might run into trouble in 10 years if this gets checked, because
> > that is the current expiration date.
> 
> Indeed. If ovirt systems will live 10 years, 1. We'll be very happy :-),
> 2. all certificates will need to be reissued. You can verify this today
> by moving the clock.
> 
> > 
> > if _nothing_ gets checked I wonder why the PKI is used at all ;)
> > 
> > (I assume at least the keys get checked)
> 
> Yes.
> 
> Alon also added: Revocations are not checked. This means that if someone
> breaks into your engine, there is no simple way to tell the hosts to not
> trust the old engine key anymore.
> --
> Didi
> 
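The checks discussed above, as an added example that is not part of the thread or of oVirt's own PKI tooling: a throw-away CA and an "engine" certificate are issued with the CN layout the wiki describes (CA and engine both CN=engine FQDN), and the openssl CLI is then used as the verifier to show that the trust path is checked against a locally saved CA cert, that the validity dates are enforced (simulated by moving the verifier's clock, as Didi suggests), that a hostname rename breaks any client that checks the name, and that revocation is not consulted unless a CRL is supplied and checking is switched on. The hostname engine.example.test, the extension profiles and the minimal "openssl ca" configuration are assumptions made for this example, not oVirt's real profiles; it needs the openssl CLI (1.1.1 or later) and writes its files into a temporary directory.

```shell
#!/bin/sh
# Added example, not oVirt's own PKI code. Shows what a verifier does and does
# not check for an engine certificate issued by an oVirt-style CA:
#   1. trust path, against a CA cert saved locally (no download from the CA host)
#   2. validity dates, by moving the verifier's clock with -attime
#   3. hostname, which a rename breaks for any client that checks it
#   4. revocation, which is NOT consulted unless a CRL is given and -crl_check is on
# engine.example.test, pki.cnf and ca.cnf are constructed for this example.

ENGINE_FQDN="${ENGINE_FQDN:-engine.example.test}"

# Extension profiles (assumed, not oVirt's) plus a minimal [req] section so the
# commands below do not depend on the system openssl.cnf.
write_pki_config() {
  cat > pki.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_engine ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$ENGINE_FQDN
EOF
}

# CA key/cert and engine key/cert, both valid for 10 years as in the thread.
build_pki() {
  write_pki_config
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout ca.key \
      -subj "/CN=$ENGINE_FQDN" -out ca.csr 2>/dev/null
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
      -extfile pki.cnf -extensions v3_ca -out ca.crt 2>/dev/null
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout engine.key \
      -subj "/CN=$ENGINE_FQDN" -out engine.csr 2>/dev/null
  openssl x509 -req -in engine.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 3650 -sha256 -extfile pki.cnf -extensions v3_engine -out engine.crt 2>/dev/null
  # What a host keeps after host-deploy: a copy of the CA cert, not a URL to refetch it.
  cp ca.crt saved-ca.crt
}

# Verify engine.crt against the saved CA cert only. Extra arguments are passed to
# "openssl verify" (-attime, -verify_hostname, -crl_check ...). Succeeds only on an
# explicit "OK" line, independent of the exit-status habits of older versions.
verify_engine_cert() {
  openssl verify -CAfile saved-ca.crt "$@" engine.crt 2>/dev/null | grep -q ': OK$'
}

# Same check with the verifier's clock moved $1 years ahead (real clock untouched).
verify_years_from_now() {
  verify_engine_cert -attime "$(( $(date +%s) + $1 * 365 * 86400 ))"
}

# Revoke the engine cert and issue a CRL from the CA (minimal "openssl ca" setup).
revoke_engine_cert() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber
  openssl ca -config ca.cnf -revoke engine.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

demo() {
  cd "$(mktemp -d)"
  build_pki
  if verify_engine_cert; then echo "1. trust path OK against the saved CA cert"; fi
  if ! verify_years_from_now 11; then echo "2. fails 11 years from now: dates are checked"; fi
  if verify_engine_cert -verify_hostname "$ENGINE_FQDN"; then echo "3a. $ENGINE_FQDN accepted"; fi
  if ! verify_engine_cert -verify_hostname engine.renamed.test; then
    echo "3b. engine.renamed.test rejected: a rename breaks clients that check the name"; fi
  revoke_engine_cert
  if verify_engine_cert; then echo "4a. revoked cert still verifies: revocation is not checked"; fi
  if ! verify_engine_cert -CRLfile ca.crl -crl_check; then
    echo "4b. rejected only once a CRL is supplied together with -crl_check"; fi
}

demo
```

Step 4a is the point Alon raised: a verifier that only has the CA cert keeps trusting a compromised engine key until every host is given a CRL (or new CA) and told to check it, which is what the last command adds.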
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
