On 22/02/12 18:21, Perry Myers wrote:
>>>>
>>>> * CA pollution; generating a certificate on each reboot
>>>> for each node will create a huge number of certificates
>>>> in the engine side, which eventually may damage the CA.
>>>> (Unsure if there's a limitation to certificates number,
>>>> but having hundreds of junk certs can't be good).
>>>
>>> We could have vdsm/engine store the certs on the engine side, and on
>>> boot, after validating the host (however that is done), it will load the
>>> certs onto the node machine.
>>>
>> This is a security issue, since the key pair should be
>> generated on the node. This will lead us back to your TPM
>> suggestion, but (although I like it) will cause us
>> to be TPM-dependent, not to mention a non-trivial implementation.
>
> Not necessarily
>
> 1. generate cert on oVirt Node
> 2. generate symmetric key and embed in TPM or use embedded symmetric
> key (for secured network model)

IIUC in this step you're using TPM. What if there is no TPM (at all)?

> 3. encrypt certs w/ symmetric key
> 4. push encrypted cert to oVirt Engine
>
> On reboot
>
> 1. download encrypted cert from OE
> 2. use either embedded symmetric key or retrieve TPM based symmetric
> key and use to decrypt cert
>
> So no dependency on TPM, but the security is definitely much better if
> you have it. Use cases like this are one of the fundamental reasons why
> TPM exists :)
> _______________________________________________
> node-devel mailing list
> node-de...@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/node-devel

--
/d

"Ford," he said, "you're turning into a penguin. Stop it."
--Douglas Adams, The Hitchhiker's Guide to the Galaxy

_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/vdsm-devel
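The seal-on-node / store-on-engine / unseal-on-reboot flow that Perry sketches above, written out as an added example. This is not code from the thread, from oVirt Node or from vdsm; it fills in choices the thread leaves open and labels them as assumptions: the symmetric cipher is AES-256-GCM (the thread only says "symmetric key"), the node cert is self-signed here rather than signed by the engine CA, and the sealing key is derived from a constructed secret that stands in for whatever the node can recover by itself at boot (a TPM-unsealed key on a TPM host, the embedded symmetric key otherwise). The engine side is reduced to "holds the cert and the blob"; all function names (GenerateNodeIdentity, SealingKey, Seal, Unseal) are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NodeIdentity is what the node generates locally: a public cert and a
// private key that must never leave the node in clear.
type NodeIdentity struct{ CertPEM, KeyPEM []byte }

// GenerateNodeIdentity is step 1 of the proposal: the key pair is created
// on the node. A self-signed cert stands in for an engine-CA-signed one.
func GenerateNodeIdentity(hostname string) (*NodeIdentity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return &NodeIdentity{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// SealingKey stands in for step 2: AES-256-GCM keyed by whatever the node can
// recover on its own, a TPM-unsealed key or the embedded symmetric key. Here the
// key is derived from a constructed secret (assumption). Setup cannot fail on a
// 32-byte key, so the error paths are panics rather than returns.
func SealingKey(secret []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte("ovirt-node-seal:"), secret...))
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal is step 3: encrypt the private key under the node's key, with the cert
// as associated data so the blob is bound to this identity. The engine stores
// nonce||ciphertext and the public cert; it never sees the key (step 4).
func Seal(aead cipher.AEAD, id *NodeIdentity) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, id.KeyPEM, id.CertPEM), nil
}

// Unseal is the reboot path: blob and cert come back from the engine and the
// key is decrypted locally. A wrong key, a flipped bit or a cert swapped on the
// engine side fails the GCM tag check, so the node never trusts an altered key.
func Unseal(aead cipher.AEAD, certPEM, blob []byte) (*NodeIdentity, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	keyPEM, err := aead.Open(nil, blob[:ns], blob[ns:], certPEM)
	if err != nil {
		return nil, fmt.Errorf("unseal failed: %w", err)
	}
	return &NodeIdentity{CertPEM: certPEM, KeyPEM: keyPEM}, nil
}

func main() {
	id, _ := GenerateNodeIdentity("node1.example")
	secret := []byte("constructed-node-secret") // stands in for the TPM/embedded key
	blob, _ := Seal(SealingKey(secret), id)        // engine stores blob + id.CertPEM
	_, err := Unseal(SealingKey(secret), id.CertPEM, blob)
	fmt.Println("unseal after reboot:", err)
}
```

Passing the cert as GCM associated data is the one addition beyond the thread's steps: it means the engine can only hand back the blob next to the exact cert it was sealed with, so a blob from one node cannot be unsealed against another node's cert even by a host that knows the key. It does not change the point made in the thread about the key itself: without a TPM, the embedded symmetric key is a secret stored on the node image, and whoever can read that image can unseal the blob; with a TPM the key is bound to the platform and the same blob is useless elsewhere.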