On 22/02/12 18:21, Perry Myers wrote:
>>>> * CA pollution; generating a certificate on each reboot
>>>> for each node will create a huge number of certificates
>>>> in the engine side, which eventually may damage the CA.
>>>> (Unsure if there's a limitation to certificates number,
>>>> but having hundreds of junk certs can't be good).
>>> We could have vdsm/engine store the certs on the engine side, and on
>>> boot, after validating the host (however that is done), it will load the
>>> certs onto the node machine.
>> This is a security issue, since the key pair should be
>> generated on the node. This will lead us back to your TPM
>> suggestion, but (although I like it) will cause us
>> to be tpm-dependent, not to mention a non-trivial implementation.
> Not necessarily
> 1. generate cert on oVirt Node
> 2. generate symmetric key and embed in TPM or use embedded symmetric
> key (for secured network model)
IIUC in this step you're using TPM.
What if there is no TPM (at all)?
> 3. encrypt certs w/ symmetric key
> 4. push encrypted cert to oVirt Engine
> On reboot
> 1. download encrypted cert from OE
> 2. use either embedded symmetric key or retrieve TPM based symmetric
> key and use to decrypt cert
> So no dependency on TPM, but the security is definitely much better if
> you have it. Use cases like this are one of the fundamental reasons why
> TPM exists :)
> node-devel mailing list
"Ford," he said, "you're turning into a penguin. Stop it." --Douglas Adams, The
Hitchhiker's Guide to the Galaxy
vdsm-devel mailing list
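The boot-time flow Perry sketches above (generate on the node, seal with a TPM-held or image-embedded symmetric key, park the blob on the engine, fetch and unseal on reboot), as an added example in Go; it is not code from this thread or from vdsm/oVirt. The in-memory engineStore, the function names, and binding the host ID as GCM associated data are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// engineStore stands in for the oVirt Engine side: it only ever holds opaque blobs.
// (Constructed stand-in for this example, not the engine's real API.)
var engineStore = map[string][]byte{}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCert encrypts the node's cert+key material with the node's symmetric key
// (TPM-held or image-embedded) under AES-GCM and pushes it to the engine. The host
// ID is bound as associated data, so a blob stored for one host will not open as
// another host's even when both nodes carry the same embedded key.
func sealCert(key, material []byte, hostID string) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	engineStore[hostID] = gcm.Seal(nonce, nonce, material, []byte(hostID))
	return nil
}

// unsealCert is the reboot path: download the blob and open it with the local key.
// A wrong key, a bit-flipped blob, a blob of another host, or no blob at all all fail.
func unsealCert(key []byte, hostID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	blob := engineStore[hostID] // nil (too short) when the engine has nothing for this host
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("no usable sealed material for host on engine")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(hostID))
}
```

The host-ID binding stops one host's blob being opened as another's, but it does not answer Alon's no-TPM case: with one image-embedded key shared by every node, whoever holds the image can decrypt every blob, so the engine-side store is only as secret as that key.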