On 02/22/2012 11:40 AM, Doron Fediuck wrote:
> On 22/02/12 18:21, Perry Myers wrote:
>>>>>
>>>>> * CA pollution; generating a certificate on each reboot
>>>>> for each node will create a huge number of certificates
>>>>> in the engine side, which eventually may damage the CA.
>>>>> (Unsure if there's a limitation to certificates number,
>>>>> but having hundreds of junk cert's can't be good).
>>>>
>>>> We could have vdsm/engine store the certs on the engine side, and on
>>>> boot, after validating the host (however that is done), it will load the
>>>> certs onto the node machine.  
>>>>
>>> This is a security issue, since the key pair should be
>>> generated on the node. This will lead us back to your TPM
>>> suggestion, but (although I like it, ) will cause us
>>> to be tpm-dependent, not to mention a non-trivial implementation.
>>
>> Not necessarily
>>
>> 1. generate cert on oVirt Node
>> 2. generate symmetric key and embed in TPM or use embedded symmetric
>>    key (for secured network model)
> IIUC in this step you're using TPM.
> What if there is no TPM (at all)?

That statement had an 'or' in it.  Either you use TPM with a self
generated key 'or' you use a key that is preembedded in the image on
either a node by node basis or per site.

>> 3. encrypt certs w/ symmetric key
>> 4. push encryted cert to oVirt Engine
>>
>> On reboot
>>
>> 1. download encrypted cert from OE
>> 2. use either embedded symmetric key or retrieve TPM based symmetric
>>    key and use to decrypt cert
>>
>> So no dependency on TPM, but the security is definitely much better if
>> you have it.  Use cases like this are one of the fundamental reasons why
>> TPM exists :)
>> _______________________________________________
>> node-devel mailing list
>> node-de...@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/node-devel
> 
> 

_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/vdsm-devel

Reply via email to