[Pki-devel] Feature page for DRM transport key rotation

Nathan Kinder nkinder at redhat.com
Thu Sep 12 18:49:31 UTC 2013


On 09/12/2013 08:30 AM, Ade Lee wrote:
> Hi Andrew,
>
> Just a couple of questions/comments.
>
> 1. Please update to indicate that this will be targeted to 10.1.
>
> 2. As you noted, many of the steps around the generation and propagation
> of the transport keys will be provided as manual steps for 10.1.  It's
> likely though that we will want to provide RESTful interfaces to do
> these operations, perhaps in 10.2.  Please create trac tickets for this
> - and we can triage accordingly.
+1.  The intention is to get transport key rotation working (with some 
manual procedures) in 10.1.  We may very well want to add some 
enhancements to avoid some of the manual procedures as a next step in a 
future release.  It will be a lot easier to make this decision once we 
know what the manual procedures entail.  The design doc should say that 
the procedures will be manual as a first cut, and that we might choose 
to automate them as a future enhancement.  The way it is currently 
worded makes it sound like we will never have nicer automated 
procedures, which isn't the case.
>
> 3.  If we have an old CA which communicates with a DRM, and it does not
> supply a DRM certificate with the archival request, is there any way of
> determining whether the transport cert used to encrypt the key is valid?
>
> If it isn't, and there is no way of doing so, then we could end up
> reporting success, when in fact the key would be indecipherable.
>
> Ade
>
>
> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>> Feature page for DRM transport key rotation has been added:
>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>
>>
>> Please review and provide comments.
>> Thanks,
>> Andrew
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
