[Pki-devel] [PATCH] DRM Transport Key Rotation
Andrew Wnuk
awnuk at redhat.com
Sat Sep 28 00:15:50 UTC 2013
On 09/27/2013 09:55 AM, Christina Fu wrote:
> First of all, I think it's a nice framework that lays the basis for
> supporting multiple DRM transport keys. Thanks for taking care of the
> encrypt/decrypt case as well, which is essential in DRM for supporting
> HSMs that do not support wrapping/unwrapping.
>
> A couple observations/questions:
>
> * in base/kra/src/com/netscape/kra/EnrollmentService.java,
> transportCert is specifically deleted from the requests after extraction.
> We might want to consider making it optional. I understand that some
> customer in the past has utilized DRM requests for their own
> purposes. If space is a concern, one idea is to store the nickname
> instead. Just something to think about.
>
> * Another thing, perhaps as a phase 2, is to think about how to get
> the exact transport cert that the client is using into the request to
> the DRM. The primary scenario that we wish to cover, I think, is the
> case when the transport keys are in transition. The scenario in my
> mind would be someone getting to the enrollment page (thus a transport
> key is already in the browser), then taking his/her time to fill out
> the form, meanwhile, the CA's transport cert changed. However, in
> this patch, CA is getting the transport cert from its CS.cfg and
> stuffing it into the request, which means that in this scenario, CA is
> stuffing the new transport cert into the request instead of the old
> one that the client is using.
> Again, I understand that it is not an easy one to resolve, but it is
> essential to this feature so we need to solve it eventually, perhaps at
> the next phase. We can discuss more about this.
Ticket #750 has been created - https://fedorahosted.org/pki/ticket/750
>
> Christina
>
> On 09/25/2013 04:59 PM, Andrew Wnuk wrote:
>> This patch provides basic support for DRM transport key rotation
>> described in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>
>> This patch provides implementation for tickets:
>> - 729 - CA to include transport certificate when submitting
>>   archival request to DRM
>> - 730 - DRM to detect presence of transport certificate attribute in
>>   submitted archival request and validate transport certificate
>>   against DRM's transport key list
>> - 731 - DRM to provide handling for alternative transport key based
>>   on detected and validated transport certificate arriving as a part
>>   of extended archival request
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
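The transition scenario discussed in this thread, as an added example that is not code from the patch or from the project: a DRM that selects its unwrapping key from the transport certificate named in the archival request recovers the session key only when that certificate is the one the client actually wrapped with. Raw RSA public keys stand in for transport certificates here, and the class, method and variable names are hypothetical.

```java
import java.security.*;
import java.util.*;
import javax.crypto.*;

// Illustrative sketch only: public keys stand in for transport certificates.
public class TransportKeySelection {
    // DRM's transport key list, indexed by SHA-256 of the encoded public key.
    static final Map<String, PrivateKey> drmKeys = new HashMap<>();

    static String fingerprint(PublicKey cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return Base64.getEncoder().encodeToString(d);
    }

    // Validate the cert named in the request against the list, then unwrap with its key.
    static SecretKey unwrap(PublicKey certInRequest, byte[] wrapped) throws Exception {
        PrivateKey key = drmKeys.get(fingerprint(certInRequest));
        if (key == null) throw new SecurityException("transport cert not in DRM key list");
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.UNWRAP_MODE, key);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair oldT = gen.generateKeyPair(), newT = gen.generateKeyPair();
        drmKeys.put(fingerprint(oldT.getPublic()), oldT.getPrivate());
        drmKeys.put(fingerprint(newT.getPublic()), newT.getPrivate());
        // Client loaded the enrollment page before rotation: wraps with the old cert.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        SecretKey session = aes.generateKey();
        Cipher w = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        w.init(Cipher.WRAP_MODE, oldT.getPublic());
        byte[] wrapped = w.wrap(session);

        // Request names the cert the client used: DRM selects the old key and succeeds.
        SecretKey ok = unwrap(oldT.getPublic(), wrapped);
        System.out.println("client's cert in request, key recovered: "
                + Arrays.equals(ok.getEncoded(), session.getEncoded()));
        // CA stamps its current (new) cert from configuration: DRM selects the wrong key.
        try {
            unwrap(newT.getPublic(), wrapped);
        } catch (GeneralSecurityException e) {
            System.out.println("CA-configured cert in request: unwrap failed");
        }
    }
}
```

Both certificates pass the key-list validation, so the mismatch only surfaces at unwrap time; a failure there during a rotation window is worth logging with the fingerprint the request carried.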