One of our resident pedants pulled us up on this, saying that if the cfengine people don't understand SSL properly, how can we know that it's secure? (or words to that effect).
In: http://www.cfengine.org/docs/cfengine-Tutorial.html (and IIRC I've seen this comment elsewhere) it says:

"SSL is not appropriate for a system administration tool, because it uses a trust model based on a third party, such as Verisign. Most administrators are not prepared to pay a fee to register every host on their network, with a trusted third party."

Which is not exactly accurate. You can act as your own CA, there's no need to involve a third party. We use x509 certificates for VPNs, for example, using self-signed certificates.

True, the SSL model of trust isn't entirely appropriate for the way that cfengine operates, but not because it involves a third party. Rather because it's unnecessarily complex for the job.

--
"Politics is the art of looking for trouble, finding it, misdiagnosing it, and then misapplying the wrong remedies." - Groucho Marx
_______________________________________________ Help-cfengine mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-cfengine
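
The "act as your own CA" setup mentioned in the message above, as an added example that is not part of the original post or of cfengine: a locally generated root signs a host certificate, which then verifies against that root and is rejected by any other. The CA names, host name and file layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: run your own CA, no third party involved.
# All names (Example Admin CA, host1.example.internal) are constructed.
set -eu

write_cnf() {          # $1 = config file, $2 = common name
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
}

make_ca() {            # $1 = CA directory, $2 = CA name
  mkdir -p "$1"
  write_cnf "$1/ca.cnf" "$2"
  # Self-signed root: the only trust anchor, generated and held by the admin.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -extensions v3_ca \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_host_cert() {    # $1 = CA directory, $2 = host name
  write_cnf "$1/$2.cnf" "$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # The CA key signs the host's request; no fee, no outside registration.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 90 \
    -extfile "$1/$2.cnf" -extensions v3_host -out "$1/$2.crt" 2>/dev/null
}

trusted_by() {         # $1 = CA cert used as sole trust anchor, $2 = host cert
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work/ours" "Example Admin CA"
make_ca "$work/other" "Unrelated CA"
issue_host_cert "$work/ours" host1.example.internal
crt="$work/ours/host1.example.internal.crt"
trusted_by "$work/ours/ca.crt"  "$crt" && echo "own CA:   host certificate accepted"
trusted_by "$work/other/ca.crt" "$crt" || echo "other CA: host certificate rejected"
rm -rf "$work"
```

Everything then depends on `ca.key`: keep it off the managed hosts and distribute only `ca.crt` as the trust anchor.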
