On Wed, 2011-11-16 at 08:30 +0100, david-dasz wrote:
> On Tue, 15 Nov 2011 21:51:31 +0100, Brice Figureau
> <brice-pup...@daysofwonder.com> wrote:
> > The plan is to support server validation from the client, through OCSP
> > (but not the reverse). To be really secure, the server should be
> > distinct from the CA.
> 
> To be able to protect the CA better?

In fact no. The SSL PKI model says that the CA is a third party that all
other parties (i.e. client and server) trust.

If you merge the CA and the server, then your client will ask the server
if it can trust it, which really defeats the purpose. If the server has
been compromised then it will surely answer that it can be trusted.

Note it's the same problem if you distribute the CRL via the master.

Hence, for OCSP to work correctly, it needs a separate CA.

> > Now, there are some issues (nothing I shouldn't be able to solve
> > anyway):
> > * the sideband connection to the CA will use SSL (which for OCSP is not
> > necessary), but worse, will force peer verification (there doesn't seem
> > to be a way to change this while in the rest terminus). This can prove
> > to be a problem if the client cert or CA server cert has been revoked :)
> 
> In that case you have lost trust between the peers anyways and recovering
> from that situation needs a different - probably manual - sideband anyways.

Yes, exactly.
-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
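As an added illustration of the point made above (this is example code, not something from the thread or from Puppet itself), here is a model of the OCSP responder-authorization rule from RFC 6960 section 4.2.2.2: a response about a certificate may only be signed by the CA that issued that certificate, by a responder the client trusts out of band, or by a responder that CA has delegated via a certificate carrying id-kp-OCSPSigning. The certificate records, the PKI names and the responses are constructed for the example, and the cryptographic signature on the response is assumed to have been verified already. Running it shows what a client can and cannot check: a server vouching for its own status, or an unrelated CA answering, is rejected, but a response signed with the CA key is accepted regardless of which host holds that key, which is exactly why keeping the CA off the master is an operational requirement rather than something the client can enforce.

```python
# Added example (not from the thread): model of the OCSP responder-authorization
# rule in RFC 6960 section 4.2.2.2.  Certificates are simplified records and the
# signature on the response is assumed to be verified already; `signer` is the
# certificate whose key produced it.  All names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                     # subject name of the CA that signed this cert
    ocsp_signing_eku: bool = False  # carries the id-kp-OCSPSigning extended key usage


@dataclass(frozen=True)
class OcspResponse:
    cert_checked: Cert  # certificate whose revocation status the response asserts
    signer: Cert        # certificate whose key signed the response
    status: str         # "good", "revoked" or "unknown"


def responder_authorized(resp, issuer_ca, trusted_responders=frozenset()):
    """Decide whether resp.signer may vouch for resp.cert_checked.

    issuer_ca is the CA certificate the client already trusts for the checked
    certificate's issuer; trusted_responders are responder certificates the
    client was configured to trust directly (RFC 6960 case 2).
    Returns (authorized, reason).
    """
    subject, signer = resp.cert_checked, resp.signer

    # A certificate is never the authority on its own status: a compromised
    # server would simply answer "good".
    if signer == subject:
        return False, "response signed by the certificate being checked"

    # Case 1: the CA that issued the certificate signed the response itself.
    if signer == issuer_ca and issuer_ca.subject == subject.issuer:
        return True, "signed by issuing CA"

    # Case 2: a responder the client trusts out of band.
    if signer in trusted_responders:
        return True, "signed by locally trusted responder"

    # Case 3: a responder delegated by the issuing CA, the delegation being a
    # certificate from that same CA that carries id-kp-OCSPSigning.
    if signer.issuer == subject.issuer and signer.ocsp_signing_eku:
        return True, "signed by responder delegated by issuing CA"

    return False, "signer is neither the issuing CA nor a delegated or trusted responder"


def certificate_trusted(resp, issuer_ca, trusted_responders=frozenset()):
    """Full decision: the status is believed only from an authorized responder."""
    ok, _ = responder_authorized(resp, issuer_ca, trusted_responders)
    return ok and resp.status == "good"


# Constructed sample PKI (illustrative names, not from the thread).
CA = Cert(subject="Puppet CA", issuer="Puppet CA")
MASTER = Cert(subject="puppetmaster.example", issuer="Puppet CA")
RESPONDER = Cert(subject="ocsp.example", issuer="Puppet CA", ocsp_signing_eku=True)
OTHER_CA = Cert(subject="Other CA", issuer="Other CA")

# Sane deployments: the CA, or a responder it delegated, answers for the master.
SIGNED_BY_CA = OcspResponse(MASTER, CA, "good")
SIGNED_BY_RESPONDER = OcspResponse(MASTER, RESPONDER, "good")
# The degenerate case from the thread: the server vouching for itself.
SELF_VOUCHED = OcspResponse(MASTER, MASTER, "good")
# A CA that never issued the master's certificate answering for it.
FOREIGN = OcspResponse(MASTER, OTHER_CA, "good")

if __name__ == "__main__":
    for name, r in [("ca", SIGNED_BY_CA), ("delegated", SIGNED_BY_RESPONDER),
                    ("self", SELF_VOUCHED), ("foreign", FOREIGN)]:
        print(name, responder_authorized(r, CA))
```

Note that `certificate_trusted` treats an unauthorized responder the same as a "revoked" answer: an unverifiable "good" is not evidence, so the client should fail closed rather than accept the certificate.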
