Thanks for the link, I will work through the page and see if any questions pop up. Also thanks to Yedidyah for the clarification!
On 29.01.2014 14:23, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Yedidyah Bar David" <d...@redhat.com>
>> To: "Sven Kieske" <s.kie...@mittwald.de>
>> Cc: "Users@ovirt.org List" <Users@ovirt.org>, "Alon Bar-Lev" <alo...@redhat.com>
>> Sent: Wednesday, January 29, 2014 3:12:21 PM
>> Subject: Re: [Users] replace engine hostname /pki
>>
>> (Following a discussion with Alon)
>
> Hi,
>
> I hope you find this[1] helpful, if not we should work to make it better.
>
> Thanks,
>
> [1] http://www.ovirt.org/Features/PKI
>
>> ----- Original Message -----
>>> From: "Sven Kieske" <s.kie...@mittwald.de>
>>> To: "Yedidyah Bar David" <d...@redhat.com>
>>> Cc: "Users@ovirt.org List" <Users@ovirt.org>
>>> Sent: Wednesday, January 29, 2014 1:24:40 PM
>>> Subject: Re: [Users] replace engine hostname /pki
>>>
>>> Additional question regarding the certificates/PKI:
>>>
>>> The wiki page states:
>>>
>>> "The bigger concern is with the engine's certificate. Currently, to the best of our knowledge, there is no component that actually checks this trust."
>>
>> Well, this is not accurate. The trust path _is_ checked, but against the saved CA cert. On host deploy the host saves the CA cert and so can verify the trust path even if the CA's hostname does not exist any more and can't be connected to to get /ca.crt.
>>
>> The point was that if there is something (e.g. SPICE client, web browser) that checks the trust path, this will fail if this client did not have the CA cert, or tries to download it again after the rename.
>>
>>> (All three certificates (CA, httpd, engine) are for the Common Name (CN) whose value is the hostname entered during engine-setup, which is supposed to be the hostname of the engine's machine, exist in the DNS (forward and reverse records), and point to an IP address of the engine's machine.)
>>>
>>> Is there a list of values that get checked? E.g. the validity dates before and after?
>>
>> Yes, these are checked.
>>
>>> Users might run into trouble in 10 years if this gets checked, because that is the current expiration date.
>>
>> Indeed. If oVirt systems will live 10 years, 1. we'll be very happy :-), 2. all certificates will need to be reissued. You can verify this today by moving the clock.
>>
>>> If _nothing_ gets checked I wonder why the PKI is used at all ;)
>>>
>>> (I assume at least the keys get checked)
>>
>> Yes.
>>
>> Alon also added: Revocations are not checked. This means that if someone breaks into your engine, there is no simple way to tell the hosts to not trust the old engine key anymore.
>> --
>> Didi
>

--
Kind regards / Regards

Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen District Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen District Court
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
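The three points Didi and Alon make above (the trust path is verified against a CA certificate the host saved at deploy time, the validity dates are enforced and can be tested by moving the clock, and revocations are never consulted) can be reproduced with plain openssl. The script below is an added example for this thread, not oVirt's own PKI tooling: it builds a throwaway CA and engine certificate in a scratch directory, verifies the engine certificate the way a host holding a saved CA copy would, repeats the check with the clock moved eleven years ahead, then revokes the engine certificate and shows that a verifier which ignores the CRL still accepts it. The hostname engine.example.test, the CA's CN, the file names and the scratch directory are all assumptions.

```shell
#!/bin/sh
# Added example, not oVirt code: reproduce the three checks discussed in the
# thread with a throwaway CA. Hostname, CA name and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
ENGINE_FQDN="engine.example.test"     # assumed engine-setup hostname
DAYS=3650                             # the ~10-year lifetime mentioned in the thread

# Run "openssl verify" with the given arguments; print OK or REJECTED.
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo REJECTED; fi
}

# Throwaway CA plus an engine certificate signed by it. The CA gets a distinct
# CN so the engine certificate is not self-issued (same subject and issuer),
# which older OpenSSL versions treat differently during chain building.
make_pki() (
    cd "$WORK"
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.pem -subj "/CN=$ENGINE_FQDN CA" -days "$DAYS" >/dev/null 2>&1
    openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout engine.key \
        -out engine.csr -subj "/CN=$ENGINE_FQDN" >/dev/null 2>&1
    openssl x509 -req -in engine.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out engine.pem -days "$DAYS" >/dev/null 2>&1
    # Minimal "openssl ca" database so the CA can revoke and issue a CRL later.
    : > index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
)

# 1. Trust path: a host that saved ca.pem at deploy time verifies the engine
#    certificate offline; the CA's hostname never has to resolve.
trust_path() {
    check -CAfile "$WORK/ca.pem" "$WORK/engine.pem"
}

# 2. Validity dates: the same check with the clock moved 11 years ahead.
#    -attime avoids touching the real system clock.
after_expiry() {
    check -CAfile "$WORK/ca.pem" -attime "$(( $(date +%s) + 11 * 365 * 86400 ))" "$WORK/engine.pem"
}

# Revoke the engine certificate and publish a CRL, as one would after the
# engine had been broken into.
revoke_engine() (
    cd "$WORK"
    openssl ca -config ca.cnf -revoke engine.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -crldays 30 -out crl.pem >/dev/null 2>&1
)

# 3a. Revocation as the hosts verify today: no CRL is consulted, so the
#     revoked engine certificate is still accepted.
revoked_without_crl_check() {
    check -CAfile "$WORK/ca.pem" "$WORK/engine.pem"
}

# 3b. What a CRL-aware verifier does with the same certificate.
revoked_with_crl_check() {
    check -CAfile "$WORK/ca.pem" -crl_check -CRLfile "$WORK/crl.pem" "$WORK/engine.pem"
}

make_pki
echo "trust path against saved CA:      $(trust_path)"
echo "same check 11 years from now:     $(after_expiry)"
revoke_engine
echo "after revocation, no CRL check:   $(revoked_without_crl_check)"
echo "after revocation, with CRL check: $(revoked_with_crl_check)"
```

Run it with `sh` on a machine with the openssl command-line tool; it leaves everything in the scratch directory it prints nothing about, so the files can be inspected afterwards. The last two lines are the point of the thread: the saved CA copy makes the trust path and expiry checks work without any network, but unless the verifier is given a CRL (or an equivalent revocation source) and told to check it, a compromised engine key stays trusted until its notAfter date.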