On 10/03/15 10:53, Simone Tiraboschi wrote: > In order to trust an https connection to the engine you have > to trust its CA but you still don't know it cause it's a > private one and it has been just created on the engine from scratch.
Can't the setup display the necessary parameters to make sure I trust the right CA when I accept it in my browser? It could even create a consumable file, which I can copy to my workstation and import there. > Blindly downloading the engine CA cert and blindly trusting it is not > that different that simply using http to download the public key: this is correct, but who would do this? of course you need to check if it is the right CA! > in order to fetch it you don't need to send any password > or token and being a public key you don't need to crypt > it by definition so you don't need encryption. this is not about keeping the public key secret, but about keeping the channel over which it is transferred secure. so no one can tamper with the key and send you another public key to a different machine. (dns spoofing, arp spoofing etc.) if you don't check the public key and ensure you connect to the correct machine, there is no need for public keys anyway and you could just skip this step. imho this is a security bug. other people would just consider this a hardening. trusting the local network is a security mindset from the 90's. most LANs have to many hosts which you might don't even know. you could also be on some shared foreign network where third party machines from different users can tamper with the network. I have seen user reports who used some leased hardware in offsite data centers to install ovirt, where you can't fully trust all local clients. this should be more secure by default imho. -- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users