On 09/12/2013 08:55 AM, Andrew Wnuk wrote:
On 09/12/2013 08:30 AM, Ade Lee wrote:
> Hi Andrew,
>
> Just a couple of questions/comments.
>
> 1. Please update to indicate that this will be targeted to 10.1.
Done.
>
> 2. As you noted, many of the steps around the generation and propagation
> of the transport keys will be provided as manual steps for 10.1. It's
> likely though that we will want to provide restful interfaces to do
> these operations, perhaps in 10.2. Please create trac tickets for this
> - and we can triage accordingly.
>
We need to plan next steps and this is a good topic for a "technical
discussion" meeting.
> 3. If we have an old CA which communicates with a DRM, and it does not
> supply a DRM certificate with the archival request, is there any way of
> determining whether the transport cert used to encrypt the key is valid?
>
> If it isn't, and there is no way of doing so, then we could end up
> reporting success, when in fact the key would be indecipherable.
I talked earlier with Bob about this and other scenarios.
There are safeguards in NSS, so in the case described above our current
archiving procedure will fail as it should.
Andrew
> Ade
>
>
> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>> Feature page for DRM transport key rotation has been added:
>>
>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>
>> Please review and provide comments.
>> Thanks,
>> Andrew