Re: [Pki-devel] Feature page for DRM transport key rotation
Re-sending my undelivered posts below.
On 09/12/2013 11:49 AM, Nathan Kinder wrote:
On 09/12/2013 08:30 AM, Ade Lee wrote:
> Hi Andrew,
>
> Just a couple of questions/comments.
>
> 1. Please update to indicate that this will be targeted to 10.1.
Done.
>
> 2. As you noted, many of the steps around the generation and propagation
> of the transport keys will be provided as manual steps for 10.1. Its
> likely though that we will want to provide restful interfaces to do
> these operations, perhaps in 10.2. Please create trac tickets for this
> - and we can triage accordingly.
+1. The intention is to get transport key rotation working (with some
manual procedures) in 10.1. We may very well want to add some
enhancements to avoid some of the manual procedures as a next step in
a future release. It will be a lot easier to make this decision once
we know what the manual procedures entail. The design doc should say
that the procedures will be manual as a first cut, and that we might
choose to automate them as a future enhancement. The way it is
currently worded makes it sound like we will never have nicer
automated procedures, which isn't the case.
>
> 3. If we have an old CA which communicates with a DRM, and it does not
> supply a DRM certificate with the archival request, is there any way of
> determining whether the transport cert used to encrypt the key is valid?
>
> If it isn't, and there is no way of doing so, then we could end up
> reporting success, when in fact the key would be indecipherable.
I talked
earlier with Bob about this and other scenarios.
There are safeguards in NSS so in case described above our current
archiving procedure will fail as it should.
>
> Ade
>
>
> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>> Feature page for DRM transport key rotation has been added:
>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>
>>
>> Please review and provide comments.
>> Thanks,
>> Andrew
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel