On 09/12/2013 08:30 AM, Ade Lee wrote:
Hi Andrew,
Just a couple of questions/comments.
1. Please update to indicate that this will be targeted to 10.1.
2. As you noted, many of the steps around the generation and propagation
of the transport keys will be provided as manual steps for 10.1. Its
likely though that we will want to provide restful interfaces to do
these operations, perhaps in 10.2. Please create trac tickets for this
- and we can triage accordingly.
+1. The intention is to get transport key
rotation working (with some
manual procedures) in 10.1. We may very well want to add some
enhancements to avoid some of the manual procedures as a next step in a
future release. It will be a lot easier to make this decision once we
know what the manual procedures entail. The design doc should say that
the procedures will be manual as a first cut, and that we might choose
to automate them as a future enhancement. The way it is currently
worded makes it sound like we will never have nicer automated
procedures, which isn't the case.
3. If we have an old CA which communicates with a DRM, and it does not
supply a DRM certificate with the archival request, is there any way of
determining whether the transport cert used to encrypt the key is valid?
If it isn't, and there is no way of doing so, then we could end up
reporting success, when in fact the key would be indecipherable.
Ade
On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
> Feature page for DRM transport key rotation has been added:
>
http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>
>
> Please review and provide comments.
> Thanks,
> Andrew
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel