securing FAS certs

Mike McGrath mmcgrath at
Fri Aug 22 20:53:28 UTC 2008

On Fri, 22 Aug 2008, David Lutterkort wrote:

> On Thu, 2008-08-21 at 14:18 -0500, Jeffrey Ollie wrote:
> > What about using a crypto card like Jesse plans on using for Sigul?
> I wonder if a TPM can be (ab)used for this, too; they are pretty common
> on newer hardware, and store a key in HW that can not be extracted.
> Not sure though if anybody has looked at using it to sign SSL certs, and
> especially at keeping logs of what was signed in a way that makes it
> impossible to tamper with those logs, e.g. to hide the signing of some
> certs.

Possibly.  I was looking earlier too for something like ssh-agent or gpg
agent to serve this purpose...  Haven't seen anything.  Which.. well
strikes me as strange.  It'd be a software way to do what we're talking


More information about the Fedora-infrastructure-list mailing list