securing FAS certs
Mike McGrath
mmcgrath at redhat.com
Fri Aug 22 20:53:28 UTC 2008
On Fri, 22 Aug 2008, David Lutterkort wrote:
> On Thu, 2008-08-21 at 14:18 -0500, Jeffrey Ollie wrote:
> > What about using a crypto card like Jesse plans on using for Sigul?
>
> I wonder if a TPM can be (ab)used for this, too; they are pretty common
> on newer hardware, and store a key in HW that can not be extracted.
>
> Not sure though if anybody has looked at using it to sign SSL certs, and
> especially at keeping logs of what was signed in a way that makes it
> impossible to tamper with those logs, e.g. to hide the signing of some
> certs.
>
Possibly. I was looking earlier too for something like ssh-agent or
gpg-agent to serve this purpose... Haven't seen anything. Which... well,
strikes me as strange. It'd be a software way to do what we're talking
about.
-Mike
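
The tamper-evident signing log raised in the quoted message can be built as a hash chain, the same extend operation a TPM applies to a PCR. This is an added example, not part of the original thread or of any Fedora code; the entry fields, the `SigningLog` name and the sample certificates are constructed for illustration, and the running register is assumed to be kept somewhere the signing host cannot rewrite.

```python
import hashlib
import json

ZERO = bytes(32)  # initial register value, like a freshly reset PCR


def extend(register: bytes, entry: dict) -> bytes:
    """PCR-style extend: new = SHA-256(old || SHA-256(canonical entry))."""
    digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).digest()
    return hashlib.sha256(register + digest).digest()


class SigningLog:
    """Append-only record of issued certs (hypothetical structure)."""

    def __init__(self):
        self.entries = []      # the log file an attacker might edit
        self.register = ZERO   # assumed to live in protected storage

    def record(self, serial: int, subject: str, cert_der: bytes) -> bytes:
        entry = {"serial": serial, "subject": subject,
                 "cert_sha256": hashlib.sha256(cert_der).hexdigest()}
        self.entries.append(entry)
        self.register = extend(self.register, entry)
        return self.register


def audit(entries, trusted_register: bytes) -> bool:
    """Replay the log; any edit, deletion or reorder changes the result."""
    reg = ZERO
    for entry in entries:
        reg = extend(reg, entry)
    return reg == trusted_register


def demo() -> dict:
    log = SigningLog()
    # Constructed sample data, not real certificates.
    for serial, subject in enumerate(["user-a", "user-b", "user-c"], start=1):
        log.record(serial, subject, f"constructed cert for {subject}".encode())
    intact = list(log.entries)
    hidden = intact[:1] + intact[2:]              # one signing removed
    edited = [dict(e) for e in intact]
    edited[1]["subject"] = "someone-else"         # one entry rewritten
    swapped = [intact[1], intact[0], intact[2]]   # order changed
    return {name: audit(entries, log.register)
            for name, entries in [("intact", intact), ("hidden", hidden),
                                  ("edited", edited), ("swapped", swapped)]}


if __name__ == "__main__":
    print(demo())
```

The check only holds if the register is out of reach of whoever can edit the log; a final register value alone shows that tampering happened, not which entry was changed.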