[Freeipa-devel] LDAP schema for DNSSEC keys
Simo Sorce
simo at redhat.com
Tue Jul 29 06:56:02 UTC 2014
On Tue, 2014-07-29 at 08:46 +0200, Jan Cholasta wrote:
> Dne 28.7.2014 v 11:04 Simo Sorce napsal(a):
> > On Fri, 2014-07-25 at 19:26 +0200, Petr Spacek wrote:
> >>
> >> I have updated design page and diagrams:
> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#LDAPschema
> >
> > Excellent page, I took a full read and it all seem reasonable.
> >
> > However I would like a page like this with the detailed summary of key
> > material handling.
> >
> > This is important to get right and have documented anyway so if someone
> > could summarize in detail all the key handling I would be happy to do a
> > detailed review and think carefully about the security stance of the
> > final solution we agreed on. If we can do this early it would be better
> > to avoid costly rewrites should we have forgotten/underestimated some
> > implementation detail that requires changes.
> >
> > Simo.
> >
>
> Do you need more detail than
> <https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Keydistribution>?
It's almost there but the wraping/unwrapping steps are a bit handwavy.
I would like more details on algorithms we are going to use and exactly
what parts do the wrapping and unwrapping. For example we say all these
operations happen in SoftHSM at the start, but then the steps that
describe how these keys are inserted into or extracted from SoftHSM are
vague enough they can be interpreted as these operations are being
performed outside of SoftHSM. It should be made much clearer exactly
what component on the system will perform each and any of the key
(un)wrapping operations and with which keys and algorithms.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list