[Pki-devel] Feature page for DRM transport key rotation

Andrew Wnuk awnuk at redhat.com
Thu Sep 12 15:55:39 UTC 2013


On 09/12/2013 08:30 AM, Ade Lee wrote:
> Hi Andrew,
>
> Just a couple of questions/comments.
>
> 1. Please update to indicate that this will be targeted to 10.1.
>
> 2. As you noted, many of the steps around the generation and propagation
> of the transport keys will be provided as manual steps for 10.1.  It's
> likely though that we will want to provide RESTful interfaces to do
> these operations, perhaps in 10.2.  Please create trac tickets for this
> - and we can triage accordingly.
>
> 3.  If we have an old CA which communicates with a DRM, and it does not
> supply a DRM certificate with the archival request, is there any way of
> determining whether the transport cert used to encrypt the key is valid?
>
> If it isn't, and there is no way of doing so, then we could end up
> reporting success, when in fact the key would be indecipherable.
I talked earlier with Bob about this and other scenarios.
There are safeguards in NSS, so in the case described above our current
archiving procedure will fail, as it should.

Andrew
> Ade
>
>
> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>> Feature page for DRM transport key rotation has been added:
>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>
>>
>> Please review and provide comments.
>> Thanks,
>> Andrew
>>
>



