[Pki-devel] [PATCH] DRM Transport Key Rotation

Andrew Wnuk awnuk at redhat.com
Mon Sep 30 23:03:56 UTC 2013 

On 09/30/2013 09:30 AM, Christina Fu wrote:
> ACK with ticket filed or to be filed.
>
> Christina
>
> On 09/27/2013 05:15 PM, Andrew Wnuk wrote:
>> On 09/27/2013 09:55 AM, Christina Fu wrote:
>>> First of all, I think it's a nice framework that lays the basis for 
>>> supporting multiple DRM transport keys.  Thanks for taking care of 
>>> the encrypt/decrypt case as well, which is essential in DRM for 
>>> supporting HSM's that do not support wrapping/unwrapping.
>>>
>>> A couple observations/questions:
>>>
>>> * in base/kra/src/com/netscape/kra/EnrollmentService.java, 
>>> transportCert is specifically deleted from the requests after 
>>> extraction.
>>> We might want to consider making it optional.  I understand that 
>>> some customer in the past has utilized DRM requests for their own 
>>> purposes.  If space is a concern, one idea is to store the nickname 
>>> instead.  Just something to think about.
Ticket #753 has been created - https://fedorahosted.org/pki/ticket/753
>>>
>>> * Another thing, perhaps as a phase 2, is to think about how to get 
>>> the exact transport cert that the client is using into the request 
>>> to the DRM.  The primary scenario that we wish to cover, I think, is 
>>> the case when the transport keys are in transition.  The scenario in 
>>> my mind would be someone getting to the enrollment page (thus a 
>>> transport key is already in the browser), then taking his/her time 
>>> to fill out the form, meanwhile, the CA's transport cert changed.  
>>> However, in this patch, CA is getting the transport cert from it's 
>>> CS.cfg and stuffing it into the request, which means that in this 
>>> scenario, CA is stuffing the new transport cert into the request 
>>> instead of the old one that the client is using.
>>> Again, I understand that it is not an easy one to resolve, but it is 
>>> essential to this feature so we need to solve eventually, perhaps at 
>>> the next phase.  We can discuss more about this.
>> Ticket #750 has been created - https://fedorahosted.org/pki/ticket/750
>>>
>>> Christina
>>>
>>> On 09/25/2013 04:59 PM, Andrew Wnuk wrote:
>>>> This patch provides basic support for DRM transport key rotation 
>>>> described
>>>>     in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>>>
>>>>     This patch provides implementation for tickets:
>>>>      - 729 - CA to include transport certificate when submitting 
>>>> archival request to DRM
>>>>      - 730 - DRM to detect presence of transport certificate 
>>>> attribute in submitted archival
>>>>              request and validate transport certificate against 
>>>> DRM's transport key list
>>>>      - 731 - DRM to provide handling for alternative transport key 
>>>> based on detected
>>>>              and validated transport certificate arriving as a part 
>>>> of extended archival request
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20130930/2289de0e/attachment.htm>

More information about the Pki-devel mailing list