[Pki-devel] Feature page for DRM transport key rotation

Andrew Wnuk awnuk at redhat.com
Thu Sep 12 16:12:50 UTC 2013


On 09/12/2013 08:55 AM, Andrew Wnuk wrote:
> On 09/12/2013 08:30 AM, Ade Lee wrote:
>> Hi Andrew,
>>
>> Just a couple of questions/comments.
>>
>> 1. Please update to indicate that this will be targeted to 10.1.
Done.
>>
>> 2. As you noted, many of the steps around the generation and propagation
>> of the transport keys will be provided as manual steps for 10.1.  It's
>> likely though that we will want to provide restful interfaces to do
>> these operations, perhaps in 10.2.  Please create trac tickets for this
>> - and we can triage accordingly.
>>
We need to plan next steps, and this is a good topic for a "technical 
discussion" meeting.
>> 3.  If we have an old CA which communicates with a DRM, and it does not
>> supply a DRM certificate with the archival request, is there any way of
>> determining whether the transport cert used to encrypt the key is valid?
>>
>> If it isn't, and there is no way of doing so, then we could end up
>> reporting success, when in fact the key would be indecipherable.
> I talked earlier with Bob about this and other scenarios.
> There are safeguards in NSS, so in the case described above our current 
> archiving procedure will fail as it should.
>
> Andrew
>> Ade
>>
>>
>> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>>> Feature page for DRM transport key rotation has been added:
>>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>>
>>>
>>> Please review and provide comments.
>>> Thanks,
>>> Andrew
>>
>
