[Pki-devel] Feature page for DRM transport key rotation

Andrew Wnuk awnuk at redhat.com
Thu Sep 12 19:18:06 UTC 2013


Re-sending my undelivered posts below.

On 09/12/2013 11:49 AM, Nathan Kinder wrote:
> On 09/12/2013 08:30 AM, Ade Lee wrote:
>> Hi Andrew,
>>
>> Just a couple of questions/comments.
>>
>> 1. Please update to indicate that this will be targeted to 10.1.
Done.
>>
>> 2. As you noted, many of the steps around the generation and propagation
>> of the transport keys will be provided as manual steps for 10.1.  It's
>> likely though that we will want to provide RESTful interfaces to do
>> these operations, perhaps in 10.2.  Please create trac tickets for this
>> - and we can triage accordingly.
> +1.  The intention is to get transport key rotation working (with some 
> manual procedures) in 10.1.  We may very well want to add some 
> enhancements to avoid some of the manual procedures as a next step in 
> a future release.  It will be a lot easier to make this decision once 
> we know what the manual procedures entail.  The design doc should say 
> that the procedures will be manual as a first cut, and that we might 
> choose to automate them as a future enhancement.  The way it is 
> currently worded makes it sound like we will never have nicer 
> automated procedures, which isn't the case.
>>
>> 3.  If we have an old CA which communicates with a DRM, and it does not
>> supply a DRM certificate with the archival request, is there any way of
>> determining whether the transport cert used to encrypt the key is valid?
>>
>> If it isn't, and there is no way of doing so, then we could end up
>> reporting success, when in fact the key would be indecipherable.
I talked earlier with Bob about this and other scenarios.
There are safeguards in NSS, so in the case described above our current 
archiving procedure will fail, as it should.
>>
>> Ade
>>
>>
>> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>>> Feature page for DRM transport key rotation has been added:
>>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>>
>>>
>>> Please review and provide comments.
>>> Thanks,
>>> Andrew
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
