[Pki-devel] Feature page for DRM transport key rotation
Andrew Wnuk
awnuk at redhat.com
Thu Sep 12 19:18:06 UTC 2013
Re-sending my undelivered posts below.
On 09/12/2013 11:49 AM, Nathan Kinder wrote:
> On 09/12/2013 08:30 AM, Ade Lee wrote:
>> Hi Andrew,
>>
>> Just a couple of questions/comments.
>>
>> 1. Please update to indicate that this will be targeted to 10.1.
Done.
>>
>> 2. As you noted, many of the steps around the generation and propagation
>> of the transport keys will be provided as manual steps for 10.1. It's
>> likely though that we will want to provide restful interfaces to do
>> these operations, perhaps in 10.2. Please create trac tickets for this
>> - and we can triage accordingly.
> +1. The intention is to get transport key rotation working (with some
> manual procedures) in 10.1. We may very well want to add some
> enhancements to avoid some of the manual procedures as a next step in
> a future release. It will be a lot easier to make this decision once
> we know what the manual procedures entail. The design doc should say
> that the procedures will be manual as a first cut, and that we might
> choose to automate them as a future enhancement. The way it is
> currently worded makes it sound like we will never have nicer
> automated procedures, which isn't the case.
>>
>> 3. If we have an old CA which communicates with a DRM, and it does not
>> supply a DRM certificate with the archival request, is there any way of
>> determining whether the transport cert used to encrypt the key is valid?
>>
>> If it isn't, and there is no way of doing so, then we could end up
>> reporting success, when in fact the key would be indecipherable.
I talked earlier with Bob about this and other scenarios.
There are safeguards in NSS, so in the case described above our current
archiving procedure will fail as it should.
>>
>> Ade
>>
>>
>> On Wed, 2013-09-11 at 15:12 -0700, Andrew Wnuk wrote:
>>> Feature page for DRM transport key rotation has been added:
>>> http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
>>>
>>>
>>> Please review and provide comments.
>>> Thanks,
>>> Andrew
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
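The failure mode discussed in point 3 above (a CA wraps an archived key under a transport certificate the DRM has rotated away from, and the request must fail rather than be reported as archived) as an added model, written for this page and not taken from Dogtag/pki code or from the feature page. It assumes a simplified design: the DRM keeps its current transport key plus every retired one, keyed by a fingerprint; a request from an updated CA names the transport cert it used; a request from an old CA names nothing and is tried only against the current key. The wrapping itself is a stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag over a symmetric secret) in place of the real NSS RSA key wrap, chosen so that an unwrap with the wrong transport key is detected by tag mismatch rather than yielding garbage. Names such as ArchivalRequest, DRM.rotate and the result strings are assumptions of this example.

```python
"""Model of DRM transport-key rotation checks (added example, not Dogtag code).

Assumptions: the transport key is modelled as a 32-byte symmetric secret
(in Dogtag it is the DRM's RSA transport key pair); wrap()/unwrap() stand in
for the NSS key wrap, with an HMAC tag so a wrong-key unwrap fails loudly.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


def key_id(transport_key: bytes) -> str:
    # Fingerprint standing in for the transport cert's SHA-256 fingerprint.
    return hashlib.sha256(transport_key).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in cipher, not a production design.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(transport_key: bytes, secret: bytes) -> bytes:
    # nonce || ciphertext || tag (encrypt-then-MAC under the transport key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(secret, _keystream(transport_key, nonce, len(secret))))
    tag = hmac.new(transport_key, b"wrap" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(transport_key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(transport_key, b"wrap" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong transport key or tampering: refuse, never guess
    return bytes(a ^ b for a, b in zip(body, _keystream(transport_key, nonce, len(body))))


@dataclass
class ArchivalRequest:
    wrapped_key: bytes
    transport_cert_id: Optional[str]  # None models an old CA that sends no DRM cert


class DRM:
    def __init__(self, transport_key: bytes):
        self.current_id = key_id(transport_key)
        self.keys: Dict[str, bytes] = {self.current_id: transport_key}  # current + retired

    def rotate(self, new_key: bytes) -> str:
        # The old key is retained so keys already wrapped under it stay recoverable.
        self.current_id = key_id(new_key)
        self.keys[self.current_id] = new_key
        return self.current_id

    def archive(self, req: ArchivalRequest) -> str:
        if req.transport_cert_id is not None:
            k = self.keys.get(req.transport_cert_id)
            if k is None:
                return "rejected: unknown transport cert"
            return "archived" if unwrap(k, req.wrapped_key) is not None else "rejected: unwrap failed"
        # Legacy request: only the current key is tried. A blob wrapped under a
        # retired key fails authentication, so the DRM reports failure, not success.
        if unwrap(self.keys[self.current_id], req.wrapped_key) is None:
            return "rejected: unwrap failed"
        return "archived"


def scenario() -> Dict[str, str]:
    # Constructed sample: one archival before rotation, three after.
    old, new, secret = os.urandom(32), os.urandom(32), os.urandom(48)
    drm = DRM(old)
    req_old = ArchivalRequest(wrap(old, secret), drm.current_id)  # updated CA, old cert
    drm.rotate(new)
    req_new = ArchivalRequest(wrap(new, secret), drm.current_id)  # updated CA, new cert
    legacy = ArchivalRequest(wrap(old, secret), None)  # old CA still on old cert
    bogus = ArchivalRequest(wrap(os.urandom(32), secret), "0000000000000000")
    return {
        "old_cert_identified": drm.archive(req_old),
        "new_cert": drm.archive(req_new),
        "legacy_old_ca": drm.archive(legacy),
        "unknown_cert": drm.archive(bogus),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The legacy case is the one Ade raised: with no cert identifier in the request, the DRM cannot pick the right retired key, and the design choice here is to fail the request rather than try every retained key silently.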