From: Michael Richardson <mcr@sandelman.ca>
To: "openbmc\@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - this Wednesday February 19 - summary results
Date: Mon, 24 Feb 2020 11:19:14 -0500
Message-ID: <21543.1582561154@localhost>
In-Reply-To: <18a2f2f6-7281-8884-20c2-eceee87c3bea@linux.intel.com>



James Feist <james.feist@linux.intel.com> wrote:
    > I think the original motivation of 10 years was something above the average
    > support cycle of a server, so on first boot the user has something they can
    > use to login to the server with.

That's not a crazy consideration to me.

    > That being said, if the browser won't let you
    > in, that is obviously more important. 30 days seems a bit too strict
    > considering shipping / unpacking times make it likely you'll have an expired
    > certificate upon arrival. But if we can't come to an agreement, we can always
    > make this configurable.

1) it would be good to clarify what browsers are really going to do.

2) it won't apply to CURL, etc. which might be used to onboard a system
   automatically.

3) you can't make it configurable, because you can't configure it if you
   can't connect :-)

825 days (27 months, so 2yr plus some wiggle room) is definitely what they
are going for with built-in trust anchors.  I'm not sure if this will apply
to trust anchors that are loaded into browsers by end users, or if that
configuration will somehow be attached to the trust anchor.

So, if 825 days is a good default, I'd make it 820 days, and after 410 days,
I'd have the self-signed certificate re-signed, but not generate a new private
key.   This allows for mgmt stations to pin the public key of the BMC,
ignoring the actual certificate contents.

I will try to send a patch to do this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
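The scheme proposed in the message above (an 820-day self-signed certificate, re-signed after 410 days over the same private key so that a management station can pin the BMC's public key rather than the certificate), as an added worked example. This is not code from the original post nor from OpenBMC's certificate manager; it is a plain openssl(1) script. The file names, the P-256 key type and the CN "bmc.example.invalid" are assumptions; the 820- and 410-day values are the ones from the message. The "re-sign now?" rule is expressed as "fewer than 410 days remain", which for an 820-day certificate is the same as "410 days since issue" and is portable via `openssl x509 -checkend`.

```shell
#!/bin/sh
# Self-signed BMC certificate with key-stable re-signing (added example).
# Assumed layout: one working directory holding bmc.key and bmc.crt.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/bmc.key"
CERT="$WORKDIR/bmc.crt"
LIFETIME_DAYS=820        # value from the message (825 minus wiggle room)
RESIGN_AFTER_DAYS=410    # re-sign once fewer than this many days remain

# Generate the BMC private key exactly once. Re-signing never touches it,
# which is what makes public-key pinning by a management station survive.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$KEY" 2>/dev/null
}

# Issue (or re-issue) a self-signed certificate over the existing key.
# $1 = validity in days (defaults to LIFETIME_DAYS).
sign_cert() {
    days="${1:-$LIFETIME_DAYS}"
    openssl req -x509 -new -key "$KEY" -days "$days" -sha256 \
        -subj "/CN=bmc.example.invalid" -out "$CERT" 2>/dev/null
}

# SPKI pin as a management station would compute it:
# base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). Depends only on the key.
spki_pin() {
    openssl x509 -in "${1:-$CERT}" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# SHA-256 fingerprint of the whole certificate. Changes on every re-sign
# because the serial, dates and signature change even though the key does not.
cert_fingerprint() {
    openssl x509 -in "${1:-$CERT}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 (true) when the certificate should be re-signed now, i.e. it will
# expire within RESIGN_AFTER_DAYS days. -checkend returns 0 while the cert
# still outlives the given window, so the sense is inverted here.
needs_resign() {
    if openssl x509 -in "${1:-$CERT}" -noout \
         -checkend $((RESIGN_AFTER_DAYS * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Daily maintenance step: re-sign with the same key when the window is hit.
maintain_cert() {
    if needs_resign "$CERT"; then
        sign_cert "$LIFETIME_DAYS"
        echo "re-signed $CERT over existing key"
    else
        echo "$CERT still has more than $RESIGN_AFTER_DAYS days left"
    fi
}

demo() {
    gen_key
    sign_cert "$LIFETIME_DAYS"
    echo "initial pin:         $(spki_pin)"
    echo "initial fingerprint: $(cert_fingerprint)"
    # Constructed ageing: issue a cert with only 400 days left, as an
    # 820-day cert would have after about 420 days in service.
    sign_cert 400
    maintain_cert
    echo "pin after re-sign:         $(spki_pin)"
    echo "fingerprint after re-sign: $(cert_fingerprint)"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh bmc-cert.sh demo`: the pin line is identical before and after the re-sign while the fingerprint line differs, which is exactly the property that lets a management station pin the key and ignore the certificate contents. The 400-day certificate is a constructed stand-in for an aged one, since `-checkend` compares notAfter against the current clock and this script cannot move the clock.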



Thread overview: 13+ messages
2020-02-17 22:29 Security Working Group meeting - this Wednesday February 19 Joseph Reynolds
2020-02-19 23:05 ` Security Working Group meeting - this Wednesday February 19 - summary results Joseph Reynolds
2020-02-20 16:26   ` Patrick Williams
2020-02-21 12:19     ` Alexander Tereschenko
2020-02-21 20:10       ` Patrick Williams
2020-02-21 20:21         ` Bruce Mitchell
2020-02-21 20:26           ` Patrick Williams
2020-02-21 20:29           ` James Feist
2020-02-24 16:19             ` Michael Richardson [this message]
2020-02-26 11:58               ` Alexander Tereschenko
2020-02-26 13:34                 ` Michael Richardson
2020-02-24 16:14     ` Michael Richardson
2020-03-03 17:56   ` Gunnar Mills
