From: Ed Tanous <ed@tanous.net>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Patrick Williams <patrick@stwcx.xyz>,
	Joseph Reynolds <jrey@linux.ibm.com>,
	openbmc <openbmc@lists.ozlabs.org>
Subject: Re: BMCWeb policy for HTTPS site identity certificate
Date: Tue, 28 Jul 2020 19:28:08 -0700
Message-ID: <CACWQX83hOUEVS4hjy3MSwhwUnb9U+SjktJPsWKkTzRygX4pxuw@mail.gmail.com>
In-Reply-To: <18129.1595955887@localhost>

On Tue, Jul 28, 2020 at 10:06 AM Michael Richardson <mcr@sandelman.ca> wrote:
>
>     > I'm less settled on using a certificate which is clearly expired, but it
>     > is still likely better than using a newly-generated self-signed
>     > certificate.

The original implementation just caught the
X509_V_ERR_CERT_NOT_YET_VALID error and ignored it, but your idea
would work as well.

One thing we had considered is requiring that the CERT date be at
minimum AFTER the firmware build date, under the assumption that the
build machine had a good grasp on what time it was at the time.  We
could use this for gating the upload of a new cert, but can't use it
for invalidating a cert that already exists, as we run into the
"upgrade causes denial of service" problem.
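As an added example (not BMCWeb code, and not from this thread's authors), the upload gate described in the last paragraph: parse the certificate's validity period with a minimal DER walker so it runs without OpenSSL, and accept a newly uploaded certificate only if its notBefore is no earlier than the firmware build date; an already-installed certificate is deliberately never re-checked against that rule. The build date and the two sample certificates are constructed values.

```python
from datetime import datetime, timezone

def _der(tag, body):
    """Short-form DER encoder (bodies < 128 bytes), enough for the constructed samples."""
    return bytes([tag, len(body)]) + body

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])      # serial, sigAlg, issuer, validity
    return tuple(_parse_time(t, v) for t, v in validity[:2])

def upload_allowed(der, firmware_build_time):
    """Gate a NEW cert upload only; an existing cert is never invalidated by this check."""
    not_before, not_after = cert_validity(der)
    return not_before >= firmware_build_time and not_after > not_before

def sample_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton (not a real cert) with the given validity."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))

# Constructed sample values: a firmware build date and two candidate uploads to gate.
FIRMWARE_BUILD_TIME = datetime(2020, 7, 1, tzinfo=timezone.utc)
GOOD_CERT = sample_cert(datetime(2020, 7, 28, tzinfo=timezone.utc), datetime(2021, 7, 28, tzinfo=timezone.utc))
STALE_CERT = sample_cert(datetime(2019, 1, 1, tzinfo=timezone.utc), datetime(2020, 1, 1, tzinfo=timezone.utc))
```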
