From: Joseph Reynolds <jrey@linux.ibm.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Vernon Mauery <vernon.mauery@linux.intel.com>,
openbmc <openbmc@lists.ozlabs.org>
Subject: Re: SPAKE, DTLS and passwords
Date: Tue, 5 Oct 2021 11:22:34 -0500 [thread overview]
Message-ID: <92a68c9a-beeb-0b2b-6e91-6700eb91c1b5@linux.ibm.com> (raw)
In-Reply-To: <27674.1633446561@localhost>
On 10/5/21 10:09 AM, Michael Richardson wrote:
> Joseph Reynolds <jrey@linux.ibm.com> wrote:
> > On 10/4/21 4:47 PM, Michael Richardson wrote:
> >> Joseph Reynolds <jrey@linux.ibm.com> wrote:
> >> > The planned IPMI over DLTS function will have certificate-based
> >> > authuentication.
> >>
> >> Do you mean that the server will be authenticated with a certificate, or that
> >> it will use mutual authentication?
>
> > I understand this means mutual-TLS.
> > Based on the gerrit design:
> > https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548/4/designs/ipmi-over-dtls.md
>
> So, why is a password needed?
Password-based auth of IPMI over DTLS is wanted to satisfy use cases for
installations who cannot or will not use mTLS.
The OpenBMC security working group notes may not be entirely clear. Here
is the larger context:
- mTLS based authentication of IPMI over DTLS [1] is being designed.
- We are discussing protocols for an *optional* password-based
authentication of IPMI over DTLS.
- Password-based auth of IPMI over DTLS is wanted to satisfy use cases
for users who cannot or will not use mTLS.
- We haven't discussed if password auth will be enabled by default. I
assume there would be a compile-time configuration and there will be a
way to compile it out of the server.
[1]: https://gerrit.openbmc-project.xyz/c/openbmc/docs
-Joseph
>
> > Note that design also says the server will have an identity certificate; same
> > as the HTTPS certificate described in
> > https://github.com/openbmc/bmcweb/blob/master/README.md
>
next prev parent reply other threads:[~2021-10-05 16:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-29 1:35 Security Working Group meeting - Wednesday September 29 Joseph Reynolds
2021-10-04 15:15 ` Joseph Reynolds
2021-10-04 21:47 ` SPAKE, DTLS and passwords Michael Richardson
2021-10-05 14:50 ` Joseph Reynolds
2021-10-05 15:09 ` Michael Richardson
2021-10-05 16:22 ` Joseph Reynolds [this message]
2021-10-05 15:24 ` SPAKE, DTLS and passwords + aPAKE and SCRAM Joseph Reynolds
2021-10-13 20:51 ` Vernon Mauery
2021-10-13 20:51 ` SPAKE, DTLS and passwords Vernon Mauery
2021-10-04 21:49 ` Security Working Group meeting - Wednesday September 29 Michael Richardson
2021-10-04 22:08 ` Bruce Mitchell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=92a68c9a-beeb-0b2b-6e91-6700eb91c1b5@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=mcr@sandelman.ca \
--cc=openbmc@lists.ozlabs.org \
--cc=vernon.mauery@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).