SSL Certificate management proposal.
Hariharasubramanian Ramasubramanian
hramasub at in.ibm.com
Wed Aug 1 23:05:29 AEST 2018
"openbmc" <openbmc-bounces+hramasub=in.ibm.com at lists.ozlabs.org> wrote on
07/31/2018 11:21:27 PM:
> From: Ed Tanous <ed.tanous at intel.com>
> To: Jayanth Othayoth <ojayanth at gmail.com>, openbmc at lists.ozlabs.org,
> bradleyb at fuzziesquirrel.com
> Date: 07/31/2018 11:21 PM
> Subject: Re: SSL Certificate management proposal.
> Sent by: "openbmc" <openbmc-bounces+hramasub=in.ibm.com at lists.ozlabs.org>
>
> On 07/31/2018 07:49 AM, Jayanth Othayoth wrote:
> >
> > The workflow for updating a signed certificate on the BMC consists of:
> > 1. Generating a CSR on the BMC
> > 2. Exporting the CSR from the BMC onto the user's storage device
> > 3. Obtaining a signed certificate corresponding to the CSR from a CA
> > 4. Importing the signed certificate on the BMC
> >
>
> This workflow is somewhat of a non starter for a lot of organizations
> and IT departments.
Could you please share your thoughts on why this is so?
> First, it requires that every BMC have its own
> private key, which isn't always desired.
_Sharing_ the private key is a potential security risk. If the private key
were to be compromised, then _all_ systems sharing the key are exposed.
Hence I'm inclined to argue that the private key should not be shared.
> Second, it means that you either have to be able to specify all
> parameters that a user would want to specify about his key (number of
> bits, EC vs RSA, etc.).
What really is the concern here? What's the challenge in invoking the
REST API with a JSON body describing the key type & size?
> Third, it requires that every BMC be provisioned by the intermediate
> authority, which can be difficult if keys either have a cost associated
> with them, or are difficult to acquire.
The cost considerations could potentially be different for Enterprise
class servers and servers deployed on the cloud? I presume enterprises
would favour security to cost.
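The four-step workflow quoted above, and the two points argued in this reply (a private key that stays on each BMC, and key parameters chosen by the caller the way a REST body would carry them), can be walked through with the openssl CLI. The script below is an added example written for this page; it is not code from the thread or from OpenBMC. It also adds the check a practitioner wants at step 4: the BMC refuses to install a certificate whose public key does not belong to its own private key, which is exactly the failure a shared or mixed-up key would otherwise hide. The directory layout, the function names and the throwaway CA that stands in for the organisation's CA are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBMC. Walks the proposed
# workflow with the openssl CLI: per-BMC key with caller-chosen parameters,
# CSR, signature by a (stand-in) CA, and an import step that refuses a
# certificate for a different key. Paths and function names are assumptions.
set -eu

# Step 1: generate this BMC's own key with the requested parameters, then a CSR.
#   gen_key_and_csr DIR TYPE PARAM CN
#   TYPE is rsa or ec; PARAM is the RSA size in bits or the EC curve name
#   (the two values a REST body describing "key type & size" would carry).
gen_key_and_csr() {
  dir=$1; ktype=$2; param=$3; cn=$4
  mkdir -p "$dir"
  case "$ktype" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$param" \
           -out "$dir/bmc.key" 2>/dev/null ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$param" \
           -out "$dir/bmc.key" 2>/dev/null ;;
    *)   echo "unsupported key type: $ktype" >&2; return 2 ;;
  esac
  chmod 600 "$dir/bmc.key"   # the private key never leaves the BMC
  openssl req -new -key "$dir/bmc.key" -subj "/CN=$cn" -out "$dir/bmc.csr"
}

# Step 2 is exporting $dir/bmc.csr; it carries only the public key.

# Step 3 stand-in: a throwaway CA signs the CSR. In practice this is the
# organisation's CA; the CA is created here only so the example runs offline.
sign_with_test_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl x509 -req -in "$dir/bmc.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/bmc.crt" 2>/dev/null
}

# SHA-256 of the DER public key, taken from a certificate or from a private key.
pubkey_fpr_of_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
pubkey_fpr_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# Step 4: install the certificate only if its public key matches this BMC's key.
#   import_cert DIR CERT  -> 0 when installed, 1 when the certificate is for
#   another key (for example one issued to a different BMC).
import_cert() {
  dir=$1; cert=$2
  if [ "$(pubkey_fpr_of_cert "$cert")" != "$(pubkey_fpr_of_key "$dir/bmc.key")" ]; then
    echo "refusing $cert: public key does not match $dir/bmc.key" >&2
    return 1
  fi
  cp "$cert" "$dir/server.crt"
  echo "installed $dir/server.crt"
}

# Stand-alone run: two BMCs, each with its own key; the certificate issued to
# bmc1 installs on bmc1 and is refused on bmc2.
demo() {
  work=${1:-$(mktemp -d)}
  gen_key_and_csr "$work/bmc1" ec prime256v1 bmc1.example.test
  gen_key_and_csr "$work/bmc2" rsa 2048 bmc2.example.test
  sign_with_test_ca "$work/bmc1"
  import_cert "$work/bmc1" "$work/bmc1/bmc.crt"
  if import_cert "$work/bmc2" "$work/bmc1/bmc.crt"; then
    echo "BUG: certificate for another BMC was accepted" >&2; return 1
  fi
}
demo
```

The fingerprint comparison in `import_cert` is the part worth keeping whatever REST interface ends up in front of it: a CSR that was generated on the BMC guarantees that only this BMC's private key can use the resulting certificate, and checking the public key at import time turns an otherwise silent mismatch into a refused request.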