Security Working Group meeting - this Wednesday February 19 - summary results

Alexander Tereschenko aleksandr.v.tereschenko at
Fri Feb 21 23:19:25 AEDT 2020

On 20-Feb-20 17:26, Patrick Williams wrote:
> Can we put something into bmcweb to detect its own
> certificate has expired and generate a new one?

The idea here is to discourage any prolonged use of the default 
self-signed certs at all, as they don't provide full protection from 
MitM attacks. That's why the 30 days validity period was suggested 
(compared to current 10 years) and discussed during the meeting. Adding 
an auto-regeneration feature would be going directly against that idea, 
so I personally wouldn't vote for that.

> I know self-signed certs aren't great, but the minute I have more than 6
> systems I'm not going to want to follow some "BMC Admin Guide" to update
> certificates by hand.  So we're effectively forcing everyone to develop
> some kind of certificate management infrastructure, without providing
> (or pointing to an existing) implementation.
I'd say that in such context, you'd be using one of the configuration 
management systems (Puppet/Chef/Salt/Ansible/homegrown scripts/whatnot) 
anyway, as that's a standard system administration BKM, so IMHO that's a 
reasonable assumption at the OpenBMC project end that it's not going to 
add any noticeable burden for BMC admins.

More information about the openbmc mailing list