Proposal for the connected redfish client info
Ivan Mikhaylov
i.mikhaylov at yadro.com
Fri Mar 27 03:18:26 AEDT 2020
On Thu, 2020-03-26 at 09:01 -0500, Patrick Williams wrote:
> On Thu, Mar 26, 2020 at 01:54:05PM +0530, Ratan Gupta wrote:
> > > > This confuses me, how are you getting the serial number for a
> > > > connected client? If so, have you looked into data protection laws
> > > > and storing Personally Identifiable Information?
> > >
> > > Client has to give this info, it could be anything like hostname of
> > > the client, serial number of the machine etc, it is up to the client
> > > what they want to provide as part of client identifier.
> > >
> > > Why is it needed?
> > >
> > > Consider the below use case
> > >
> > > => Client(x.x.x.x) creates the session with BMC
> > >
> > > => BMC stores this IP(x.x.x.x)
> > >
> > > => Now say Client IP(x.x.x.x) got changed to y.y.y.y but the session is
> > > still valid.
> > >
> > > => Stored IP(x.x.x.x) will not be much usable here in this scenario
> > >
> > > => Here Client Identifier may be usable to identify the connected client.
> > >
> > > Let me know your thoughts here.
>
> IP addresses are a terrible way of attempting to identify a client
> anyhow. Aren't there hundreds of implementations of authentication
> tokens used in web technologies? Why are we attempting to invent
> something new?
>
> It seems like much of the internet world has coalesced around JWT.
> https://tools.ietf.org/html/rfc7519
>
I agree with Patrick about tokens as identification; IP addresses are not usable
for this purpose.
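
The use case from this thread (a session that stays valid while the client's address changes from x.x.x.x to y.y.y.y), handled with a signed token in the RFC 7519 format. This is an added example, not code from the thread or from OpenBMC; the `client_id` claim name, the key and the addresses are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample secret, held only by the BMC

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(user, client_id, ttl=300, now=None):
    """Mint an HS256 JWT at login; client_id is whatever the client supplied."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "client_id": client_id, "iat": now, "exp": now + ttl}
    body = ".".join(b64e(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + b64e(sign(body))

def verify(token, now=None):
    """Return the claims of a valid, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(sign(head + "." + body), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims if now < claims["exp"] else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

def identify(request, now=None):
    """Identify the caller from the token alone; remote_ip is only for logging."""
    claims = verify(request["token"], now)
    return None if claims is None else (claims["sub"], claims["client_id"])

if __name__ == "__main__":
    token = issue("admin", "host-a.example")  # constructed client identifier
    for ip in ("192.0.2.10", "198.51.100.7"):  # same session, address changed
        print(ip, identify({"remote_ip": ip, "token": token}))
```

The client-supplied identifier is signed at session creation, so it cannot be changed afterwards without invalidating the token, but it is only as trustworthy as what the client chose to send at login.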