Survey for Certificate Management Needs

Richard Hanley rhanley at google.com
Tue May 5 04:04:20 AEST 2020


Hi Everyone,

We've been having a lot of internal discussions about how we want to manage
certificates/credentials on a BMC out of band. I wanted to get an idea
about what we broadly need as a community, and if it matches some of our
needs.

For authentication I see three core requirements:
  1) We need everything supported through mTLS. This is already supported
through in bmcweb.      2) We also need all certificates to be rotated.
This might be supported through Redfish OEM extensions.
  3) Finally we need to support revocations lists. AFIAK, there is no
support for this today.

For authorization we would like to support dynamic role configuration. A
reference implementation for this kind of functionality is Role Based
Access Control (RBAC) in envoy
<https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/rbac/v2/rbac.proto>
.

Finally, I'm expecting we will need an out of band mechanism to talk with
hardware root of trust (e.g. OpenTitan https://opentitan.org/).

I'd be interested to hear how this matches up with other organizations'
needs. I imagine supporting this upstream in Redfish would involve some
changes to the spec, and some changes to bmcweb. So I want to gauge
interest in this beefed up security posture.

Thanks,
Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200504/55544c95/attachment.htm>


More information about the openbmc mailing list