Survey for Certificate Management Needs
Richard Hanley
rhanley at google.com
Tue May 5 08:19:42 AEST 2020
On Mon, May 4, 2020 at 2:21 PM Michael Richardson <mcr at sandelman.ca> wrote:
> Richard Hanley <rhanley at google.com> wrote:
> > 3) Finally we need to
> > support revocation lists. AFAIK, there is no support for this today.
>
> What are the certificates you speak of for?
> If you are talking about HTTPS end-point certificates for bmcweb, then
> there is nothing to do for CRLs, because CRLs aren't a function of the
> HTTPS End-Entity certificate you are worried about.
>
> They are provided by the CA, and it's a problem of the HTTP browser to
> validate.
>
> So I don't understand your CRL point.

I think that CRL becomes more of an issue when communication is
mutually authenticated. If a client is given a certificate from the CA,
then there should be a way for that client's cert to be revoked on a BMC.

> > Finally, I'm expecting we will need an out of band mechanism to talk
> > with hardware root of trust (e.g. OpenTitan https://opentitan.org/).
>
> Possibly.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [