Survey for Certificate Management Needs

Richard Hanley rhanley at google.com
Tue May 5 08:19:42 AEST 2020


On Mon, May 4, 2020 at 2:21 PM Michael Richardson <mcr at sandelman.ca> wrote:

> Richard Hanley <rhanley at google.com> wrote:
>     > 3) Finally we need to
>     > support revocation lists. AFAIK, there is no support for this today.
>
> What are the certificates you speak of for?
> If you are talking about HTTPS end-point certificates for bmcweb, then there
> is nothing to do for CRLs, because CRLs aren't a function of the HTTPS
> End-Entity certificate you are worried about.
>
> They are provided by the CA, and it's a problem of the HTTP browser to
> validate.
>
> So I don't understand your CRL point.
>
>
I think that CRL becomes more of an issue when communication is
mutually authenticated.  If a client is given a certificate from the CA,
then there should be a way for that client's cert to be revoked on a BMC.


>     > Finally, I'm expecting we will need an out of band mechanism to talk
>     > with hardware root of trust (e.g. OpenTitan https://opentitan.org/).
>
> Possibly.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [