SPAKE, DTLS and passwords
Joseph Reynolds
jrey at linux.ibm.com
Wed Oct 6 03:22:34 AEDT 2021
On 10/5/21 10:09 AM, Michael Richardson wrote:
> Joseph Reynolds <jrey at linux.ibm.com> wrote:
> > On 10/4/21 4:47 PM, Michael Richardson wrote:
> >> Joseph Reynolds <jrey at linux.ibm.com> wrote:
> >> > The planned IPMI over DTLS function will have certificate-based
> >> > authentication.
> >>
> >> Do you mean that the server will be authenticated with a certificate, or that
> >> it will use mutual authentication?
>
> > I understand this means mutual-TLS.
> > Based on the gerrit design:
> > https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/31548/4/designs/ipmi-over-dtls.md
>
> So, why is a password needed?
Password-based auth of IPMI over DTLS is wanted to satisfy use cases for
installations who cannot or will not use mTLS.
The OpenBMC security working group notes may not be entirely clear. Here
is the larger context:
- mTLS based authentication of IPMI over DTLS [1] is being designed.
- We are discussing protocols for an *optional* password-based
authentication of IPMI over DTLS.
- Password-based auth of IPMI over DTLS is wanted to satisfy use cases
for users who cannot or will not use mTLS.
- We haven't discussed if password auth will be enabled by default. I
assume there would be a compile-time configuration and there will be a
way to compile it out of the server.
[1]: https://gerrit.openbmc-project.xyz/c/openbmc/docs
-Joseph
>
> > Note that design also says the server will have an identity certificate; same
> > as the HTTPS certificate described in
> > https://github.com/openbmc/bmcweb/blob/master/README.md
>