From: Michael Richardson <mcr@sandelman.ca>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: BMCWeb policy for HTTPS site identity certificate
Date: Sun, 26 Jul 2020 16:35:18 -0400 [thread overview]
Message-ID: <14851.1595795718@localhost> (raw)
In-Reply-To: <d50417a7-3cc2-1674-b4d1-09283c4ddaf5@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 1864 bytes --]
Joseph Reynolds <jrey@linux.ibm.com> wrote:
> Problem:
> BMCWeb apparently treats certificates that are either expired or not valid
> until a future date as unusable (investigation needed). And BMCWeb deletes
> unusable certificates. This can confuse the administrator, especially
> considering the BMC's time-of-day clock may not be set as expected.
> Proposal:
> What certificate management policy should BMCWeb use? Here is an initial
> proposal:
> 1. certificate is perfectly good - Use the certificate.
okay.
> 2. certificate is good but expired or not yet valid - Use the certificate and
> log a warning.
very good.
> 3. certificate is missing or bad format or algorithm too old - Use another
> certificate or self-generate a certificate (and log that action).
> In no case should BMCWeb should delete any certificate.
I think that there is a problem in 3.
"certificate is missing" is pretty much unambiguous.
"bad format" depends a bit upon evolution of libraries.
In particular, a new version of libssl might support some new algorithm, and
then should the firmware be rolled back, it will "bad format".
So I suggest that the certificate+keypair is never deleted, but may be renamed.
I think that we could have a debate about getting telemetry about bad
certificates back via HTTP.
I think that there are some operational considerations relating to
determining root cause that may trump some security issues relating to
telling bad actors whether they have succeeded in damaging a certificate.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
next prev parent reply other threads:[~2020-07-26 20:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-23 15:25 BMCWeb policy for HTTPS site identity certificate Joseph Reynolds
2020-07-26 20:35 ` Michael Richardson [this message]
2020-07-27 15:15 ` Bruce Mitchell
2020-07-27 15:36 ` Ed Tanous
2020-07-28 17:03 ` Michael Richardson
2020-07-29 2:31 ` Ed Tanous
2020-07-27 17:32 ` Patrick Williams
2020-07-28 17:04 ` Michael Richardson
2020-07-29 2:28 ` Ed Tanous
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14851.1595795718@localhost \
--to=mcr@sandelman.ca \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.