On Tue, 2006-09-05 at 22:27 +0000, David Lutterkort wrote:
> On Wed, 2006-08-30 at 13:28 -0600, Jeffrey Law wrote:
> > Dropping the two cert stuff and having the client generate its own
> > persistent cert from the start changes *very* little. In fact,
> > it really just means the server never generates client certs and
> > the client stores the initial cert it generates persistently rather
> > than in a tmpfs. We wouldn't need revoke-on-connect certs which
> > means a little less work for David.
>
> Just to be clear: the temporary certs won't be revoke-on-connect (at
> least, I hadn't planned on adding that functionality to puppet), instead
> they'll have a short time during which they are valid, say 5 minutes,
> and won't ever hit the CRL.
>
> I could add revocation of the temporary certs, but I am a little worried
> about the CRL swelling seriously and having to make sure that expired
> certs get trimmed off the CRL regularly.

I think we're moving away from the temporary cert stuff. About all it's
really buying us is closer adherence to the stateless model. I'm pretty
sure we'll still be able to do everything we want using normal certs for
bootstrapping.

We're still going to need the "expect a cert from host XXX shortly, please
sign it" capability for sites that want unattended installs without blindly
turning on auto-sign.

We're going to be distributing the CA's cert as part of the readonly image
we scribble onto the client disks per Mark's suggestion. That avoids
certain MITM problems.

I think everything else stays as-is. I'm sure I'll be corrected if I've
mis-interpreted anyone's position ;-)

jeff
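The "expect a cert from host XXX shortly, please sign it" capability discussed above sits between fully manual signing and blanket auto-sign: an administrator pre-registers a hostname with a deadline, a CSR for that hostname arriving before the deadline is signed automatically and exactly once, and anything else is left in the queue for a human. The following Ruby sketch of that CA-side policy is an added example for this thread, not Puppet's code; the class and method names (ExpectedHostSigner, register, decide) and the default window are assumptions for illustration, and the decision works on the hostname extracted from the CSR rather than on real X.509 objects.

```ruby
# Added example (not Puppet's own code): CA-side policy for "expect a CSR from
# host X within N seconds, then sign it once". Names are assumptions.

class ExpectedHostSigner
  # Seconds a registered expectation stays valid (assumed default).
  DEFAULT_WINDOW = 15 * 60

  attr_reader :signed, :queued

  # `clock` is injectable so the expiry logic can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @expected = {}   # hostname => deadline (Time)
    @signed = []     # hostnames this policy signed automatically
    @queued = []     # hostnames left for an administrator to sign by hand
  end

  # Administrator action: "a CSR from this host is expected within `window`".
  # Hostnames are case-insensitive in DNS, so normalise before storing.
  def register(hostname, window: DEFAULT_WINDOW)
    @expected[hostname.downcase] = @clock.call + window
  end

  # Drop expectations whose deadline has passed so that a stale entry can
  # never be claimed by whatever shows up with that name much later.
  def prune!
    now = @clock.call
    @expected.delete_if { |_, deadline| deadline < now }
  end

  # Decision for an incoming CSR whose subject names `csr_hostname`.
  # Returns :signed when an unexpired expectation existed, :queued otherwise.
  def decide(csr_hostname)
    prune!
    host = csr_hostname.downcase
    if @expected.key?(host)
      # One-shot: the expectation is consumed, so a second CSR claiming the
      # same name (a duplicate or an impostor) goes to the manual queue.
      @expected.delete(host)
      @signed << host
      :signed
    else
      @queued << host
      :queued
    end
  end

  # Expectations still open, after pruning.
  def pending
    prune!
    @expected.keys
  end
end

if $PROGRAM_NAME == __FILE__
  ca = ExpectedHostSigner.new
  ca.register("web01.example.com", window: 300)
  puts "web01 first CSR:  #{ca.decide('web01.example.com')}"   # :signed
  puts "web01 second CSR: #{ca.decide('web01.example.com')}"   # :queued
  puts "unexpected host:  #{ca.decide('rogue.example.com')}"   # :queued
end
```

Blanket auto-sign is the degenerate case of this policy: every hostname registered with an unbounded window. Keeping the window short and the expectation single-use is what makes it acceptable for unattended installs without handing a certificate to any host that merely asks.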