Re: Puppet Bootstrapping

On Tue, 2006-09-05 at 22:27 +0000, David Lutterkort wrote:
> On Wed, 2006-08-30 at 13:28 -0600, Jeffrey Law wrote:
> > Dropping the two cert stuff and having the client generate its own
> > persistent cert from the start changes *very* little.  In fact,
> > it really just means the server never generates client certs and
> > the client stores the initial cert it generates persistently rather
> > than in a tmpfs.  We wouldn't need revoke-on-connect certs which
> > means a little less work for David.
> 
> Just to be clear: the temporary certs won't be revoke-on-connect (at
> least, I hadn't planned on adding that functionality to puppet), instead
> they'll have a short time during which they are valid, say 5 minutes,
> and won't ever hit the CRL.
> 
> I could add revocation of the temporary certs, but I am a little worried
> about the CRL swelling seriously and having to make sure that expired
> certs get trimmed off the CRL regularly.

I think we're moving away from the temporary cert stuff.  About all
it's really buying us is closer adherence to the stateless model.
I'm pretty sure we'll still be able to do everything we want using
normal certs for bootstrapping.

We're still going to need the "expect a cert from host XXX shortly",
please sign it capability for sites that want unattended installs
without blindly turning on auto-sign.

We're going to be distributing the CA's cert as part of the readonly
image we scribble onto the client disks per Mark's suggestion.  That
avoids certain MITM problems.

I think everything else stays as-is.  I'm sure I'll be corrected if
I've misinterpreted anyone's position ;-)

jeff

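The "expect a cert from host XXX shortly, please sign it" capability Jeff describes is a pre-announced, one-shot, time-limited signing window: an operator registers a hostname ahead of an unattended install, the first CSR from that name inside the window is signed automatically, and everything else (a second CSR under the same name, a CSR after the window closes, a name nobody announced) lands in the pending queue for a human, so blanket auto-sign never has to be turned on. The following is an added illustration of that policy, written for this page and not code from the thread or from Puppet; the `SigningPolicy` class, the ten-minute default window, the hostnames and the timestamps are all constructed for the example, and a CSR is represented only by the subject name it carries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical sign-on-expectation policy (not Puppet's own code).
# An operator pre-announces that a host will present a CSR "shortly";
# only that one CSR, inside the window, is signed without a human.
DEFAULT_WINDOW = timedelta(minutes=10)  # constructed default, not from the thread


@dataclass
class Expectation:
    hostname: str
    expires_at: datetime
    used: bool = False  # one-shot: consumed by the first matching CSR


@dataclass
class SigningPolicy:
    expectations: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)   # CSRs waiting for an operator
    signed: list = field(default_factory=list)    # CSRs signed automatically

    def expect(self, hostname, now, window=DEFAULT_WINDOW):
        """Operator announces that `hostname` will bootstrap within `window`."""
        self.expectations[hostname] = Expectation(hostname, now + window)

    def handle_csr(self, hostname, now):
        """Decide what happens to a CSR whose subject is `hostname`.

        Returns "signed" only when the name was pre-announced, the window
        is still open and no earlier CSR has already consumed the slot;
        every other case returns "pending" and queues the CSR for review.
        """
        exp = self.expectations.get(hostname)
        if exp is not None and not exp.used and now <= exp.expires_at:
            exp.used = True
            self.signed.append(hostname)
            return "signed"
        self.pending.append(hostname)
        return "pending"

    def prune(self, now):
        """Drop consumed or expired expectations so the list never grows unbounded.

        Returns the number of expectations still open afterwards.
        """
        self.expectations = {
            h: e for h, e in self.expectations.items()
            if not e.used and now <= e.expires_at
        }
        return len(self.expectations)


def demo():
    """Walk through the cases the policy has to distinguish (constructed data)."""
    policy = SigningPolicy()
    t0 = datetime(2006, 9, 5, 22, 27, tzinfo=timezone.utc)

    policy.expect("node01.example.com", t0)
    results = {
        # announced, inside the window: signed unattended
        "first_csr": policy.handle_csr("node01.example.com", t0 + timedelta(minutes=3)),
        # same name again: slot already consumed, a human must look
        "duplicate_csr": policy.handle_csr("node01.example.com", t0 + timedelta(minutes=4)),
        # never announced: never signed automatically
        "unannounced_csr": policy.handle_csr("rogue.example.com", t0),
    }
    policy.expect("node02.example.com", t0)
    # announced, but the CSR arrives after the window closed
    results["late_csr"] = policy.handle_csr("node02.example.com", t0 + timedelta(minutes=11))
    results["open_after_prune"] = policy.prune(t0 + timedelta(minutes=12))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The pruning step addresses the same growth concern David raises for the CRL, just on the expectation list instead: consumed and expired entries are removed each time the list is swept, so a site that announces many hosts over months does not accumulate stale entries.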
