Re: Bootstrapping

[Nate Campi]

On Mon, Feb 16, 2004 at 10:28:47AM -0600, Luke A. Kanies wrote:
> 
> Server allowing IP access:
> 
> Unfortunately, cfservd cannot grant connection capabilities based on DNS,
> only on IP addresses.  If you are lucky (or smart) enough to have all of
> your clients on the same IP space without untrusted clients on that space,
> then you can simply trust that space, which works well.  If you are
> unfortunate to have clients scattered to the 9 winds (like my current
> client does) you have to build a long and relatively nasty list of IP
> addresses.

Long term we might not want to marry keys to an IP. There are a lot of
situations where authorized clients wander between many different
netblocks. What if I secure my traveling salespeople's laptops using
UNIX and cfengine? The whole time they're away from the office they
can't connect to my cfengine server. That's bad.

I'd end up having to use ssh/rsync or something if not one some
pre-approved network (easy enough to detect with cfengine), and
re-invent the file copying "wheel" when I want to use cfengine's copying
anyways.

I know Mark thought hard about the decisions he made in this area, but
maybe today's multihomed and wandering machines weren't considered when
making this decision?
-- 
Nate

"The existing phrasebooks are inadequate. They are well enough as far as 
they go, but when you fall down and skin your leg they don't tell you 
what to say." - Samuel Clemens