help-cfengine

Re: Bootstrapping


From: Nate Campi
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 07:36:40 -0800
User-agent: Mutt/1.3.28i

On Wed, Feb 18, 2004 at 09:59:48AM +0100, address@hidden wrote:
> 
> I think this sounds a bit too scary for me. It makes all hosts
> who have connected previously "equal" in security terms.
> I shall give it some thought.

I certainly don't think my suggestion is a great solution, just the
simplest that came to mind.

Think about how you'd solve this problem: you want to offer a cfengine
policy server and fileserver to the internet at large.

You have working basic configurations for all the UNIXes you know about,
to do simple securing. Small businesses or individuals can install
cfengine, grab your public key and an update.conf and rely on you to
keep their machine secured in a general manner (file perms, disable
services). Paying customers get a server that's updated with security
patches instead of the basic stuff the free server does, and available
customization.

The short answer is that cfengine wasn't designed for such a scenario,
that the trust relationships won't work. 

This problem has been solved already with PKI, it's a matter of whether
it's warranted to refit cfengine with an additional trust model. I could
have my own CA, issue certs over HTTPS when clients sign up, or however
it makes sense to issue them.

I have good assurance that the IPSec gateway on the other end of my ESP
tunnel is the device I think it is, due to PKI, and I'm not stuck with
all the restrictions of IPs and DNS domains that cfengine places on me.
I want the same flexibility in cfengine that I have with IPSec.

P.S. Ignore the technical issues with supplying generalized cfengine
configs to the public, that's not the point here.

P.P.S. I'm not a PKI expert, I might be overlooking something basic
about it. The point is that these things are done with other security
protocols already.
-- 
Nate

"If you torture the data enough, it will confess."    - Ronald Coase. 




