help-cfengine

Re: Bootstrapping


From: Mark . Burgess
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 17:59:36 +0100 (MET)

> The short answer is that cfengine wasn't designed for such a scenario,
> that the trust relationships won't work. 
> 
> This problem has been solved already with PKI, it's a matter of whether
> it's warranted to refit cfengine with an additional trust model. I could
> have my own CA, issue certs over HTTPS when clients sign up, or however
> it makes sense to issue them.

I don't think PKI solves anything in a mobile environment. 
You are just having to trust someone else to tell you 
something that isn't certain. It doesn't help. No, this is a
rather deep problem actually.

A fingerprint model is a possibility but then you have the
issue of how to refer to the owners of those keys in the
admit: ACLs. If you cannot know the IP address, then how do
you do access control? Using random fingerprints would be
very cumbersome to maintain.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




