help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bootstrapping


From: Mark . Burgess
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 17:59:36 +0100 (MET)

> The short answer is that cfengine wasn't designed for such a scenario,
> that the trust relationships won't work. 
> 
> This problem has been solved already with PKI, it's a matter of whether
> it's warranted to refit cfengine with an additional trust model. I could
> have my own CA, issue certs over HTTPS when clients sign up, or however
> it makes sense to issue them.

I don't think PKI solves anything in a mobile environment. 
You are just having to trust someone else to tell you 
something that isn't certain. It doesn't help. No this is a
rather deep problem actually. 

A fingerprint model is a possibilty but then you have the
issue of how to refer to the owners of those keys in the
admit: ACLs. If you cannot know the IP address, then how do
you do access control? Using random fingerprints would be
very cumbersome to maintain.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





reply via email to

[Prev in Thread] Current Thread [Next in Thread]