Hi Noriko,

I've read the changelog encryption design document. Indeed, it's a sound idea to make AD-389 replication more robust. I have two questions about it:

* If I understand correctly, you say that the server needs a certificate in order to generate the symmetric key. Is this key generated only once? I mean, if we change the expired server certificate, it won't trigger the symmetric key regeneration?

* The replication changelog that contains the mixed entries (cleartext, encrypted 3DES, encrypted AES, etc.) - is it still readable by the server? Does each changelog entry contain a flag that describes whether the entry is cleartext/AES/3DES? Can the server "detect" in any other way whether the changelog entry is encrypted and, if yes, with what type of cipher?

Thank you

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel