On Nov 26, 2007 8:11 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> I was thinking about the funcd->certmaster interaction this weekend and
> the problem we have with the localhostname that the system gets being
> nothing the certmaster can really use or care about sensibly - for
> example: somehostname.localdomain uncd ->
>
> it ends up meaning we have a system which can get a signed cert but we
> cannot connect to from the certmaster using func b/c we don't have a
> connectable hostname.
>
> With that in mind I was wondering if it wouldn't make sense to have the
> funcd->certmaster interaction be more involved:
>
> funcd -> startup
> funcd -> knock, knock, certmaster
> funcd -> who am I?
> certmaster -> I see you as foo.bar.org
> funcd -> here's my csr for foo.bar.org
> certmaster -> thanks
>
> later after the sysadmin signs the csr
>
> funcd -> knock, knock, certmaster
> funcd -> who am I?
> certmaster -> I see you as foo.bar.org
> funcd -> here's my csr for foo.bar.org
> certmaster -> yes, good, here's the cert for you, foo.bar.org.
> funcd -> great, we're done.
>
> That way we know that the ip/name that the certmaster is seeing on the
> connect is the same one that funcd is using in its cert.
>
> Now, obvious problem here is NAT - but that was going to be a problem
> anyway afaik.
>
> thoughts on this?

DHCP would also be an issue, correct?

------ First Case -----

funcd0 -> landshark mitm -> certmaster
    knock, knock, certmaster
certmaster -> landshark mitm -> funcd0
    I see you as lshark.bar.org
funcd0 -> landshark mitm -> certmaster
    here's my csr for lshark.bar.org
certmaster -> landshark mitm -> funcd0
    Cool, here's your cert.
funcd0 -> landshark mitm -> certmaster
    Great, we're done.

funcd1 -> landshark mitm -> certmaster
    knock, knock, certmaster
certmaster -> landshark mitm -> funcd1
    I see you as lshark.bar.org
funcd1 -> landshark mitm -> certmaster
    here's my csr for lshark.bar.org

???? what happens then ????

------ Second Case -----

funcd0-DHCP0 -> certmaster
    knock, knock, certmaster
certmaster -> funcd0-DHCP0
    I see you as lshark.bar.org
funcd0-DHCP0 -> certmaster
    here's my csr for lshark.bar.org
certmaster -> funcd0-DHCP0
    Cool, here's your cert.
funcd0-DHCP0 -> certmaster
    Great, we're done.

funcd1-DHCP0 -> certmaster
    knock, knock, certmaster
certmaster -> funcd1-DHCP0
    I see you as lshark.bar.org
funcd1-DHCP0 -> certmaster
    here's my csr for lshark.bar.org

????

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
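The exchange proposed in the quoted mail and the two collision cases raised in the reply, replayed as an added example. This is illustrative code written for this page, not func or certmaster source: the reverse-DNS table, the addresses, the key fingerprints and the "conflict" policy applied when a second key asks for an already-certified name are all assumptions, chosen to make the "???? what happens then ????" step visible rather than to describe what certmaster actually did.

```python
# Added example: a toy model of the funcd <-> certmaster exchange sketched in
# the thread above.  Illustrative code written for this page, not func or
# certmaster source; the reverse-DNS table, the conflict policy and every
# name/address in it are assumptions.
import hashlib


class CertMaster:
    """Certmaster side: names a client by the address it connects from."""

    def __init__(self, reverse_dns):
        # Constructed reverse-DNS table: peer address -> the name the master
        # sees.  In the thread this is the "I see you as foo.bar.org" step.
        self.reverse_dns = reverse_dns
        # Name -> fingerprint of the key that currently holds a cert for it.
        self.issued = {}

    def who_am_i(self, peer_ip):
        # Assumed fallback: with no reverse record, the literal address is the
        # only connectable name the master has.
        return self.reverse_dns.get(peer_ip, peer_ip)

    def submit_csr(self, peer_ip, csr):
        """Return (status, detail); status is one of issued/reject/conflict."""
        seen = self.who_am_i(peer_ip)
        if csr["cn"] != seen:
            # The CSR name must be the name the master can connect back to.
            return ("reject", f"CSR names {csr['cn']} but I see you as {seen}")
        holder = self.issued.get(seen)
        if holder is None:
            self.issued[seen] = csr["key_fp"]
            return ("issued", f"cert for {seen}")
        if holder == csr["key_fp"]:
            # Same key re-enrolling (funcd restarted): harmless re-issue.
            return ("issued", f"re-issued cert for {seen}")
        # Assumed policy for the "???? what happens then ????" case: a second
        # key asking for a name that is already certified is flagged rather
        # than silently replacing the first holder.
        return ("conflict", f"{seen} already certified under a different key")


class Funcd:
    """Client side: asks the master what it is called, then requests that name."""

    def __init__(self, key_material):
        # Stand-in for the client key pair: a fingerprint of constructed bytes.
        self.key_fp = hashlib.sha256(key_material.encode()).hexdigest()[:16]

    def enroll(self, master, peer_ip):
        # peer_ip is the address the master observes (the MITM's or the DHCP
        # lease's, not necessarily the client's own idea of its address).
        name = master.who_am_i(peer_ip)
        return master.submit_csr(peer_ip, {"cn": name, "key_fp": self.key_fp})


def run_scenarios():
    """Replay the thread's two cases plus a normal enrolment; return statuses."""
    master = CertMaster({"10.0.0.5": "lshark.bar.org", "10.0.0.7": "foo.bar.org"})
    funcd0, funcd1 = Funcd("funcd0-key"), Funcd("funcd1-key")
    results = {}
    # First case: both clients reach the master through the landshark, so the
    # master sees 10.0.0.5 (lshark.bar.org) for each of them.
    results["funcd0_via_mitm"] = funcd0.enroll(master, "10.0.0.5")[0]
    results["funcd0_restart"] = funcd0.enroll(master, "10.0.0.5")[0]
    results["funcd1_via_mitm"] = funcd1.enroll(master, "10.0.0.5")[0]
    # The second case looks identical from the master's side: a DHCP lease
    # for 10.0.0.5 moving from funcd0 to funcd1 presents the same address
    # twice under two different keys, so it lands in the same branch.
    # Normal case: funcd1 on its own connectable address.
    results["funcd1_own_addr"] = funcd1.enroll(master, "10.0.0.7")[0]
    # A CSR for a name the master does not see the client as is refused.
    bogus = {"cn": "lshark.bar.org", "key_fp": funcd1.key_fp}
    results["name_mismatch"] = master.submit_csr("10.0.0.7", bogus)[0]
    return results


if __name__ == "__main__":
    for case, status in run_scenarios().items():
        print(f"{case:18s} {status}")
```

The model makes the reply's point concrete: the "I see you as" step binds the certificate name to whatever address the master observes, so anything that makes two hosts appear from one address (a MITM relay, a reused DHCP lease, the NAT the original mail already mentions) yields two keys contending for one name, and the master has to decide that case explicitly.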