On Mon, 2007-11-26 at 14:50 -0700, Stephen John Smoogen wrote:
> On Nov 26, 2007 8:11 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> > I was thinking about the funcd->certmaster interaction this weekend and
> > the problem we have with the localhostname that the system gets being
> > nothing the certmaster can really use or care about sensibly - for
> > example: somehostname.localdomain
> >
> > it ends up meaning we have a system which can get a signed cert but we
> > cannot connect to from the certmaster using func b/c we don't have a
> > connectable hostname.
> >
> > With that in mind I was wondering if it wouldn't make sense to have the
> > funcd->certmaster interaction be more involved:
> >
> > funcd -> startup
> > funcd -> knock, knock, certmaster
> > funcd -> who am I?
> > certmaster -> I see you as foo.bar.org
> > funcd -> here's my csr for foo.bar.org
> > certmaster -> thanks
> >
> > later after the sysadmin signs the csr
> >
> > funcd -> knock, knock, certmaster
> > funcd -> who am I?
> > certmaster -> I see you as foo.bar.org
> > funcd -> here's my csr for foo.bar.org
> > certmaster -> yes, good, here's the cert for you, foo.bar.org.
> > funcd -> great, we're done.
> >
> > That way we know that the ip/name that the certmaster is seeing on the
> > connect is the same one that funcd is using in its cert.
> >
> > Now, obvious problem here is NAT - but that was going to be a problem
> > anyway afaik.
> >
> > thoughts on this?
>
> DHCP would also be an issue correct?
>
> funcd0 -> landshark mitm -> certmaster   knock, knock, certmaster
> certmaster -> landshark mitm -> funcd0   I see you as lshark.bar.org
> funcd0 -> landshark mitm -> certmaster   here's my csr for lshark.bar.org
> certmaster -> landshark mitm -> funcd0   Cool, here's your cert.
> funcd0 -> landshark mitm -> certmaster   Great, we're done.
>
> funcd1 -> landshark mitm -> certmaster   knock, knock, certmaster
> certmaster -> landshark mitm -> funcd1   I see you as lshark.bar.org
> funcd1 -> landshark mitm -> certmaster   here's my csr for lshark.bar.org
> ???? what happens then ????
>
> ------ Second Case -----
>
> funcd0-DHCP0 -> certmaster   knock, knock, certmaster
> certmaster -> funcd0-DHCP0   I see you as lshark.bar.org
> funcd0-DHCP0 -> certmaster   here's my csr for lshark.bar.org
> certmaster -> funcd0-DHCP0   Cool, here's your cert.
> funcd0-DHCP0 -> certmaster   Great, we're done.
>
> funcd1-DHCP0 -> certmaster   knock, knock, certmaster
> certmaster -> funcd1-DHCP0   I see you as lshark.bar.org
> funcd1-DHCP0 -> certmaster   here's my csr for lshark.bar.org
> ????

If the hostname is changing randomly there's not going to be a way to
contact the host via func, anyway. So that use case is kinda moot. Think
of it the same way as having a webserver which is randomly changing its
ip address and hostname. You're sol on consistently contacting the
webserver and you'll know for damned sure the ssl certs won't match. :)

If another box submits the same csr for lshark.bar.org as the certmaster
got originally it will hand it back the proper cert. If the csr is NOT
the same then it will belch out an error and tell the asking box to go
die.

does that make sense?

-sv
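A small model of the exchange proposed above and of the CSR rule in the reply, added here as an example and not func's or certmaster's own code: certmaster names the client by the reverse name of the address it connects from (a constructed table stands in for that lookup), accepts a CSR only for that name, and for a name already on file hands back the existing cert when the CSR is byte-identical and rejects it otherwise. Rejecting a differing CSR while the first one is still waiting to be signed is my assumption, not something the thread states.

```python
import hashlib

# Constructed reverse-DNS table standing in for the name certmaster would
# derive from the connecting socket (sample data, not func's own code).
REVERSE_DNS = {"10.0.0.5": "foo.bar.org", "10.0.0.9": "lshark.bar.org"}


class CertMaster:
    """Toy model of the proposed exchange: certmaster names the client by the
    address it connects from, and only ever accepts one CSR per such name."""

    def __init__(self):
        self.pending = {}  # name -> CSR waiting for the sysadmin to sign
        self.signed = {}   # name -> (CSR, cert) already issued

    def who_am_i(self, peer_ip):
        # "I see you as ...": the connect-side name, not the client's own idea
        return REVERSE_DNS.get(peer_ip, peer_ip)

    def submit_csr(self, peer_ip, csr_name, csr_body):
        name = self.who_am_i(peer_ip)
        if csr_name != name:
            return ("reject", "csr is for %s but you connect as %s" % (csr_name, name))
        if name in self.signed:
            stored_csr, cert = self.signed[name]
            if stored_csr == csr_body:
                return ("cert", cert)  # same box asking again after signing
            return ("reject", "different csr already on file for %s" % name)
        if name in self.pending and self.pending[name] != csr_body:
            return ("reject", "different csr already pending for %s" % name)  # assumption
        self.pending[name] = csr_body
        return ("pending", name)  # nothing issued until the sysadmin signs

    def sign(self, name):
        csr = self.pending.pop(name)
        fp = hashlib.sha256(csr.encode()).hexdigest()[:16]
        cert = "CERT(%s,%s)" % (name, fp)  # placeholder for a real signed cert
        self.signed[name] = (csr, cert)
        return cert


def scenario():
    cm = CertMaster()
    first = cm.submit_csr("10.0.0.9", "lshark.bar.org", "CSR-funcd0")  # pending
    cm.sign("lshark.bar.org")                                          # sysadmin
    again = cm.submit_csr("10.0.0.9", "lshark.bar.org", "CSR-funcd0")  # cert
    other = cm.submit_csr("10.0.0.9", "lshark.bar.org", "CSR-funcd1")  # reject
    wrong = cm.submit_csr("10.0.0.9", "foo.bar.org", "CSR-funcd0")     # reject
    return first[0], again[0], other[0], wrong[0]
```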