On Mon, 2023-08-28 at 22:07 +0100, Richard Hughes wrote: > On Mon, 28 Aug 2023 at 21:50, Simo Sorce <simo@xxxxxxxxxx> wrote: > > It could be improved by using TOFU, so that the window of impersonation > > is small, but requires clients to cache an association and then has > > weird failure modes to be dealt with if one of the actors get re-imaged > > or changes the cert for any reason. > > I was thinking of implementing TOFU; good idea or bad idea? That depends on how you are going to handle re-installs of peers in the network where the certificate will start mismatching ... How do you handle certificate expiration ? Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
