Re: Adding Passim as a Fedora 40 feature?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Monday, 28 August 2023 22:07:50 BST Richard Hughes wrote:
> On Mon, 28 Aug 2023 at 21:50, Simo Sorce <simo@xxxxxxxxxx> wrote:
> > It could be improved by using TOFU, so that the window of impersonation
> > is small, but requires clients to cache an association and then has
> > weird failure modes to be dealt with if one of the actors get re-imaged
> > or changes the cert for any reason.
> I was thinking of implementing TOFU; good idea or bad idea?
> Richard.

What identity do you attach the "first use" to, and how do you discover that 
the identify is expected to have a certificate change?

In the SSH use case, the identity is the host name, and if the host name is 
expected to rekey, then the user is told that there's an issue and has to 
manually intervene.

With this use case, I can't see how I tell you that there's been an expected 
rekeying event - nor am I clear on how I'd work out that a change of key is 
expected so that I can tell you to permit a rekey.
Simon Farnsworth

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux