08-23-2011, 03:47 AM
Charles Plessy

Looking for seconds to add the Amazon EC2 public certificate in ca-certificates.

severity 597537 normal
thanks

Dear all,

as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
additional signed recommendations for the addition of the Amazon Elastic
Computer Cloud (EC2) public certificate to the ca-certificates packages.

In Ubuntu it is distributed in the euca2ools packages, that I co-maintain in
Debian, but for the following reasons I think that ca-certificates would be a
better place.

- The original upstream sources of euca2ools do not contain the certificate.
- The Upstream of euca2ools, Eucalyptus, and the provider of the EC2, Amazon,
are not the same company.
- The use of the certificate is not limited to euca2ools.

I attached a copy of the certificate. It is used to bundle machine images
for the EC2. I have not found a web page dedicated to its description.

SHA1 Fingerprint=D3:27:BA:A0:F83:EE:9C:BB:3C:FB:FE:3B:52:65:A8:40:53:5D:0D

It was downloaded from http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip

Although the files in this archive are distributed under the non-free Amazon
Software License (http://aws.amazon.com/asl/), I think that public certificate
is not subject to a licence, since it is not the product of an intellectual
work.

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan
 
08-23-2011, 03:56 AM
Russ Allbery

Charles Plessy <plessy@debian.org> writes:

> as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
> additional signed recommendations for the addition of the Amazon Elastic
> Computer Cloud (EC2) public certificate to the ca-certificates packages.

As someone not particularly familiar with the details of how certs work
inside EC2, my main question would be: what's the signing policy used by
the holder of the private key for this certificate?

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87r54cok54.fsf@windlord.stanford.edu
 
08-23-2011, 09:51 AM
Joachim Breitner

Hi,

On Tuesday, 23.08.2011, at 12:47 +0900, Charles Plessy wrote:
> Although the files in this archive are distributed under the non-free Amazon
> Software License (http://aws.amazon.com/asl/), I think that public certificate
> is not subject to a licence, since it is not the product of an intellectual
> work.

I think the preferred form of modification for a, say, RSA certificate
is the two prime numbers that were used to generate the key pair. Are
they included in the package?

(SCNR)
Joachim

--
Joachim "nomeata" Breitner
Debian Developer
nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
 
08-23-2011, 05:23 PM
Michael Shuler

On 08/22/2011 10:56 PM, Russ Allbery wrote:
> Charles Plessy <plessy@debian.org> writes:
>
>> as per /usr/share/doc/ca-certificates/README.Debian, I am looking for
>> additional signed recommendations for the addition of the Amazon Elastic
>> Computer Cloud (EC2) public certificate to the ca-certificates packages.
>
> As someone not particularly familiar with the details of how certs work
> inside EC2, my main question would be: what's the signing policy used by
> the holder of the private key for this certificate?

This is also my question - is this a CA that will be verifying and
signing other certs? (I'll try to dig on the same info, as well)

For the record, I intend to adopt ca-certificates relatively soon, as I
have not heard back from the previous ITA poster in a few weeks. The
package needs some TLC and I have some updates already queued up, but
not pushed to my git repo, yet :-)

--
Kind regards,
Michael
 
08-23-2011, 08:34 PM
Miguel Landaeta

On Tue, Aug 23, 2011 at 12:53 PM, Michael Shuler <michael@pbandjelly.org> wrote:
> This is also my question - is this a CA that will be verifying and
> signing other certs? (I'll try to dig on the same info, as well)

AFAIK, this certificate is only used to encrypt your AMIs and transfer them
securely to Amazon. In this way only you and Amazon know about the content
of your AMI, Amazon needs this in order to launch your AMIs in their cloud.

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche


--
Archive: http://lists.debian.org/CAHUk4kzcCDW6GBoqkrTeJTcyoKuhyRu5D+5Z=pbpdYB1bt_P7A@mail.gmail.com
 
08-23-2011, 08:54 PM
Russ Allbery

Miguel Landaeta <miguel@miguel.cc> writes:
> Michael Shuler <michael@pbandjelly.org> wrote:

>> This is also my question - is this a CA that will be verifying and
>> signing other certs? (I'll try to dig on the same info, as well)

> AFAIK, this certificate is only used to encrypt your AMIs and transfer them
> securely to Amazon. In this way only you and Amazon know about the content
> of your AMI, Amazon needs this in order to launch your AMIs in their cloud.

Hm, then it's not actually a CA, is it?

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
Archive: http://lists.debian.org/87fwkrzw4y.fsf@windlord.stanford.edu
 
08-23-2011, 09:58 PM
graziano obertelli

On 08/23/2011 01:54 PM, Russ Allbery wrote:
> Miguel Landaeta <miguel@miguel.cc> writes:
>> Michael Shuler <michael@pbandjelly.org> wrote:
>
>>> This is also my question - is this a CA that will be verifying and
>>> signing other certs? (I'll try to dig on the same info, as well)
>
>> AFAIK, this certificate is only used to encrypt your AMIs and transfer them
>> securely to Amazon. In this way only you and Amazon know about the content
>> of your AMI, Amazon needs this in order to launch your AMIs in their cloud.
>
> Hm, then it's not actually a CA, is it?
>

My understanding is that it is used only when using SOAP to communicate
with AWS. If a tool is going to use REST instead, it is not used. Thus
it is not a CA, and it is used only by fewer tools (REST seems more
popular lately).

I think most of the euca2ool calls are not converted to REST. Not sure
how many SOAP calls are leftover.

cheers
graziano

--
Graziano Obertelli
Eucalyptus Systems, Inc.


--
Archive: http://lists.debian.org/4E5422A0.1030302@eucalyptus.com
 
08-23-2011, 10:06 PM
Miguel Landaeta

On Tue, Aug 23, 2011 at 4:24 PM, Russ Allbery <rra@debian.org> wrote:
> Hm, then it's not actually a CA, is it?

I'm afraid it is not a CA or it is not used as a CA by Amazon Web
Services users. However, it is necessary in order to use effectively those
web services.

If it is not reasonable to include this certificate in ca-certificates maybe
it could belong to a cloud computing generic utils package.

I'm a little bit off-topic already but IMO, there is a need for that in Debian.
#592550 is another example of that.

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche


--
Archive: http://lists.debian.org/CAHUk4kwCMqyTx7kuuU0S-AH0bM3QwV+usE72KpXHGRC2wnCneA@mail.gmail.com
 
08-23-2011, 10:34 PM
Russ Allbery

Miguel Landaeta <miguel@miguel.cc> writes:
> On Tue, Aug 23, 2011 at 4:24 PM, Russ Allbery <rra@debian.org> wrote:

>> Hm, then it's not actually a CA, is it?

> I'm afraid it is not a CA or it is not used as a CA by Amazon Web
> Services users. However, it is necessary in order to use effectively
> those web services.

> If it is not reasonable to include this certificate in ca-certificates
> maybe it could belong to a cloud computing generic utils package.

Could you explain more about how the certificate is used? I'm trying to
understand if it gains any benefit from the extra certificate handling
done by ca-certificates, specifically its inclusion in an OpenSSL-hashed
directory, or if it just needs to be in some package somewhere so that it
can be referenced by other software.

It seems strange to include a non-CA certificate in ca-certificates; we
may need a different sort of infrastructure to handle things like this.
(And I think it would be a bit questionable to trust any certificate
signed by that certificate in a web browser, say, which is what would
happen if it were just included in ca-certificates.)

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
Archive: http://lists.debian.org/87r54bycxv.fsf@windlord.stanford.edu
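
The check Russ's message above points at, as an added example that is not part of the thread: before a certificate goes into an OpenSSL-hashed trust directory, confirm it asserts CA:TRUE and compare its fingerprint with one obtained out of band. The certificates are generated on the spot, the function names are illustrative, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example. Certificates are constructed on the spot; function names
# are illustrative, not part of ca-certificates.

# make_cert DIR NAME TRUE|FALSE: self-signed cert with explicit basicConstraints.
make_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-$2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# is_ca CERT: succeeds only if the certificate asserts CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# sha1_fp CERT: colon-separated SHA-1 fingerprint, to compare with a value
# obtained out of band.
sha1_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# hashed_name CERT: link name the cert would get in a hashed (-CApath) directory.
hashed_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# review CERT: one-line verdict for a trust-store candidate.
review() {
    if is_ca "$1"; then
        echo "CA $(sha1_fp "$1") would be linked as $(hashed_name "$1")"
    else
        echo "NOT-CA $(sha1_fp "$1") belongs outside the trust store"
    fi
}

tmp=$(mktemp -d)
make_cert "$tmp" encrypt-only FALSE && review "$tmp/encrypt-only.pem"
make_cert "$tmp" root TRUE && review "$tmp/root.pem"
rm -rf "$tmp"
```

On Debian the hashed directory in question is /etc/ssl/certs, which update-ca-certificates maintains.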
 
08-24-2011, 11:40 AM
Stefano Rivera

Hi Miguel (2011.08.23_22:34:47_+0200)
> AFAIK, this certificate is only used to encrypt your AMIs and transfer them
> securely to Amazon. In this way only you and Amazon know about the content
> of your AMI, Amazon needs this in order to launch your AMIs in their cloud.

That's what I've heard (although non-definitively) from someone who used
to maintain ec2-ami-tools for Amazon.

And as Russ asked:
> Hm, then it's not actually a CA, is it?

Correct. It's just some public key material for encryption.

SR

--
Stefano Rivera
http://tumbleweed.org.za/
H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127


--
Archive: http://lists.debian.org/20110824114028.GK1738@bach.rivera.co.za
 
