08-21-2008, 06:44 PM
Toshio Kuratomi
securing FAS certs

Hey bright idea bringers!

The Fedora Certificates issued by FAS are currently set to be
autogenerated if you have an account in FAS. This has one drawback. We
have to keep the password for the CA keys that sign the FAS certificates
in a file on the filesystem so that the automatic signing can use them.


Has anyone else had to confront this problem? Right now I'm thinking of
coding something that involves human interaction to sign the certs and
send email notifying people when their cert is ready to download.
That's certainly doable, but introduces a wait time that isn't in the
current design. I'd love input on better ways to do this.


-Toshio

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
08-21-2008, 07:18 PM
Jeffrey Ollie
securing FAS certs

2008/8/21 Toshio Kuratomi <a.badger@gmail.com>:
>
> The Fedora Certificates issued by FAS are currently set to be autogenerated
> if you have an account in FAS. This has one drawback. We have to keep the
> password for the CA keys that sign the FAS certificates in a file on the
> filesystem so that the automatic signing can use them.
>
> Has anyone else had to confront this problem? Right now I'm thinking of
> coding something that involves human interaction to sign the certs and send
> email notifying people when their cert is ready to download. That's
> certainly doable, but introduces a wait time that isn't in the current
> design. I'd love input on better ways to do this.

What about using a crypto card like Jesse plans on using for Sigul?

Jeff

 
08-21-2008, 07:21 PM
Mike McGrath
securing FAS certs

On Thu, 21 Aug 2008, Jeffrey Ollie wrote:

> 2008/8/21 Toshio Kuratomi <a.badger@gmail.com>:
> >
> > The Fedora Certificates issued by FAS are currently set to be autogenerated
> > if you have an account in FAS. This has one drawback. We have to keep the
> > password for the CA keys that sign the FAS certificates in a file on the
> > filesystem so that the automatic signing can use them.
> >
> > Has anyone else had to confront this problem? Right now I'm thinking of
> > coding something that involves human interaction to sign the certs and send
> > email notifying people when their cert is ready to download. That's
> > certainly doable, but introduces a wait time that isn't in the current
> > design. I'd love input on better ways to do this.
>
> What about using a crypto card like Jesse plans on using for Sigul?
>

I've never actually used a crypto card... Do they add additional security
if they're sitting in a colo always plugged in? If so how do they do
that?

-Mike

 
08-21-2008, 07:25 PM
Jeffrey Ollie
securing FAS certs

On Thu, Aug 21, 2008 at 2:21 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> On Thu, 21 Aug 2008, Jeffrey Ollie wrote:
>> What about using a crypto card like Jesse plans on using for Sigul?
>
> I've never actually used a crypto card... Do they add additional security
> if they're sitting in a colo always plugged in? If so how do they do
> that?

I'm not sure either, but the impression that I get is that while you
can get the crypto card to sign certificates, you can't extract the
private key from it.

Jeff

 
08-21-2008, 07:34 PM
Ricky Zhou
securing FAS certs

On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
> I've never actually used a crypto card... Do they add additional security
> if they're sitting in a colo always plugged in? If so how do they do
> that?
I might be wrong, but I think with such a card, encryption/signing takes
place entirely on the card, and thus the secret key is never transferred
anywhere off the card.

Thanks,
Ricky
 
08-21-2008, 07:40 PM
Mike McGrath
securing FAS certs

On Thu, 21 Aug 2008, Ricky Zhou wrote:

> On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
> > I've never actually used a crypto card... Do they add additional security
> > if they're sitting in a colo always plugged in? If so how do they do
> > that?
> I might be wrong, but I think with such a card, encryption/signing takes
> place entirely on the card, and thus the secret key is never transferred
> anywhere off the card.
>

Ah, so the theory being that if someone happens to hit us, they're only
hitting us for as long as the machine is up / card is in. And I assume
the card actually tracks serial numbers and things so we can revoke
anything that was signed in a questionable time?

-Mike

 
08-21-2008, 08:22 PM
Toshio Kuratomi
securing FAS certs

Mike McGrath wrote:
> On Thu, 21 Aug 2008, Ricky Zhou wrote:
>
>> On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
>>> I've never actually used a crypto card... Do they add additional security
>>> if they're sitting in a colo always plugged in? If so how do they do
>>> that?
>> I might be wrong, but I think with such a card, encryption/signing takes
>> place entirely on the card, and thus the secret key is never transferred
>> anywhere off the card.
>
> Ah, so the theory being that if someone happens to hit us, they're only
> hitting us for as long as the machine is up / card is in. And I assume
> the card actually tracks serial numbers and things so we can revoke
> anything that was signed in a questionable time?

That seems like it would work well. Jesse's been having troubles
obtaining the card he wants, though (and his is a gpg card, not for ssl
certificates).

The big thing might be having open source drivers.

-Toshio

 
08-22-2008, 08:06 PM
David Lutterkort
securing FAS certs

On Thu, 2008-08-21 at 14:18 -0500, Jeffrey Ollie wrote:
> What about using a crypto card like Jesse plans on using for Sigul?

I wonder if a TPM can be (ab)used for this, too; they are pretty common
on newer hardware, and store a key in HW that can not be extracted.

Not sure though if anybody has looked at using it to sign SSL certs, and
especially at keeping logs of what was signed in a way that makes it
impossible to tamper with those logs, e.g. to hide the signing of some
certs.

David


 
08-22-2008, 08:53 PM
Mike McGrath
securing FAS certs

On Fri, 22 Aug 2008, David Lutterkort wrote:

> On Thu, 2008-08-21 at 14:18 -0500, Jeffrey Ollie wrote:
> > What about using a crypto card like Jesse plans on using for Sigul?
>
> I wonder if a TPM can be (ab)used for this, too; they are pretty common
> on newer hardware, and store a key in HW that can not be extracted.
>
> Not sure though if anybody has looked at using it to sign SSL certs, and
> especially at keeping logs of what was signed in a way that makes it
> impossible to tamper with those logs, e.g. to hide the signing of some
> certs.
>

Possibly. I was looking earlier too for something like ssh-agent or gpg
agent to serve this purpose... Haven't seen anything. Which.. well
strikes me as strange. It'd be a software way to do what we're talking
about.

-Mike

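The software agent Mike is describing, as an added example that is not code from the thread or from FAS: a process that keeps the CA key only in its own memory and exposes nothing but sign(), records every issuance in a hash-chained log (the tamper-evident record David asked about), and can list the serials signed inside a questionable window for revocation. The HMAC standing in for the X.509 signature, the log layout and all names are assumptions.

```python
import hashlib
import hmac
import json
import time
GENESIS = "0" * 64  # chain anchor for the first log entry

def _hash_entry(entry):
    # Hash every field except the entry's own hash, in a canonical encoding.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SigningAgent:
    """Keeps the CA key only inside this process (like ssh-agent) and exposes
    sign(); every issuance goes into a hash-chained log, so editing or deleting
    an entry breaks the chain for all later entries."""

    def __init__(self, ca_key):
        self._ca_key = ca_key  # no method ever returns this
        self.log = []
        self._next_serial = 1

    def sign(self, subject, csr, now=None):
        issued_at = time.time() if now is None else now
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        csr_digest = hashlib.sha256(csr).hexdigest()
        # Stand-in for the X.509 signature (hypothetical keyed MAC over the
        # issued fields); a real CA would sign the certificate body here.
        to_sign = f"{serial}|{subject}|{csr_digest}".encode()
        signature = hmac.new(self._ca_key, to_sign, hashlib.sha256).hexdigest()
        entry = {"serial": serial, "subject": subject, "csr_sha256": csr_digest,
                 "issued_at": issued_at,
                 "prev": self.log[-1]["entry_hash"] if self.log else GENESIS}
        entry["entry_hash"] = _hash_entry(entry)
        self.log.append(entry)
        return {"serial": serial, "subject": subject, "signature": signature}

def verify_log(log):
    """Return -1 if the chain is intact, else the index of the first bad entry.
    Publish the newest entry_hash to a separate host now and then: that host can
    then detect later deletion or rewriting of anything before its anchor."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["entry_hash"] != _hash_entry(entry):
            return i
        prev = entry["entry_hash"]
    return -1

def serials_issued_between(log, start, end):
    # Serials signed inside a questionable window: the candidates to revoke.
    return [e["serial"] for e in log if start <= e["issued_at"] <= end]
```

The chain only proves tampering to someone who holds an earlier head hash, so the value of the log depends on shipping that hash off the signing host; on the host itself a root attacker can rewrite the whole chain, which is Mark's point about what the card does and does not protect.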
 
08-23-2008, 07:43 AM
Mark Wormgoor
securing FAS certs

Toshio Kuratomi wrote:
> Mike McGrath wrote:
>> On Thu, 21 Aug 2008, Ricky Zhou wrote:
>>
>>> On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
>>>> I've never actually used a crypto card... Do they add additional security
>>>> if they're sitting in a colo always plugged in? If so how do they do
>>>> that?
>>> I might be wrong, but I think with such a card, encryption/signing takes
>>> place entirely on the card, and thus the secret key is never transferred
>>> anywhere off the card.
>>
>> Ah, so the theory being that if someone happens to hit us, they're only
>> hitting us for as long as the machine is up / card is in. And I assume
>> the card actually tracks serial numbers and things so we can revoke
>> anything that was signed in a questionable time?
>
> That seems like it would work well. Jesse's been having troubles
> obtaining the card he wants, though (and his is a gpg card, not for ssl
> certificates).

Most of these cards work with OpenSSL just fine - though I'm not sure
what additional hardware drivers are required to interface to the card.

All the card does is protect the private key from being obtained. When
someone has (root) access to the machine, he can use the key for signing
anyway. As such, an HSM should be connected only to a very secure
machine, not running any other services and with highly restricted
access. Connecting one to a Xen machine does not sound like a good idea.

These keys are protected against hardware intrusion depending on their
security level and will zero out the keys upon hardware tampering.


Kind regards,

Mark
