Passwordless PKI mode (with CRL for revocation) #3832

Open
wociscz opened this issue Sep 21, 2017 · 5 comments

@wociscz
commented Sep 21, 2017

I've tried the PKI setup with an LXD server and lxc clients - works perfectly. But I was a little bit disappointed because clients and servers still need to be "paired" or "trusted" with a password. With your own CA, the only advantage is that you don't have to check certificate fingerprints.
Wouldn't it be more useful if, when you are using your own CA, you could omit passwords when trusting - the trust is replaced by the CA, where you could revoke certificates?

I don't know if my idea is clear - I'd like to have everything trusted without a password, based only on the validity of certificates issued by my own CA. Before I started with PKI in LXD, I imagined that it was supposed to work like that.
Is this a bad idea according to some crypto best practices, or a security risk at some point (I'm not a security expert)?
Maybe some switch/config parameter when PKI is in action, something like `lxc config core.trust_passwordless true`?
So PKI mode should be passwordless and the "standard" self-generated certificates mode should be password-present?

(I know, I can add fingerprints/certificates before trusting, with `lxc config trust`.)

wociscz changed the title from "PKI setup passwordless?" to "Feature Request: PKI setup passwordless?" on Sep 21, 2017

@stgraber

Member

commented Sep 21, 2017

So the main issue right now is that there is no CRL handling in LXD. So the need for the client to be added to the server's trust store is the only mechanism in place to allow you to remove a client.

@wociscz

Author

commented Sep 21, 2017

Ah, so when (if) CRL/OCSP support is added, this should be possible. So do you have some kind of "wish list"?

@stgraber

Member

commented Sep 21, 2017

Yeah, I think once we support having a .crl file on both the client and server, then we can add a flag allowing for password-less trust.

stgraber changed the title from "Feature Request: PKI setup passwordless?" to "Passwordless PKI mode (with CRL for revocation)" on Sep 21, 2017
stgraber added the Feature label on Sep 21, 2017
stgraber added this to the later milestone on Sep 21, 2017

@wociscz

Author

commented Sep 21, 2017

Thanks!

@stgraber

Member

commented Sep 21, 2017

PKI mode isn't something we're spending very much time on, so I may get to it at some point in my spare time, but if you want this implemented quickly, it may be faster for you to send a branch.
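
Added example, not LXD code and not written by either participant in this thread: the revocation half of the password-less trust decision discussed above, in Go with only the standard library. `checkCRL`, `fixture` and `must` are hypothetical names, the CA and CRL are constructed in-process, and the client certificate is assumed to have already been validated as chaining to the CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fixture builds constructed test data: a throwaway CA and a CRL it signs that revokes one serial.
func fixture(revoked int64, next time.Time) (*x509.Certificate, *x509.RevocationList) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, pub, key))))
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-2 * time.Hour), NextUpdate: next,
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(revoked), RevocationTime: now}}}
	return ca, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, rl, ca, key))))
}

// checkCRL (hypothetical) rejects a serial unless a fresh CRL signed by ca omits it (Go 1.21+).
func checkCRL(serial *big.Int, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	// A CRL that is wrongly signed or past NextUpdate proves nothing, so reject everything.
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected, failing closed: signature error %v, next update %v", err, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %v revoked at %v", serial, e.RevocationTime)
		}
	}
	return nil
}

func main() {
	ca, crl := fixture(3, time.Now().Add(time.Hour))
	fmt.Println(checkCRL(big.NewInt(2), ca, crl, time.Now()), "|", checkCRL(big.NewInt(3), ca, crl, time.Now()))
}
```

Because an expired or wrongly signed CRL rejects every serial, withholding CRL updates from a server cannot keep a revoked client trusted.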
