package for platform identity trust anchors #20
The Do we need the oxide anchors in that file, or do we just need the individual certificates and hash links to them? If they should be in the consolidated file, the easiest thing would be to extend the package in helios-omnios-build. An alternative approach would be to restructure things and introduce a new SMF service for building the combined file from fragments delivered by packages. I have a slight preference for not adding any more things into compactor but I can see the argument for keeping the oxide anchors separate.
Thanks for all of this data. I'm pretty ignorant of the helios stuff so this is super useful. My current thinking / assumptions are this: Certs for PKIs related to web / HTTPS stuff typically live in the 'ca cert' packages. This is an assumption but after scanning through the The certs we're talking about packaging in this case are for the PKI used to bind a public key unique to a platform with the platforms assigned barcode / serial number. If we were to add these PKI roots to the An even less desirable outcome of packaging our platform identity root certs in this way would be the impact on the components that evaluate the trustworthiness of assertions made about a platforms identity. We should trust only our PKI roots for this purpose which means that if bundled together these tools will need to specifically ignore the other certs from the bundle. This feels like a "red flag" to me as a bug in this code may cause us to accept platform identity assertions from CAs in the Mozilla CA Cert Store. This would be undesirable. My current approach / design goals are:
I'm currently working up scripts to build packages that meet these goals. Whether this lives in the garbage-compactor or elsewhere isn't something I have strong feelings about.
I have no such preference for keeping Oxide specifics out of the compactor, FWIW. I find it substantially easier to reason about.
These live in the evidence room as PEM encoded x.509 certs. This package should be something like the packages of trust anchors / ca-certs for HTTPS in linux distros.