From: Nathan Scott <nathans@redhat.com>
To: Josh Stone <jistone@redhat.com>
Cc: systemtap@sourceware.org
Subject: Re: Possible systemtap/NSS areas of extension
Date: Fri, 15 Feb 2013 04:56:00 -0000
Message-ID: <2042332300.3117989.1360904190732.JavaMail.root@redhat.com>
In-Reply-To: <511D1873.9000807@redhat.com>

Hi Josh,

----- Original Message -----
> On 02/14/2013 01:46 AM, Nathan Scott wrote:
> > 4. system-wide NSS database
> > - There appears to be a move toward consolidation of system/host
> > certificate databases, at least for NSS-based databases. An
> > API has been added to facilitate transitioning to use of the
> > system-wide shared SQL NSS database - NSSInitWithMerge. It'd
> > be an option for systemtap, if transitioning to the new form
> > is considered a desirable feature at some point, to use this
> > to merge the existing systemtap database with the system-wide
> > database.
>
> Perhaps I misunderstand you, but we need to be really careful due to
> what is implied by the certificates we accept. We need not just "this
> host's claimed identity is confirmed" but also "I trust this host to
> feed me a module which I'll load in my kernel." A systemwide database
> for the likes of internet browsers is certainly not suitable for that
> kernel level of trust.

If it's good enough to trust all my banking details to, I guess I'd
trust my kernel to it as well. ;)

But seriously, you make a good point. I note the stap-servers cert
DB path is set up for only stap-server to read and write, whereas the
/etc/pki/nssdb is set up for only root to write and anyone to read.
Also, stap-server is doing relatively exotic things with certificates
(signing and trusting its own certificates, etc.) and programmatically,
so putting these in the same system DB might not make sense.

I might have missed it in the earlier mail, but there's a move to also
be able to share the per-user certificates in ~HOME/.pki/nssdb as well
which the stap client might consider using too.

I think from an admin point of view, using common locations would make
life easier (in terms of sharing CA certs, revoking certs, etc. - tools
like nss-gui point to the standard locations by default, and so on) -
but it might well not be suited for systemtap.

cheers.
--
Nathan