Per-Entity Metadata Working Group

[Tom Scavo <>]

On Thu, Jul 28, 2016 at 6:45 PM, Cantor, Scott 
<>
 wrote:
> On 7/28/16, 5:46 PM, 
> "
>  on behalf of Nick Roy" 
> <
>  on behalf of 
> >
>  wrote:
>
>>    Securing the MDQ server with the key you're using to sign metadata 
>> seems like the worst > possible approach because you're putting that 
>> signing key at risk by having it on a live, > Internet-facing server.
>
> Probably getting into the weeds here, but sure, you'd probably chain the 
> TLS key off of the real key and assume that your TLS-client software can 
> leverage that path to verify the server, or something like that. Or it 
> could be a totally disjoint key.

Yes, and eliminate the signing key and cert from the MDQ server
altogether. The pull system we've deployed on mdq-beta is probably not
the way to go. We should push signed metadata from a secure location
(like UKf is doing) to an MDQ server with a TLS key as described
above. This need not be a phase 1 feature in any case.

Tom