Per-Entity Metadata Working Group

[Jorj Bauer <>]

On 7/28/16 7:11 PM, Tom Scavo wrote:
> On Thu, Jul 28, 2016 at 6:45 PM, Cantor, Scott 
> <>
>  wrote:
> > On 7/28/16, 5:46 PM, 
> > "
> >  on behalf of Nick Roy" 
> > <
> >  on behalf of 
> > >
> >  wrote:
> >
> > >    Securing the MDQ server with the key you're using to sign metadata seems like 
> > > the worst > possible approach because you're putting that signing key at risk by 
> > > having it on a live, > Internet-facing server.
> >
> > Probably getting into the weeds here, but sure, you'd probably chain the TLS 
> > key off of the real key and assume that your TLS-client software can leverage 
> > that path to verify the server, or something like that. Or it could be a 
> > totally disjoint key.
>
> Yes, and eliminate the signing key and cert from the MDQ server
> altogether. The pull system we've deployed on mdq-beta is probably not
> the way to go. We should push signed metadata from a secure location
> (like UKf is doing) to an MDQ server with a TLS key as described
> above. This need not be a phase 1 feature in any case.

Hidden master. +1.