per-entity - [Per-Entity] deploying TLS on the MDQ server
Subject: Per-Entity Metadata Working Group
- From: Tom Scavo
- To: Per-Entity Metadata Working Group
- Subject: [Per-Entity] deploying TLS on the MDQ server
- Date: Thu, 8 Sep 2016 08:47:05 -0400

The key word on the subject line is "deploy." Personally, I'm not
convinced that the benefits of TLS outweigh the costs (especially if
we tighten validUntil) but in order to advance the discussion, let me
ask the relevant deployment questions:

1) What CA signs the TLS server certificate?
2) What is the expiration date on the TLS certificate?
3) How do we handle revocation?

I'll give one possible deployment scenario:

1) The metadata signing key also signs the TLS server certificate.
2) TLS certificates are short-lived, on the order of days.
3) Revocation is not necessary (since TLS certificates are short-lived).

The above deployment has teeth but I'm afraid it is nontrivial to
implement. Are there other deployment scenarios that are easier to
implement yet meet our needs?

Tom
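
The deployment scenario in the message above (metadata signing key signs the TLS certificate, lifetimes of days, no revocation), as an added example that is not part of the original message or of any MDQ implementation. It covers both issuance and the client-side check that pins the metadata signing certificate and rejects long-lived certificates. Assumptions made here: the host name mdq.example.org, the 72-hour lifetime and 96-hour limit, Ed25519 keys, and a metadata signing certificate that carries CA constraints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a fresh key and a certificate for it, signed by parentKey (self-signed if parent is nil).
func issue(serial int64, cn string, from time.Time, life time.Duration, parent *x509.Certificate,
	parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: from.Add(life), DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // assumption: the metadata signing certificate is marked as able to sign certificates
		parent, parentKey = t, key
		t.IsCA, t.KeyUsage, t.DNSNames = true, t.KeyUsage|x509.KeyUsageCertSign, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkServer accepts leaf only if it is short-lived (no revocation check) and chains to the pinned anchor.
func checkServer(leaf, anchor *x509.Certificate, host string, maxLife time.Duration, now time.Time) error {
	if life := leaf.NotAfter.Sub(leaf.NotBefore); life > maxLife {
		return fmt.Errorf("validity %v exceeds short-lived limit %v", life, maxLife)
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor) // the metadata signing certificate is the only trust anchor
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now, host, limit := time.Now(), "mdq.example.org", 96*time.Hour // constructed values
	anchor, mdKey, _ := issue(1, "Constructed Metadata Signer", now.Add(-time.Hour), 8760*time.Hour, nil, nil)
	leaf, _, _ := issue(2, host, now.Add(-time.Hour), 72*time.Hour, anchor, mdKey)
	fmt.Println(checkServer(leaf, anchor, host, limit, now), checkServer(leaf, anchor, host, limit, now.Add(7*24*time.Hour)))
}
```

The second check in `main` fails purely on expiry, which is what replaces revocation in this scenario: a compromised TLS key is usable for at most the certificate lifetime.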
- [Per-Entity] deploying TLS on the MDQ server, Tom Scavo, 09/08/2016
- RE: [Per-Entity] deploying TLS on the MDQ server, Paul Caskey, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Mitchell, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, IJ Kim, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Scavo, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, David Walker, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Scavo, 09/08/2016
- RE: [Per-Entity] deploying TLS on the MDQ server, Paul Caskey, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Steve Thorpe, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Scavo, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, David Walker, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Scavo, 09/08/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, IJ Kim, 09/08/2016
- RE: [Per-Entity] deploying TLS on the MDQ server, Cantor, Scott, 09/09/2016
- Re: [Per-Entity] deploying TLS on the MDQ server, Tom Mitchell, 09/08/2016
- RE: [Per-Entity] deploying TLS on the MDQ server, Paul Caskey, 09/08/2016
- RE: [Per-Entity] deploying TLS on the MDQ server, Cantor, Scott, 09/09/2016