per-entity - RE: [Per-Entity] deploying TLS on the MDQ server
Per-Entity Metadata Working Group list archive
- From: Paul Caskey <>
- To: Thomas Scavo <>, Per-Entity Metadata Working Group <>
- Subject: RE: [Per-Entity] deploying TLS on the MDQ server
- Date: Thu, 8 Sep 2016 12:51:09 +0000
To me, it feels like you may be reading too much into the requirements.
Why not just use a regular InCommon server SSL cert like all the other
websites?
It mitigates certain attacks, which is what Scott (and others) was talking
about yesterday.
> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Thursday, September 08, 2016 7:47 AM
> To: Per-Entity Metadata Working Group <>
> Subject: [Per-Entity] deploying TLS on the MDQ server
>
> The key word on the subject line is "deploy." Personally, I'm not convinced
> that the benefits of TLS outweigh the costs (especially if we tighten
> validUntil) but in order to advance the discussion, let me ask the relevant
> deployment questions:
>
> 1) What CA signs the TLS server certificate?
> 2) What is the expiration date on the TLS certificate?
> 3) How do we handle revocation?
>
> I'll give one possible deployment scenario:
>
> 1) The metadata signing key also signs the TLS server certificate.
> 2) TLS certificates are short-lived, on the order of days.
> 3) Revocation is not necessary (since TLS certificates are short-lived).
>
> The above deployment has teeth but I'm afraid it is nontrivial to implement.
> Are there other deployment scenarios that are easier to implement yet meet
> our needs?
>
> Tom
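Tom's first deployment scenario above (the metadata signing key signs a short-lived TLS server certificate, so revocation is never consulted), worked through as an added Go example that is not part of this thread or of any InCommon software: it builds a self-signed anchor standing in for the federation metadata signing key, issues a days-long server certificate under it, and shows the client-side check that trusts only that anchor, requires the MDQ host name, and refuses any certificate whose validity window exceeds an assumed 7-day policy. The host name, the Ed25519 key type and the 7-day limit are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Assumed policy: accept an MDQ TLS certificate only if its validity window is at most 7 days.
const maxMDQCertLifetime = 7 * 24 * time.Hour

// issue signs tmpl under parent with signer and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueChain builds a self-signed anchor standing in for the federation metadata signing key (constructed here), then signs a TLS server certificate for host under it with the given lifetime.
func issueChain(host string, lifetime time.Duration) (anchor, leaf *x509.Certificate, err error) {
	anchorPub, anchorKey, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)          // the leaf's private key is not needed for verification
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Federation Metadata Signing Key"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	if anchor, err = issue(caTmpl, caTmpl, anchorPub, anchorKey); err == nil {
		leaf, err = issue(&x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), DNSNames: []string{host},
			Subject: pkix.Name{CommonName: host}, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, anchor, leafPub, anchorKey)
	}
	return anchor, leaf, err
}

// verifyMDQCert trusts only the metadata signing anchor (no public CA), requires the MDQ host name, and enforces the short-lived policy in place of a revocation check.
func verifyMDQCert(leaf, anchor *x509.Certificate, host string) error {
	if leaf.NotAfter.Sub(leaf.NotBefore) > maxMDQCertLifetime {
		return errors.New("mdq: certificate validity window exceeds short-lived policy")
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A certificate issued for a year, for another host, or under a different signing key is rejected by verifyMDQCert, while a three-day certificate under the anchor passes.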