http://bugzilla.novell.com/show_bug.cgi?id=550395
User jdsn@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=550395#c4
J. Daniel Schmidt
So it's up to the vendor to create (and install) a certificate?!
Yes, exactly.
If it comes to deployment every customer has to create his own certificate(s)
customer? I guess you mean 'vendor', the one creating the appliance.
Sure, I meant 'vendor'. No customer (in terms of end-user) needs to bother with CA certificates.
Question is, what's the default certificate delivered with yast2-webclient?
It might sound crazy, but what about "none"? This is the best way to force the vendor to create its own certificates. A server certificate needs to match the hostname or in special cases the IP address of the server. We do not know either of these. For our beta releases or demo images we could ship our self-signed certificate, but these images should never be deployed to a production system.
The current one is self-generated ('webyast team') and serves the needs to run over https. Since it's packaged inside a(n autobuild) signed package, it has an established chain of trust.
This only deals with encryption of the traffic but not with trust so far. Only we know (or believe the ones who know) how the certificates are created. And I doubt that our security team will allow us to ship our CA certificate as a trusted CA.
Can we package a 'Novell Inc' or 'SUSE Linux Products GmbH' certificate instead?
You mean, we should act as a CA and ship signed certificates and include our CA certificate into the appliance? I would not do this. This is a very big administrative effort. If we act as a CA handing out signed certificates they could be (mis)used for anything else and thus lower our own trustworthiness. For any abuse of a service with such a certificate we will be contacted.
Which advice can we give appliance vendors?
I would definitely advise them to create their own certificates and either let them be signed by their own CA or by a known CA whose certificate is already shipped with the openssl-certs package. Therefore I'd recommend that we ship no certificate at all with the Add-On product in order to force the vendor to create one. Feel free to comment on this bug but I will close this as WONTFIX now. For any other solution we should set up a meeting together with Michael Calmer (for SLMS and SSL) and the security team and discuss all issues. (Note: I fixed the summary.)
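The procedure the comment recommends (vendor creates its own CA, issues a server certificate that matches the appliance hostname, and the client verifies the chain against that CA) as an added example; this is not code from the bug report or from the WebYaST project. It uses only the openssl command line; the CA name "Example Appliance Vendor CA", the hostname passed in, and the output file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a vendor-side PKI for an appliance, built with the openssl CLI.
# Nothing here ships a Novell/SUSE certificate; the vendor owns every key.
set -e

# make_vendor_pki DIR HOSTNAME
#   Creates a private vendor CA and a server certificate for HOSTNAME in DIR:
#   ca.pem / ca.key, server.pem / server.key. The CA certificate is what the
#   vendor would distribute to its clients (or install into the trust store).
make_vendor_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # 1. Vendor CA (hypothetical name); keep ca.key offline in a real deployment.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Appliance Vendor CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1

  # 2. Server key and CSR for the name clients will actually connect to.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1

  # 3. Leaf extensions: the hostname goes into subjectAltName, which is what
  #    modern clients match against; mark it as a non-CA server certificate.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/server.ext"

  # 4. Sign the CSR with the vendor CA.
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# verify_for_host DIR HOSTNAME
#   Succeeds only if server.pem chains to ca.pem AND its SAN matches HOSTNAME,
#   i.e. the two checks a client performs (trust and name binding).
verify_for_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}
```

Typical use is `make_vendor_pki /etc/appliance-pki appliance.example.com` followed by `verify_for_host /etc/appliance-pki appliance.example.com`; running the second command with a different hostname fails, which is the point made in the comment that a shipped default certificate cannot match a hostname nobody knows in advance.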