I am looking into how best to do an install without "trusting" the Internet.

What installation image has the mostest?

How much can I get on the system (need openssl, python stuff, QR code stuff) without connecting to the Internet?  After installing the OS, I would add other stuff from a repo on a DVD.  It has been YEARS since I built my own repos, but I can probably still find my notes.

This is all to establish a trail of trust for the software on a CA server with all its ports blocked with security table and making a Tamper Evident claim.

Best I can figure out is my sole risk is that the bad guy's code provides the keypair for the certs, rather than the system generating its own.  And this is hard to prove without having a fully trustable system.  At least with a Tamper Evident system, this would have to come from the code initially installed.

There are mitigations I can apply, but they take time to show that bad things happened.

Yes, no updates to the software on a system that is expected to do its job (sign certs) for 10+ years.  The root CA system may be used a couple times a year.  The intermediate auth CA probably also a couple times a year.  The intermediate issuing CA could well be doing 100k signings per day! (see IETF DRIP design for UAS Session IDs).  But it will not use a QR code protocol that requires a human or two, but a USB protocol between it and the UAS Service Provider (USS) registration system.  Only X509 stuff passed over USB (still needs to be specced).

Only the issuing CA is running all the time.  The others are vaulted and only taken out when the camera is recording.

Fun stuff!  The auditors are going to have a field day with me.  I am doing my best that I don't need to spend $100K per CA key signing with them...


--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org