[Server-devel] Doubts about the delegation mechamism
Martin Langhoff
martin.langhoff at gmail.com
Tue Apr 20 15:07:08 EDT 2010
On Tue, Apr 20, 2010 at 2:42 PM, Juan G. Narvaez <gnrvzsix at gmail.com> wrote:
> but my doubt is how the XSs can generate leases?
Each XS has its own key. It generates the leases with its own key.
The XO does not know the key of the XS -- it knows the keys it has in
the OFW "manufacturing data". In your case, this will be the a1 key
(activation) of La Rioja.
So the XS creates the lease with its own key, and when it serves it,
it _also serves some extra data_. The extra data is a delegation,
which says "the owner of the a1 key trusts and delegates the power to
the XS key for this SN, valid until <date>". That message is signed
with the a1 key..
Just like GPG. I am pretty sure you don't know karora at debian.org but
if you get an email from him, the gpg trust network will show that you
trust me (my keys actually), and I trust Karora and his keys.
Sometimes, he even trusts me, but he isn't *that* drunk often.
The statement that "martin trusts karora" is actually a structured
message ("key xyz trusts key zyx") signed with the keys conferring the
trust.
hth,
m
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
More information about the Server-devel
mailing list