[Server-devel] OATs delegations -- change in procedure -- need to use sig01 format too...

Martin Langhoff martin.langhoff at gmail.com
Sun Apr 25 00:40:52 EDT 2010


In recent setups of antitheft, I have indicated that when creating
delegations from the master keys to the XS keys, you must use the
"--act" parameter for the activation / lease key delegations, and skip
it for the "oats" key delegations.

I was wrong.

The main difference there is that when you pass --act, it creates
"del01" delegations, which include the SN and UUID for each laptop.
Without "--act", we create "del02" delegations which don't mention the
UUID, because on an initial analysis it was understood that the use of
OAT protocol doesn't require knowing the UUID. However, you need the
UUID to build the "stolen" message.

 - If you have scripts now creating delegations for your lease and
oats keys (calling obc-make-server-delegations), make sure you have
"--act" on both.

 - We should make --act a no-op, so we just forget about it in the
future. Gonzalo and Daniel have been working on the scripts and I am a
bit behind on what they've done. Guys, would be great if you apply
this -- or I'll patch it later in the week.

(There's a bit of a mess to be sorted out in bios-crypto -- the
"master" branch has a few new things, and has split-off the scripts to
a sub-package. We cannot follow the split-off for the XS 0.6 because a
yum update will leave the XS without the scripts.)

Anyone working on antitheft should also see this inglorious bastard
bug http://dev.laptop.org/ticket/10132



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

