[OpenWrt-Devel] ucert

Daniel Golle daniel at makrotopia.org
Wed Aug 8 18:37:14 EDT 2018


Hi John,

On Wed, Aug 08, 2018 at 08:07:01PM +0200, John Crispin wrote:
> Hi All,
> 
> $magic feature, please elaborate, kthxbye

ucert [1] is a way to allow trust delegation and revocation on top of
usign/signify intended for sysupgrade images.
Functionality to make use of ucert to automatically sign generated
images and verify them on the target has recently been added to OpenWrt
(image signatures are verified if present, they are not mandatory
unless $REQUIRE_IMAGE_SIGNATURE is set to '1').

Background: During battlemesh in Porto we decided upon sysupgrade image
metadata and also had a vague idea how signing sysupgrade images would
be implemented in the same fashion as image metadata. However, when
@aparcar came up with the sysupgrade-image-server [2] we quickly
realised that simply using usign won't be sufficient or at least it
felt a bit fishy to have an eternal irrevocable private key on a
machine processing complex input from anonymous users of The Internet.

Hence, in this year's wireless meshup we discussed how the most simple
way to delegate (and limit and possibly revoke) keys to those automated
build servers could work. After mapping out the basic idea, WIO [3]
agreed to sponsor the initial development of ucert.

Apart from sysupgrade images, ucert may also be used for other payloads
in situations where using X.509/ASN.1 or relying on TLS isn't feasible,
such as config distribution/provisioning.

For example on low-cost routers (e.g. devices with only 4MB flash):
Using opkg (even to just update the openwrt-keyring) or storing
ca-certificates for X.509 or using GnuPG would be utopic on those
boxes.

If you or anyone has any questions regarding ucert, always feel free
to contact me!


Cheers


Daniel


[1]: https://git.openwrt.org/?p=project/ucert.git;a=blob;f=README.md
[2]: https://github.com/aparcar/attendedsysupgrade-server
[3]: http://wiowireless.com
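The delegation chain the mail describes, as an added example that is not part of the original message and is not ucert's own code or certificate format: a constructed Go model in which an offline root key issues a time-limited certificate for a build server's key, the build server signs the image with its delegated key, and the target device verifies the whole chain using only the root public key and a revocation list. The type and function names (Cert, IssueCert, SignImage, Verify, AcceptImage), the signed byte layouts and the toy timestamps are assumptions made for the illustration; ucert's real format is documented in its README [1].

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert is a constructed model of a delegation certificate: the root key
// endorses a build server's public key until NotAfter (not ucert's format).
type Cert struct {
	Subject   ed25519.PublicKey // delegated key, e.g. an automated build server
	NotAfter  int64             // validity end, Unix seconds
	Signature []byte            // root key's signature over certBody(...)
}

// SignedImage bundles a payload (e.g. a sysupgrade image), the signer's
// certificate and the signer's signature over the payload.
type SignedImage struct {
	Payload   []byte
	Cert      Cert
	Signature []byte
}

// Revocations lists delegated public keys (raw bytes) that must no longer be trusted.
type Revocations map[string]bool

// NewKeyPair generates an Ed25519 key pair (the algorithm usign/signify also use).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certBody is what the root key signs: a type prefix for domain separation,
// the delegated key and a fixed-width expiry.
func certBody(subject ed25519.PublicKey, notAfter int64) []byte {
	body := append([]byte("cert-v0:"), subject...)
	expiry := make([]byte, 8)
	binary.BigEndian.PutUint64(expiry, uint64(notAfter))
	return append(body, expiry...)
}

// imageBody is what the delegated key signs (a different prefix than certBody).
func imageBody(payload []byte) []byte {
	return append([]byte("image-v0:"), payload...)
}

// IssueCert runs on the offline machine that holds the root private key.
func IssueCert(rootPriv ed25519.PrivateKey, subject ed25519.PublicKey, notAfter int64) Cert {
	return Cert{Subject: subject, NotAfter: notAfter,
		Signature: ed25519.Sign(rootPriv, certBody(subject, notAfter))}
}

// SignImage runs on the build server, which only ever holds the delegated key.
func SignImage(cert Cert, delegatedPriv ed25519.PrivateKey, payload []byte) SignedImage {
	return SignedImage{Payload: payload, Cert: cert,
		Signature: ed25519.Sign(delegatedPriv, imageBody(payload))}
}

// Verify runs on the target device: root public key + revocation list are the
// only trust anchors; delegated keys need not be known in advance.
func Verify(rootPub ed25519.PublicKey, revoked Revocations, img SignedImage, now int64) error {
	c := img.Cert
	if len(c.Subject) != ed25519.PublicKeySize { // ed25519.Verify panics on bad sizes
		return errors.New("malformed delegated key")
	}
	if !ed25519.Verify(rootPub, certBody(c.Subject, c.NotAfter), c.Signature) {
		return errors.New("certificate not issued by the trusted root key")
	}
	if now > c.NotAfter {
		return errors.New("certificate expired")
	}
	if revoked[string(c.Subject)] {
		return errors.New("delegated key has been revoked")
	}
	if !ed25519.Verify(c.Subject, imageBody(img.Payload), img.Signature) {
		return errors.New("payload signature does not match delegated key")
	}
	return nil
}

// AcceptImage models the policy in the mail: an unsigned image (img == nil) is
// tolerated unless requireSignature (REQUIRE_IMAGE_SIGNATURE=1) is set, while a
// signature that is present is always verified.
func AcceptImage(rootPub ed25519.PublicKey, revoked Revocations, img *SignedImage, requireSignature bool, now int64) error {
	if img == nil {
		if requireSignature {
			return errors.New("image is unsigned but REQUIRE_IMAGE_SIGNATURE=1")
		}
		return nil
	}
	return Verify(rootPub, revoked, *img, now)
}

func main() {
	rootPub, rootPriv := NewKeyPair()
	buildPub, buildPriv := NewKeyPair()
	img := SignImage(IssueCert(rootPriv, buildPub, 2000), buildPriv, []byte("constructed image bytes"))
	fmt.Println("valid chain:", Verify(rootPub, Revocations{}, img, 1000))
	fmt.Println("expired cert:", Verify(rootPub, Revocations{}, img, 3000))
	fmt.Println("revoked key:", Verify(rootPub, Revocations{string(buildPub): true}, img, 1000))
}
```

The point the model makes concrete is the one the mail gives for not putting a plain usign key on the image server: the build server's key is valid only until its certificate expires and can be cut off early by adding it to the revocation list, while the root private key never leaves the offline machine.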
