[389-devel] Please review: [Bug 182507] clear-password mod from replica is discarded before changelogged

Andrey Ivanov andrey.ivanov at polytechnique.fr
Tue Dec 14 14:18:57 UTC 2010


Hi Noriko,

I've read the changelog encryption design document. Indeed, it's a
sound idea to make AD-389 replication more robust. I have two
questions about it:

* If I understand correctly, you say that the server needs a
certificate in order to generate the symmetric key. Is this key
generated only once? I mean, if we change the expired server
certificate it won't trigger the symmetric key regeneration?
* The replication changelog that contains the mixed entries
(cleartext, encrypted 3DES, encrypted AES etc) - is it still readable
by the server? Does each changelog entry contain a flag that describes
whether the entry is cleartext/AES/3DES? Can the server "detect" in
any other way whether the changelog entry is encrypted and if yes with
what type of cipher?

Thank you

