User:Martinlanghoff/Key Autonomy: Country PoV: Difference between revisions
Line 39: | Line 39: | ||
* Setup an ''offline'' signing machine |
* Setup an ''offline'' signing machine |
||
* Prepare and sign custom OS image |
* Prepare and sign custom OS image |
||
* |
* Activation Server |
||
** Procure internet accessible machine. (CoLo?) |
|||
** Install, configure |
|||
** Procure HTTPS cert (or self-sign) |
|||
* Load keys on Activation Server |
* Load keys on Activation Server |
||
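Review bot: the Activation Server sub-items added here start with "Procure internet accessible machine", and the next step is "Load keys on Activation Server", but nothing says which keys go onto that host. Since the same list sets up an offline signing machine, state here which keys are loaded onto the Activation Server and which stay on the offline signing machine.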
Revision as of 08:59, 14 October 2009
Main options / variables
- Augment or Replace OLPC keys
- Delivery Chain Security
- Time-based activation + active kill
to do: Summarize the top level concerns
Simple Scenario: Delivery Chain Security
Preparations
- Generate country keys
- Set up an offline signing machine
- Load keys on signing machine
- Prepare and sign custom OS image
- Handle first shipment
With each shipment:
- Load data from Quanta to signing machine
- Associate SNs to schools
- Generate activation keys (universal, per school)
On every OS update
- Sign OS / kernel / initrd / OFW images
Other:
- Set up a formal workflow for developer key requests
- Generate
Advanced Scenario: Time-based Activation + Active Kill
Preparations
- Generate country keys
- Set up an offline signing machine
- Prepare and sign custom OS image
- Activation Server
  - Procure internet-accessible machine. (CoLo?)
  - Install, configure
  - Procure HTTPS cert (or self-sign)
- Load keys on Activation Server
With each shipment:
- Load data from Quanta to Activation Server
- Generate activation keys (optional, may be used as a complement to XS-based activation)
On every OS update
- Sign OS / kernel / initrd / OFW images
Other:
- Set up a formal 'report XO as stolen' workflow, and mark the XOs as stolen on the Activation Server.
- Review devkey requests on the Activation Server.
- Regularly update the delegations on the Activation Server.
What is?
What is: Signed OS images?
to do
What is: A signing server?
to do