[ofa-general] Re: [PATCH] saquery: --smkey command line option

Hal Rosenstock hrosenstock at xsigo.com
Fri May 23 04:15:13 PDT 2008


On Fri, 2008-05-23 at 13:06 +0300, Sasha Khapyorsky wrote:
> On 08:10 Thu 22 May     , Hal Rosenstock wrote:
> > 
> > I think it will tend towards proliferation of keys which will defeat any
> > security/trust. The idea of SMKey was to keep it private between SMs.
> > This is now spreading it wider IMO.
> 
> Probably original idea was different,

No; the spec clarification was just that; a clarification of what the
original intent was rather than a change in the original idea.

> but now in IBA spec knowing a valid
> SM_Key is mandatory for privileged SA clients (which need to get whole
> list of MCMemberRecord, ServiceInfo, etc.).

It's a grey area. The issue is what the privileged SA clients should be
used for. I think this use case allows much more common knowledge of the
management keys (in this case the SA key) as it will not just be the
network administrator using it and even if it were, the user would be
looking over his shoulder. That more common knowledge allows for a
malicious user to more easily compromise the subnet. 

A better approach to all these trust issues IMO is to use the OpenSM
console to support these types of operations.

-- Hal

> Sasha



