Subject: Re: cgd and remote keys
To: Greg Troxel <gdt@ir.bbn.com>
From: David Holland <dholland-security@netbsd.org>
List: tech-security
Date: 12/31/2007 17:16:08
On Mon, Dec 31, 2007 at 11:56:43AM -0500, Greg Troxel wrote:
 >   [cgdconfig getting remote keys]
 > 
 > That seems reasonable.
 > 
 > I would lean towards plain UDP with a simple protocol, and protect it
 > with IPsec.  That should defeat even active network attackers.  But
 > TCP seems fine too, and then you can skip the retransmission code.

I would lean towards pgp-encrypted keys fetched using something like
curl, because that way you get the most flexibility in the transport
and all you need to host the keys is a web server. With proper use of
pgp (and possibly additional nonces to prevent replay attacks) it
should be safe to use plain http.

This suggests that the mechanism inside cgdconfig should maybe be a
simple callout, so that different key-fetching scripts can be used.
(Well, "simple", because to do it this way the key has to be returned
somehow without touching the disk...)

It sounds like a good idea overall.

-- 
David A. Holland
dholland@netbsd.org
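The replay protection and the "key never touches the disk" callout sketched above, as an added illustration that is not code from this thread or from NetBSD's cgdconfig. It assumes a hypothetical callout `fetch_key` that sends a fresh nonce and expects the server to echo it back bound to the key; the HMAC tag here stands in for the pgp signature/encryption layer the mail proposes (a shared MAC key, not pgp's asymmetric keys, so the binding logic is the same but the trust model is simplified), and the `fetcher` argument stands in for the curl round trip so the example runs offline. All names and key values are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment would use pgp keys, not a shared MAC key.
DEMO_MAC_KEY = b"constructed-demo-mac-key-do-not-reuse"
DEMO_CGD_KEY = bytes(range(32))            # 256-bit stand-in for the cgd disk key
NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size     # 32 bytes


def key_server(request_nonce, cgd_key=DEMO_CGD_KEY, mac_key=DEMO_MAC_KEY):
    """Stand-in for the web server that hosts the key.

    It echoes the client's nonce in front of the key and authenticates both
    with an HMAC tag, playing the role of the pgp layer in the mail.
    """
    body = request_nonce + cgd_key
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def verify_response(blob, expected_nonce, mac_key=DEMO_MAC_KEY):
    """Check the tag first, then that the echoed nonce is the one we just sent."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("short response")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected_tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("authentication failed")
    nonce, key = body[:NONCE_LEN], body[NONCE_LEN:]
    if not hmac.compare_digest(nonce, expected_nonce):
        # A recorded response from an earlier fetch carries an old nonce.
        raise ValueError("stale nonce: replayed response")
    return key


def fetch_key(fetcher):
    """The callout: pick a fresh nonce, hand it to the transport, verify the reply.

    `fetcher` is whatever performs the HTTP round trip (curl in the mail).
    The key is returned as bytes in memory, never written to a file.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    return verify_response(fetcher(nonce), nonce)


def honest_transport(nonce):
    """Transport that really asks the server each time."""
    return key_server(nonce)


class ReplayingTransport:
    """Simulates a replay: records the first response and serves it again."""

    def __init__(self):
        self.recorded = None

    def __call__(self, nonce):
        if self.recorded is None:
            self.recorded = key_server(nonce)
        return self.recorded


if __name__ == "__main__":
    print("fresh fetch ok:", fetch_key(honest_transport) == DEMO_CGD_KEY)
    replay = ReplayingTransport()
    fetch_key(replay)                       # first fetch is genuine
    try:
        fetch_key(replay)                   # second one is the recorded blob
    except ValueError as e:
        print("replay rejected:", e)
```

Because the nonce is generated per fetch and checked under the authentication tag, an attacker who captured an earlier (valid) response cannot feed it back to a later fetch; the callout would hand the verified bytes to cgdconfig over a pipe or inherited file descriptor rather than a temporary file.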