Revision a7c6552d doc/design-2.2.rst
233 | 233 |
may accept unverified certificates. The generated certificate should |
234 | 234 |
only be valid for the time necessary to move the instance. |
235 | 235 |
|
236 |
For additional protection of the instance data, the two clusters can |
|
237 |
verify the certificates exchanged via the third party by signing them |
|
238 |
using HMAC with a key shared among the involved clusters. If the third |
|
239 |
party does not know this secret, it can't forge the certificates and |
|
240 |
redirect the data. Unless disabled by a new cluster parameter, verifying |
|
241 |
the HMAC must be mandatory. The HMAC will be prepended to the |
|
242 |
certificate and only covers the certificate (from ``-----BEGIN |
|
243 |
CERTIFICATE-----`` to ``-----END CERTIFICATE-----``). |
|
244 |
|
|
236 | 245 |
On the web, the destination cluster would be equivalent to an HTTPS |
237 | 246 |
server requiring verifiable client certificates. The browser would be |
238 | 247 |
equivalent to the source cluster and must verify the server's |
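Review bot: the added paragraph (new lines 238-243) leaves the HMAC underspecified in ways that will cause interoperability and security trouble: the hash function is not named, the encoding of the prepended tag is not given (raw bytes, hex or base64, and how the boundary between tag and certificate is found), and "from ``-----BEGIN CERTIFICATE-----`` to ``-----END CERTIFICATE-----``" does not say whether the marker lines, line endings and any trailing newline are part of the signed bytes, so two clusters may compute different tags over the same PEM. Suggest stating the MAC as e.g. HMAC-SHA256 over the exact PEM bytes including both marker lines, giving a fixed encoding for the tag (hex, followed by a newline), and adding that the receiving cluster compares tags with a constant-time comparison. Also, "Unless disabled by a new cluster parameter, verifying the HMAC must be mandatory" should name the parameter and its default, and the document should say how the shared key is provisioned to the involved clusters, since the whole protection against the third party rests on that key not reaching it.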