Revision a7c6552d doc/design-2.2.rst
| b/doc/design-2.2.rst | ||
|---|---|---|
| 233 | 233 |
may accept unverified certificates. The generated certificate should |
| 234 | 234 |
only be valid for the time necessary to move the instance. |
| 235 | 235 |
|
| 236 |
For additional protection of the instance data, the two clusters can |
|
| 237 |
verify the certificates exchanged via the third party by signing them |
|
| 238 |
using HMAC with a key shared among the involved clusters. If the third |
|
| 239 |
party does not know this secret, it can't forge the certificates and |
|
| 240 |
redirect the data. Unless disabled by a new cluster parameter, verifying |
|
| 241 |
the HMAC must be mandatory. The HMAC will be prepended to the |
|
| 242 |
certificate and only covers the certificate (from ``-----BEGIN |
|
| 243 |
CERTIFICATE-----`` to ``-----END CERTIFICATE-----``). |
|
| 244 |
|
|
| 236 | 245 |
On the web, the destination cluster would be equivalent to an HTTPS |
| 237 | 246 |
server requiring verifiable client certificates. The browser would be |
| 238 | 247 |
equivalent to the source cluster and must verify the server's |
Also available in: Unified diff