Date and Location
at 15:00-16:00 (EET, UTC+2)
Location: Microsoft Teams
Discussion items
# | Item | Notes |
---|---|---|
1 | Summary of development activities | Summary of ongoing development activities. |
2 | Security Server Sidecar with remote database | Now that we have support for X-Road packages without depending on a local PostgreSQL installation, we have also looked at adding support for it to the Security Server Sidecar Docker image. The way that the X-Road package works is that we have a separate version on the package that doesn't require PostgreSQL as a dependency and then a default one, which does. On the Sidecar, we determined that this left us with the following options for supporting it:
For option two, NIIS will provide the following to make the transition smoother: Guide(s) or tools for existing users to support and simplify database migration. As the amount of different setups might potentially be very large, we would cover the following cases:
In October 2022, the X-Road Working Group decided that alternative 2 will be implemented. Special attention will be given to the deprecation path so that users don't accidentally install the latest version automatically and break their environment. Most likely the best approach is to deprecate the current image and move it to a new name. |
3 | Security Server Toolkit handover from DVV to NIIS | We have released version 4.0.0 of the X-Road Security Server toolkit, the first official release by NIIS following the handover from DVV. The release switched the default certificate profile from the Finnish certificate profile to the EJBCA one. It also introduced support for the Estonian SkKlass3 certificate profile. The toolkit currently supports Ubuntu versions 18 and 20, with the packages available on a PyPy repository hosted on our Artifactory at https://artifactory.niis.org/artifactory/xroad-extensions-release-pypi/. For more information about how to install and use the toolkit, please refer to the documentation available at https://github.com/nordic-institute/X-Road-Security-Server-toolkit/blob/master/docs/xroad_security_server_toolkit_user_guide.md. |
4 | Serving Global Configuration over HTTPS | Currently, global configuration is served plaintext over HTTP. The authenticity and integrity are guaranteed using digital signatures. However, the use of HTTP exposes global configuration to some other threats which is why it would be better to distribute it over HTTPS. In general, moving the global configuration to HTTPS would require the following steps:
The above method would not provide TLS authentication (there is no guarantee that the Central Server is authentic) since the TLS certificate needs to be a general one. Of course, global configuration itself is signed and verifying the signature proves its authenticity. Adding TLS authentication requires more work, and can be implemented in two different ways:
To implement alternative 1, one possibility is to sign the global configuration delivery TLS certificate using the same key that is in the configuration anchor (=global configuration sign key), and the configuration client is modified to require HTTPS and to verify the certificate against the key in the anchor (and to not accept other CAs). However, this would not provide any guarantees about the party downloading the configuration (that is, the Central Server can not authenticate the Security Server downloading the configuration). Instead, implementing alternative 2 is more complicated (e.g., how to initialize a Security Server without a valid certificate - global conf is downloaded during the initialisation process), but it would make global configuration more secure since only Security Servers with a valid certificate could access it. For example, currently, global configuration is publicly available when federation is enabled. In June 2022, the X-Road Working Group decided that alternative 1 (One-way TSL - Central Server is authenticated) will be implemented. The implementation will be included inversion 7.3.0 (Q2/2023) or 7.4.0 (Q4/2023). |
5 | Open topics | Discussion on open topics. |
Next meetings |
|