[Zope3-dev] Re: Why do we distribute SSL server keys and certs?
Jim Fulton
jim at zope.com
Sun Oct 15 12:25:58 EDT 2006
Tres Seaver wrote:
...
>> We also distribute a private key to be used for sftp. (Shouldn't there
>> be a corresponding public key?) This seems like a very bad idea too.
>
> Keys should be generated inside 'mkzopeinstance.py', never shipped. We
> should probably add scripts for (re)doing the generation, as well.
Well, mkzopeinstance doesn't enable ssl, so I don't think it
needs to do anything of the sort. Aren't there already tools
for generating keys? Surely, we shouldn't have to provide them
ourselves. My intuition is that people should have to learn
enough about ssl to use find and use existing tools to generate
ssl keys/certs before taking the responsibility for running an ssl
server.
...
> I didn't realize that we were shipping them at all.
> Are the shipped certs part of Twisted? In that case, we need to report
> this as an upstream bug.
No, they are a part of zopeskel (another peeve of mine :).
>> BTW, are there tests of the HTTPS and SFTP support?
>
> No se. Remove the code and see what breaks ;).
Sounds like a good project for someone.
I have a feeling that it won't break any tests, in which case
it should be removed until someone is willing to take responsibilty
for it.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope3-dev
mailing list