
Am I mistaken? The author notes in alternative solutions that the alternative solution is a single point of failure and that is a problem.

Is the CA not a single point of failure also?

I agree with one user's comment, ansible can solve all of this too...




Of course, if your CA is taken over, you are in big trouble.

However, the attack vector here is much lower given you can have this on a local machine which is not even connected to a network if you like.

The single point of failure for central management solutions is in having them as a running service - if that goes down, you are in trouble.

And that is far more likely than your CA becoming compromised somehow.

Also, in practice, you can run two or more CAs (we do that), so you can deprecate a full CA if the need arises.


The CA is not a single point of failure in the traditional sense where a single machine going down has a large impact.


How does ansible solve this?


Playbooks to update all keys on all machines. Run one script and they are all updated.
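As an added illustration of the two points made in this thread (a playbook that updates trust material on every machine in one run, and keeping two CAs so one can be retired), here is a hypothetical Ansible playbook. It is not code from any commenter; the inventory group, the local file paths under files/, and the destination path /etc/ssh/trusted_user_ca_keys are all assumptions. It distributes the public keys of two SSH user CAs and points sshd at them; retiring a CA is then just dropping it from the list and re-running the playbook, and the CA private keys themselves never leave the (possibly offline) signing machine.

```yaml
# Added example, not from the thread. Assumed: hosts are in the "sshservers"
# inventory group, and the CA *public* keys live locally in files/ (hypothetical paths).
# Only public keys are shipped; the CA private keys stay on the signing machine.
- name: Distribute trusted SSH user-CA public keys to all hosts
  hosts: sshservers
  become: true
  vars:
    # Two CAs are trusted at once so that one can be deprecated by removing it
    # from this list and re-running the playbook, without a flag day.
    trusted_ca_keys:
      - files/ssh_user_ca_primary.pub
      - files/ssh_user_ca_secondary.pub
    trusted_ca_file: /etc/ssh/trusted_user_ca_keys
  tasks:
    - name: Write the TrustedUserCAKeys file from the listed CA public keys
      ansible.builtin.copy:
        dest: "{{ trusted_ca_file }}"
        owner: root
        group: root
        mode: "0644"
        # The content is templated: one line per CA public key.
        content: |
          {% for ca in trusted_ca_keys %}
          {{ lookup('ansible.builtin.file', ca) }}
          {% endfor %}
      notify: Restart sshd

    - name: Point sshd at the CA key file
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*TrustedUserCAKeys\b'
        line: "TrustedUserCAKeys {{ trusted_ca_file }}"
        # Reject the change if sshd cannot parse the resulting config.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it with `ansible-playbook -i inventory ssh_ca.yml`; because both tasks are idempotent, re-running after editing `trusted_ca_keys` only changes hosts whose trust file actually differs, and the `validate` step keeps a typo in sshd_config from locking you out of the fleet.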



