Re: TLS for everything
Done – Issue 906.
I too have been involved in several conversations over the past several years about this, back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer a Pivotal, Justin Smith about this and I also did a talk at the 2015 CF Summit about using IPsec.
It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!
-- Jon Price
From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
Subject: Re: [cf-dev] TLS for everything
Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.
That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:
Jon, would you like to do the honors as the thread starter here?
cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
+1 on desiring everything to be encrypted on the network.
We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.