path: root/Architecture_and_Design/pot/Enforcing_Entitlements.pot
blob: 9218baaecfb0d8cc59cdc92a2078e2619a2f3c17 (plain)
# 
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2012-11-20T12:52:22\n"
"PO-Revision-Date: 2012-11-20T12:52:22\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Tag: title
#, no-c-format
msgid "Enforcing Entitlements"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Kolab Groupware is distributed in two different product streams. The community edition is supported by the community only. The enterprise edition has been subject to the necessary Quality Assurance prior to release, and is supported by Kolab Systems for a longer term more appropriate for most businesses, to an extent dependent on the type of Service Level Agreement purchased."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Both product streams, however, are entirely Free Software. The enterprise edition has restrictions, though, and is supported only for a certain number of users, systems, domains, mailboxes, groups, and other groupware functionality, again depending on the type of Service Level Agreement that has been purchased."
msgstr ""

#. Tag: para
#, no-c-format
msgid "This chapter explains how Kolab Systems enforces entitlements using the enterprise version of its software."
msgstr ""

#. Tag: para
#, no-c-format
msgid "It is commonly understood that for Free Software to be released in a fashion that allows the enforcing of entitlements, a version must be released that either:"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Itself contains information that allows the program to verify entitlements given a license file. Such a program would need to be binary compiled, randomized, and contain a key to unlock the lock on the license file. More importantly, however, the program would need to be proprietary (the <emphasis>Zarafa</emphasis> mechanism)."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Phones home, to verify that its current status is within the boundaries configured for it, against a piece of infrastructure controlled by the vendor (the <emphasis>Red Hat Network</emphasis> mechanism)."
msgstr ""

#. Tag: para
#, no-c-format
msgid "At Kolab Systems, we don't like either of these options. We have come up with a solution that allows the software to remain Free Software, without requiring systems that have Kolab installed to phone home."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Software Repositories Behind Lock and Key"
msgstr ""

#. Tag: para
#, no-c-format
msgid "First, we create software repositories in a location that requires the consumer to have been issued a key to the lock. We do this through an SSL certificate infrastructure, in which each consumer that we provide with access to the repositories is issued an SSL Client Certificate."
msgstr ""

#. Tag: para
#, no-c-format
msgid "This guarantees that anyone with access to the software repositories (for installation, but for updates as well) is a known customer, and has been issued a certificate that has an expiry date and that we can revoke."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Entitlements Files"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Example entitlements could be the number of users or groups supported within a Kolab Groupware environment. The information for all of a customer's support entitlement purchases is contained within an entitlements file, which can be supplemented with more entitlements files so that the entitlements can be added up and thus easily extended."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Issuing Entitlement Files"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Because each customer system contains a Certificate Authority file and an SSL Client Certificate (otherwise the system would not have access to the software repositories for important updates), we can use these existing components to sign and encrypt an entitlement file specific to the customer."
msgstr ""

#. Tag: para
#, no-c-format
msgid "First, we sign the entitlement file using a Certificate Authority certificate, the same one used to issue and sign the SSL Client Certificate."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Second, we encrypt the entitlement file using the SSL Client certificate we have issued to the customer."
msgstr ""

#. Tag: para
#, no-c-format
msgid "This guarantees that the contents of the entitlements file can be read only by those who have obtained the SSL Client Certificate, and that we can verify the signature on the entitlements file."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Implementing Enforcement"
msgstr ""

#. Tag: para
#, no-c-format
msgid "The entire infrastructure can be replicated by anyone if the only information the system has is a Certificate Authority, an SSL Client Certificate, and a signed and encrypted entitlements file. It may be relatively hard to reverse engineer the exact contents of the entitlements file, and update the binary compiled code to accept a new set of certificates, but it is certainly possible to achieve."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Therefore, the components that can enforce the entitlements (for example, the Kolab Daemon) can contain information about the certificates used in the SSL infrastructure, not to function as a key to a lock, but to verify that the other information available checks out against what it expects."
msgstr ""

#. Tag: para
#, no-c-format
msgid "It is safe for software to contain such information, as it is not leaking any information that is not already known to the outside world. However, the trick is to not allow this information to be altered or tampered with. More to the point, the trick is to not allow this information to be altered or tampered with in a way that cannot be detected."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Our enterprise edition therefore ships a binary compiled version of the software that contains this information, so that checksums can be verified upon every support request, and to make it harder both to alter the codebase and to maintain a patch-set."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Of course, it is relatively easy to write down any checksums for files right after installation, and run one's own version. However, running one's own version is still detectable through backtraces and stack traces. If these are reproduced using an original version of the code, then the support issue is legitimate even if the day-to-day code running the environment is not the same."
msgstr ""