openstack team mailing list archive

Thread
Date

Re: State of OpenStack Auth

To: Soren Hansen <soren@xxxxxxxxxx>
From: Eric Day <eday@xxxxxxxxxxxx>
Date: Tue, 1 Mar 2011 12:48:50 -0800
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTikyKHOBnF=-giMv3vb2f3bTHTV8F3zG0YQQmfSy@mail.gmail.com>
User-agent: Mutt/1.5.20 (2009-06-14)

On Tue, Mar 01, 2011 at 09:47:00PM +0100, Soren Hansen wrote:
> 2011/3/1 Eric Day <eday@xxxxxxxxxxxx>:
> > Signature based auth such as EC2 should also always require
> > a secure channel too, but if not attacks are less severe since they
> > are limited to reply attacks only (the request and parameters are used
> > as part of the signature).
> 
> Just a note: The request also includes a timestamp and an expiration
> field, so replay attacks are only possible within a certain
> (user-defined) timeframe.

Thanks, good to know. So slightly more secure when not over SSL. :)

-Eric

References

State of OpenStack Auth
From: Eric Day, 2011-03-01
Re: State of OpenStack Auth
From: Soren Hansen, 2011-03-01