openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #11799
Re: [Keystone] PKI
Hi Adam,
Can you please clarify the following in PKI blueprint?
1) Do you assume that roles won't be changed after getToken and before
validateToken?
<!--
if the token contains just the following data :
- {username: admiyo,tenant: Fedora,expires: 2359:05May2012, roles:
[admin,editor]}
This message is then encrypted with Keystones private key. Any service that
has Keystones public key can decrypt the message. Since it is decrypted
with the public key, it had to be encrypted by Keystone, and is therefore
valid. The Keystone Certificate only has to be distributed once to each
service, and can be fetched on demand.
-->
What is keystone private key? Do you mean user private key?
<!--When a user is created in Keystone, they will be given a
one-time-password that they will then use to establish a key-pair. Only the
Public Key will be stored on the Keystone server, the Private key will only
be stored on the end users system. The public key will be signed by the
certificate authority (X509) and then stored in the Keystone system. From
this point on, when authenticating to Keystone, the user will use the
client certificate.
-->
1) Why do we need to store users client cert in keystone system? BTW what
do you mean by keystone system? Is it keystone server? or any system
like swift/nova which uses keystone to authenticate
Thanks
On Tue, May 15, 2012 at 6:09 PM, Adam Young <ayoung@xxxxxxxxxx> wrote:
> Well, the PKI pieces are the same regardless of the CA and certificate
> issuing pieces. All we will need to do is to use a signing key to sign a
> document. So EJBCA or Dogtag will work equally as well. If people already
> have a CA infrastructure, they should be able to leverage that, too.
>
>
>
> On 05/15/2012 04:47 PM, Thor Wolpert wrote:
>
> If you're open to levarging other OSS projects,
> http://www.ejbca.org/architecture.html us a great one to look at,
> assuming you need a PKI implementation available.
>
> I believe it is at least worth a look.
>
> On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua <
> razique.mahroua@xxxxxxxxx> wrote:
>
>> great topic :)
>>
>>
>> Joseph Heck <heckj@xxxxxxx>
>> 15 mai 2012 21:06
>> Coming out of the Keystone meeting from today (
>> http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
>> I thought it worth mentioning that adam young has been doing some
>> tremendous lifting in terms of looking at adding in PKI support to
>> Keystone. The writeup and details are on the OpenStack wiki at
>> http://wiki.openstack.org/PKI
>>
>> I rather suspect there's a lot of interest in this topic, so I wanted to
>> make sure the broader community knew about the effort, what we were
>> thinking, and were we are.
>>
>> If you're interested in discussing, the keystone meeting is on Tuesday
>> mornings at 18:00 UTC
>>
>> -joe
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>> --
>> Nuage & Co - Razique Mahroua
>> razique.mahroua@xxxxxxxxx
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
References
