openstack team mailing list archive

Thread
Date

Re: Keystone: 'PKI Signed Tokens' lack support for revocation

To: Maru Newby <mnewby@xxxxxxxxxxxx>, "<openstack@xxxxxxxxxxxxxxxxxxx> (openstack@xxxxxxxxxxxxxxxxxxx)" <openstack@xxxxxxxxxxxxxxxxxxx>
From: "Rouault, Jason (Cloud Services)" <jason.rouault@xxxxxx>
Date: Thu, 2 Aug 2012 14:41:54 +0000
Accept-language: en-US
In-reply-to: <71BD4F07-1B97-46E4-BF67-08BB8B765A5B@internap.com>
Thread-index: AQHNcE8rbVujxxZNBE+lTiHFomROMJdGmHfg
Thread-topic: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

This was a concern for HP as well.  This is one of the reasons we were happy
to see that signed tokens are currently a deployment option.  So, you can
continue to use the unsigned model until such a time that revocation can be
put into place for the token signing model.

 

Jason

 

From: openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx
[mailto:openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx] On
Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: <openstack@xxxxxxxxxxxxxxxxxxx> (openstack@xxxxxxxxxxxxxxxxxxx)
Subject: [Openstack] Keystone: 'PKI Signed Tokens' lack support for
revocation

 

I see that support for PKI Signed Tokens has been added to Keystone without
support for token revocation.  I tried to raise this issue on the bug
report:

 

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

 

And the review:

 

https://review.openstack.org/#/c/7754/

 

I'm curious as to whether anybody shares my concern and if there is a
specific reason why nobody responded to my question as to why revocation is
not required for this new token scheme.   Anybody?

 

Thanks,

 

 

Maru

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References

Keystone: 'PKI Signed Tokens' lack support for revocation
From: Maru Newby, 2012-08-02