openstack team mailing list archive
Message #15645
Re: Keystone: 'PKI Signed Tokens' lack support for revocation
Hi Adam,
The blueprint as revised to address Joe's comments looks good to me - nice work. I especially like how the middleware is intended to cache the revocation list for a configurable amount of time - it mirrors how token caching already works.
Cheers,
Maru
On 2012-08-07, at 10:09 AM, Adam Young wrote:
> On 08/01/2012 09:19 PM, Maru Newby wrote:
>>
>> I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report:
>>
>> https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
>>
>> And the review:
>>
>> https://review.openstack.org/#/c/7754/
>>
>> I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?
>
> I have written up a blueprint for PKI token revocation. Please provide feedback.
>
>
> https://blueprints.launchpad.net/keystone/+spec/pki-revoke
>
>>
>> Thanks,
>>
>>
>> Maru
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
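
The middleware behaviour discussed in this thread, a revocation list cached for a configurable amount of time, sketched as an added example that is not part of the original messages and is not Keystone's code. `RevocationListCache`, `fetch` and the token id are hypothetical names, and the scenario is constructed.

```python
import time


class RevocationListCache:
    """TTL cache over a revocation list (hypothetical class, not Keystone's API)."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self._fetch = fetch        # callable returning the currently revoked token ids
        self._ttl = ttl_seconds    # the "configurable amount of time"
        self._clock = clock        # injectable so the demo needs no sleeping
        self._revoked = frozenset()
        self._expires_at = None    # None means the list was never fetched

    def is_revoked(self, token_id):
        now = self._clock()
        if self._expires_at is None or now >= self._expires_at:
            # Fail closed: if fetch() raises, the error propagates and the
            # caller must reject the token rather than trust a stale list.
            self._revoked = frozenset(self._fetch())
            self._expires_at = now + self._ttl
        return token_id in self._revoked


def demo():
    """Constructed scenario: a token is revoked 10 s after the list was cached."""
    server_side = set()            # stands in for the identity service's list
    now = [0.0]                    # fake clock, in seconds
    cache = RevocationListCache(lambda: set(server_side), ttl_seconds=300,
                                clock=lambda: now[0])
    token = "constructed-token-id"
    seen = [cache.is_revoked(token)]       # t=0: list fetched, token is valid
    now[0] = 10.0
    server_side.add(token)                 # revoked at the identity service
    now[0] = 299.0
    seen.append(cache.is_revoked(token))   # still accepted: cached list is stale
    now[0] = 300.0
    seen.append(cache.is_revoked(token))   # TTL expired, refetch sees revocation
    return seen


if __name__ == "__main__":
    print(demo())
```

The cache lifetime is the upper bound on how long a revoked token keeps validating at a service, so it is the value to tune against the cost of refetching the list.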