← Back to team overview

openstack team mailing list archive

Re: Keystone: 'PKI Signed Tokens' lack support for revocation

 

Hi Adam,

The blueprint as revised to address Joe's comments looks good to me - nice work.  I especially like how the middleware is intended to cache the revocation list for a configurable amount of time - it mirrors how token caching already works.

Cheers,


Maru

On 2012-08-07, at 10:09 AM, Adam Young wrote:

> On 08/01/2012 09:19 PM, Maru Newby wrote:
>> 
>> I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation.  I tried to raise this issue on the bug report:
>> 
>> https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
>> 
>> And the review:
>> 
>> https://review.openstack.org/#/c/7754/
>> 
>> I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme.   Anybody?
> 
> I have written up a blueprint for PKI token revocation.  Please provide feedback.
> 
> 
> https://blueprints.launchpad.net/keystone/+spec/pki-revoke
> 
>> 
>> Thanks,
>> 
>> 
>> Maru
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
> 
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp


References