yahoo-eng-team team mailing list archive
Message #11158
[Bug 1288693] Re: PKI token is possible to validate via GET call
This is by design to account for clients that are not PKI-aware. Until
we drop support for UUID tokens and the corresponding HTTP APIs for
validating tokens, this support should remain.
On the MD5 point specifically, see bug 1174499.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1288693
Title:
PKI token is possible to validate via GET call
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
PKI token should be validated only using Cert and Revocation list.
There is no need for any user to fetch/validate the PKI token by
making a GET call. Currently, a PKI token, similar to a UUID token, can be
validated/fetched by making a GET call:
v2.0/tokens/{tokenId}
Here tokenId can be the whole PKI token or the MD5 hash of the token.
This opens the possibility that a custom service can start using this
approach for PKI token validation rather than PKI signature verification
using the cert.
This could potentially open a possible attack by a malicious service
(insider attacker with service role) to fetch a PKI token for a user by
guessing or exploiting the weakness of the MD5 token_id.
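Added example, not part of the bug report or of Keystone's own code: a small detector that scans access-log lines for GET/HEAD calls on v2.0/tokens/{tokenId} where the id is a full PKI token, or, when the deployment is assumed to issue only PKI tokens, a 32-hex id that can then only be an MD5 token_id. The log format, IPs and token values are constructed, and the `pki_only` flag is an assumption about the deployment, since a 32-hex id is otherwise indistinguishable from a UUID token.

```python
import re

# Constructed sample access-log lines in Apache combined style (not real
# data): a 32-hex id, a full PKI token (CMS base64, starts with "MII"),
# another 32-hex id via HEAD, and a token issuance POST that must be ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2014:10:01:02 +0000] "GET /v2.0/tokens/3f2a9c4e8b1d4a6f9e0c7b2d5a8f1e3c HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2014:10:01:03 +0000] "GET /v2.0/tokens/MIIBzzCCAbQCAQExDTALBglghkgBZQMEAgEwCwYJKoZIhvcNAQcBoIIBHjCCARowgA HTTP/1.1" 200 2048
10.0.0.7 - - [10/Mar/2014:10:01:04 +0000] "HEAD /v2.0/tokens/9f86d081884c7d659a2feaa0c55ad015 HTTP/1.1" 200 0
10.0.0.9 - - [10/Mar/2014:10:01:05 +0000] "POST /v2.0/tokens HTTP/1.1" 200 2048
"""

# Only GET/HEAD on v2.0/tokens/{tokenId} are validation calls; POST issues tokens.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>GET|HEAD) /v2\.0/tokens/(?P<tid>[^ /?]+) HTTP'
)
HEX32_RE = re.compile(r'^[0-9a-f]{32}$')
# A full PKI token is a long base64 CMS blob (DER, so it starts with "MII").
PKI_RE = re.compile(r'^MII[A-Za-z0-9+/=%-]{40,}$')


def classify_token_id(tid: str, pki_only: bool) -> str:
    """Classify the path segment used for a v2.0 token validation call.

    A 32-hex id is either a UUID token or the MD5 of a PKI token; the log
    line alone cannot tell them apart, so the caller states whether the
    deployment issues only PKI tokens (assumed deployment knowledge).
    """
    if PKI_RE.match(tid):
        return "pki_full_token"
    if HEX32_RE.match(tid):
        return "pki_md5" if pki_only else "uuid_or_md5"
    return "unknown"


def find_online_pki_validation(log_text: str, pki_only: bool) -> list:
    """Return (source_ip, method, class) for every GET/HEAD validation call
    that identifies a PKI token instead of verifying it offline with the cert."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cls = classify_token_id(m.group("tid"), pki_only)
        if cls.startswith("pki_"):
            findings.append((m.group("src"), m.group("method"), cls))
    return findings


if __name__ == "__main__":
    for finding in find_online_pki_validation(SAMPLE_LOG, pki_only=True):
        print(finding)
```

Each finding names a caller that should be verifying the CMS signature and revocation list locally rather than round-tripping to Keystone.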