
yahoo-eng-team team mailing list archive

[Bug 1205153] Re: Unable to have multiple signing certs for PKI tokens


PKI Tokens are Deprecated

** Changed in: keystone
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1205153

Title:
  Unable to have multiple signing certs for PKI tokens

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  Right now Keystone assumes a single signing certificate.  In order to
  support multiple, we need to be able to identify which certificate to
  use in order to verify the token.

  Although the CMS-based tokens have a serial number embedded, to parse
  this information out would take an additional call to Popen the
  openssl binary.

  Instead, we should put a certificate identifier into the token itself
  that can be parsed out via simple string parsing.  An example would be

  CMS:41123:MII...

  CMS is just to identify token format. 41123 is the identifier. MII is
  the signed token as currently produced.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1205153/+subscriptions
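The bug above proposes a `CMS:<cert-id>:<signed-token>` layout so that a verifier can pick the right signing certificate with plain string operations instead of shelling out to openssl to read the CMS serial number. The following is an added example written for this page, not Keystone code and not an implementation of anything that was merged (the bug was closed Won't Fix because PKI tokens were deprecated). It shows how such a prefix would be parsed and how the certificate lookup should fail closed when the identifier is malformed or unknown. The certificate identifiers, the PEM placeholders and the treatment of unprefixed tokens as the existing single-certificate format are all assumptions made for the example.

```python
"""Parser for the proposed 'CMS:<cert-id>:<signed-token>' layout (bug 1205153).

Added example, not Keystone code. The proposal was never adopted; this only
illustrates the string-parsing approach the bug describes.
"""
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample: signing certificates a verifier would already hold,
# keyed by the identifier that appears in the token. The ids and the PEM
# bodies are invented for this example.
KNOWN_SIGNING_CERTS: Dict[str, str] = {
    "41123": "-----BEGIN CERTIFICATE-----\n(example cert A)\n-----END CERTIFICATE-----",
    "41124": "-----BEGIN CERTIFICATE-----\n(example cert B)\n-----END CERTIFICATE-----",
}

# Assumption: identifiers are decimal digits only. Restricting the charset
# keeps the identifier from carrying separators or path-like characters that
# could steer a naive lookup.
_CERT_ID_RE = re.compile(r"^[0-9]{1,20}$")


class ParsedToken(NamedTuple):
    fmt: str                 # "CMS" for the prefixed layout, "legacy" otherwise
    cert_id: Optional[str]   # None for a legacy (unprefixed) token
    payload: str             # the signed token body, e.g. "MII..."


class TokenFormatError(ValueError):
    """Raised when a token does not match the expected layout."""


def parse_prefixed_token(token: str) -> ParsedToken:
    """Split 'CMS:<id>:<payload>' using only string operations.

    maxsplit=2 keeps any ':' that appears inside the payload intact. A token
    that lacks the 'CMS:' prefix is treated as the current single-certificate
    format (assumption for this example) and returned with cert_id=None.
    """
    if not token.startswith("CMS:"):
        return ParsedToken("legacy", None, token)
    parts = token.split(":", 2)
    if len(parts) != 3:
        raise TokenFormatError("expected CMS:<cert-id>:<signed-token>")
    fmt, cert_id, payload = parts
    if not _CERT_ID_RE.match(cert_id):
        raise TokenFormatError("certificate identifier must be decimal digits")
    if not payload:
        raise TokenFormatError("empty signed token")
    return ParsedToken(fmt, cert_id, payload)


def select_signing_cert(
    token: str,
    known_certs: Dict[str, str] = KNOWN_SIGNING_CERTS,
    default_cert_id: Optional[str] = None,
) -> str:
    """Return the PEM certificate that should verify this token.

    Fails closed: an unknown identifier raises rather than falling back to
    trying every certificate, so a caller cannot choose which key is used.
    Legacy tokens are only accepted when the deployment names a default id.
    """
    parsed = parse_prefixed_token(token)
    cert_id = parsed.cert_id if parsed.cert_id is not None else default_cert_id
    if cert_id is None:
        raise LookupError("legacy token but no default signing certificate configured")
    try:
        return known_certs[cert_id]
    except KeyError:
        raise LookupError("no signing certificate for identifier %r" % cert_id)


def is_verifiable(token: str, default_cert_id: Optional[str] = None) -> bool:
    """Convenience wrapper: True only if a signing certificate can be selected."""
    try:
        select_signing_cert(token, default_cert_id=default_cert_id)
        return True
    except (TokenFormatError, LookupError):
        return False


if __name__ == "__main__":
    sample = "CMS:41123:MIIexampleSignedTokenBody"
    print(parse_prefixed_token(sample))
    print(select_signing_cert(sample).splitlines()[1])
```

The lookup deliberately does not fall back to the single configured certificate when the identifier is present but unknown; the identifier is attacker-controlled input until the signature has been checked, so the only safe responses to an unexpected value are to reject the token or to use a fixed, operator-configured default for tokens that carry no identifier at all.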