yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1758007] [NEW] "Key pair" should be "public key" in several places

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Olaf Seibert <1758007@xxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Mar 2018 10:00:37 -0000
Reply-to: Bug 1758007 <1758007@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Under the page https://..../horizon/project/access_and_security/ (you
get there via Project -> Compute -> Access & Security), there are
several mentions of "Key Pair": "Key Pair Name", "Import Key Pair",
"Delete Key Pair", "Delete Key Pairs".

Fortunately, none of these actions are really about secret keys. They
are all about public keys, so all of these mentions are wrong and should
be "Public Key".

The one exception is "Create Key Pair". That option does generate a
public and a private key. However, that is inherently insecure. Private
keys must never leave the end-user's computer. They must certainly never
be generated remotely. (See the recent issue about the SSL private keys
which were archived by a certificate reseller, for instance at
https://arstechnica.com/information-technology/2018/03/23000-https-
certificates-axed-after-ceo-e-mails-private-keys/ ). Therefore this
button and related functionality must be removed.

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1758007

Title:
  "Key pair" should be "public key" in several places

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  Under the page https://..../horizon/project/access_and_security/ (you
  get there via Project -> Compute -> Access & Security), there are
  several mentions of "Key Pair": "Key Pair Name", "Import Key Pair",
  "Delete Key Pair", "Delete Key Pairs".

  Fortunately, none of these actions are really about secret keys. They
  are all about public keys, so all of these mentions are wrong and
  should be "Public Key".

  The one exception is "Create Key Pair". That option does generate a
  public and a private key. However, that is inherently insecure.
  Private keys must never leave the end-user's computer. They must
  certainly never be generated remotely. (See the recent issue about the
  SSL private keys which were archived by a certificate reseller, for
  instance at https://arstechnica.com/information-
  technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-
  private-keys/ ). Therefore this button and related functionality must
  be removed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1758007/+subscriptions

Follow ups

[Bug 1758007] Re: "Key pair" should be "public key" in several places
From: Launchpad Bug Tracker, 2018-07-01