[openstack-dev] [nova][keystone] Message Queue Security
davanum at gmail.com
Thu Apr 25 13:20:56 UTC 2013
Nice! feedback after a quick browse and compare with xml-dsig
1. Can we please allow additional algorithms? (see DigestMethod in
). HMAC-SHA-256 can definitely be the default
2. Do we need some terminator between MetaData and Message during -
"Signature = HMAC(SignKey, (Version || MetaData || Message))"?
3. Assuming that _SIGNATURE_KEY maps to DigestValue in  right?
4. I am assuming the counter is to prevent replay attacks. can we
please use a nonce instead?
5. Can we please use ISO 8601 timestamps instead of unixtime?
I'll take a deeper look at the encryption later when i get a chance.
On Thu, Apr 25, 2013 at 8:37 AM, Simo Sorce <simo at redhat.com> wrote:
> Hello list,
> at the Summit we had a very interesting and productive discussion about
> Message Signing/Encryption for RPC Messages sent via the Message Queue.
> I would like to present a proposal that uses symmetric keys and a
> central key server to address the problem:
> I would really like to get feedback on the proposal, especially if there
> are corner cases I have not considered.
> Simo Sorce * Red Hat, Inc * New York
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
Davanum Srinivas :: http://davanum.wordpress.com
More information about the OpenStack-dev