Open Stack

On Tue, 2013-04-30 at 08:27 -0400, Simo Sorce wrote:
> On Tue, 2013-04-30 at 12:03 +0100, Mark McLoughlin wrote:
> > Hi Simo,
> > 
> > On Thu, 2013-04-25 at 08:37 -0400, Simo Sorce wrote:
> > > Hello list,
> > > at the Summit we had a very interesting and productive discussion about
> > > Message Signing/Encryption for RPC Messages sent via the Message Queue.
> > > 
> > > I would like to present a proposal that uses symmetric keys and a
> > > central key server to address the problem:
> > > 
> > > https://wiki.openstack.org/wiki/MessageSecurity
> > > 
> > > I would really like to get feedback on the proposal, especially if there
> > > are corner cases I have not considered.
> > 
> > I admit I haven't spent much time considering all aspects of this, but
> > from a high level I like the idea and your diligence.
> > 
> > I'm working on a proposal for a redesign of the messaging API:
> > 
> >   https://wiki.openstack.org/wiki/Oslo/Messaging
> > 
> > I don't think this will affect your design in any way, and I don't think
> > your proposal changes the API design ... so that's all goodness.
> > 
> > One thing I've just realized we haven't taken into account is
> > notifications. There's probably a lot of value (to ceilometer at least,
> > I'd imagine) in using public-key encryption to sign those messages since
> > they are being broadcast to the world and there's no concept of the
> > sender knowing who the message is being sent to.
> > 
> > Maybe solving the notification signing issue is orthogonal to RPC
> > signing and encryption, but had you any thoughts on it?
> 
> I was under the impression that broadcasting to the world is a bad idea.

Ok, "broadcasting on a message bus that requires credentials to access".

An example would be a cloud operators fault analysis tool listening on
the bus for error events, applying some logic and alerting the right
people.

Cheers,
Mark.