[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Adam Young ayoung at redhat.com
Wed Aug 21 16:35:14 UTC 2013

On 08/21/2013 11:44 AM, Jarret Raim wrote:
>> Dolph Mathews wrote:
>>> With regard
>>> to:
>>> https://blueprints.launchpad.net/keystone/+spec/key-distribution-server
>>> [...]
>> Dolph: you don't mention Barbican at all, does that mean that the issue
>> is settled and the KDS should live in keystone ?
> Dolph and I talked about having a design session to talk about how
> Barbican and Keystone will work together going forward. In this particular
> case, as I understand it, Simo is right. There isn't much need for
> Barbican to be involved in the PKI key signing (except maybe for key
> storage at some point, but that wouldn't' require a lot of changes if we
> did that).
KDS keys are not signed.  They are symmetric.

We are writing the KDS code sa a stand alone extension, such that if we 
change our mind about where it lives, we can migrate it without too much 
disruption.  However, I am pretty certain that it belongs in Keystone.  
THis is confirmation of identity for services, and it probably will 
interoperate with the service catalog over time. Keystone doesn't have a 
concept of a Service Principal the way that Kerberos does, but the KDS 
code really introduces that concept, and I think it will be important 
for more complex authorization rules in the future.

> Once the sessions are opened for Hong Kong, we'll put in for the design
> session.
> Jarret
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list