[openstack-dev] [Keystone] V3 auth API design input
d.w.chadwick at kent.ac.uk
Thu Jan 24 09:06:33 UTC 2013
On 24/01/2013 00:50, Adam Young wrote:
>> By the way, introducing holder of key into tokens solves the bearer
>> problem and does not require SSL/TLS. What it requires is simply that
>> the client signs the message containing the token with the key and
>> includes a nonce/timestamp in the signed message so that the recipient
>> can validate that the user is the holder of the token and the token
>> has not been replayed.
> Are you saying that the whole web requests would then be signed? Yes,
> that would work, and would be very effecient, but it would require
> extending all of the HTML aware parts to allow for signatures. I think
> that would be a very valuable extension.
The body of the POST needs to be signed. This does not stop a MITM, but
then neither does SSL if you have a forged cert in the name of the sender.
More information about the OpenStack-dev