[openstack-dev] Move keypair management out of Nova and into Keystone?

Bryan D. Payne bdpayne at acm.org
Tue Jul 2 15:12:02 UTC 2013


> > I don't understand. Users already have custody of their own keys. The
> > only thing that Keystone/Nova has is the public key fingerprint [1], not
> > the private key...
>
> You actually have the public key, not just the fingerprint, but indeed
> I do not see why barbican should be involved here.  A public key does not
> need the same level of protection of a private key or a symmetric
> encryption key, so by storing this data in barbican we would only
> needlessly expose barbican to more access patterns and more
> logging/auditing volume than is needed.
>

I believe you're confusing a couple of points here.  In this case, for
public keys, what matters is integrity.  For the other cases that you
mentioned, both integrity and confidentiality matter.  I believe that, given
the high integrity requirements, it *does* make sense to store these in
a more protected location.

+1 for using Barbican

-bryan