[openstack-dev] Move keypair management out of Nova and into Keystone?
Bryan D. Payne
bdpayne at acm.org
Tue Jul 2 15:12:02 UTC 2013
> > I don't understand. Users already have custody of their own keys. The
> > only thing that Keystone/Nova has is the public key fingerprint , not
> > the private key...
> You acatually have the public key, not just the fingerprint, but indeed
> I do not see why abrbican should be involved here. apublic key does not
> need the same level of protection of a private key or a symmetric
> encryption key, so by storing this data in barbican we would only
> needlessly expose barbican to more access patternsand more
> logging/auditing volume than is needed.
I believe you're confusing a couple of points here. In this case, for
public keys, what matters is integrity. For the other cases that you
mentioned, both integrity and confidentiality matter. I believe that given
the high integrity requirements that it *does* make sense to store these in
a more protected location.
+1 for using Barbican
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev