[openstack-dev] Move keypair management out of Nova and into Keystone?

Jay Pipes jaypipes at gmail.com
Tue Jul 2 15:22:34 UTC 2013


On 07/02/2013 11:12 AM, Bryan D. Payne wrote:
>
>      > I don't understand. Users already have custody of their own keys. The
>      > only thing that Keystone/Nova has is the public key fingerprint [1], not
>      > the private key...
>
>     You actually have the public key, not just the fingerprint, but indeed
>     I do not see why barbican should be involved here.  A public key does not
>     need the same level of protection as a private key or a symmetric
>     encryption key, so by storing this data in barbican we would only
>     needlessly expose barbican to more access patterns and more
>     logging/auditing volume than is needed.
>
>
> I believe you're confusing a couple of points here.  In this case, for
> public keys, what matters is integrity.  For the other cases that you
> mentioned, both integrity and confidentiality matter.  I believe that
> given the high integrity requirements that it *does* make sense to store
> these in a more protected location.
>
> +1 for using Barbican
>
> -bryan

Simo just got finished saying Barbican was *not* the correct place to 
put this information...

-jay