[openstack-dev] key manager proposal
Paul Sarin-Pollet
psarpol at gmx.com
Thu Mar 7 14:51:19 UTC 2013
Hello Malini,
Thanks for this nice and complete blueprint.
I've got the following points I'd like to discuss.
KeyManager_client:
To reduce the modifications to the OpenStack modules, the KeyManager_client could:
- read the master key from the TPM
- generate random keys
- interface with the key manager
(KeyManager_client [put-key|get-key] <key-ID>, for example)
TPM management:
I'm not very familiar with TPM, but it seems to be associated with hardware. Is TPM usage standardized and common for
every manufacturer?
How long and difficult is it to configure the TPM to add a master key?
Key ID:
The key ID is as important as the key itself. It has to be unique in the entire system and must always be associated with
the object.
When the key scope is per user/project/domain, it's easy to manage.
When the key scope is per object/entity, it's more difficult.
For uniqueness, don't you think the key ID should be generated by the key manager? The KMIP protocol's CREATE operation
returns the unique ID.
Regards
Paul
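The KeyManager_client split and the manager-generated key-ID idea from the message above, as an added Python example; this is not code from the thread, from the OpenStack KeyManager blueprint, or from any KMIP implementation. Assumptions not in the message: the key manager is an in-memory dictionary standing in for a KMIP server and mints a UUID on create, the way the KMIP CREATE operation returns the unique ID; the "TPM master key" is a bytes value the caller reads and passes in, here a constructed placeholder; random keys come from os.urandom; and the master key is used (my choice of technique, not something the message specifies) to HMAC the key-ID/object binding so that a swapped or stale ID is rejected on get-key. KeyManager, KeyManagerClient, put_key and get_key are hypothetical names.

```python
"""Toy model of a KeyManager_client in front of a KMIP-style key manager.

Added illustration, not OpenStack or KMIP code. The manager is an in-memory
dict, the TPM master key is a caller-supplied bytes value, and the HMAC
binding of key ID to object is an assumption about how the master key is used.
"""
import hashlib
import hmac
import os
import uuid


class KeyManager:
    """Stand-in for a KMIP-style server: only the server mints key IDs."""

    def __init__(self):
        self._store = {}  # key_id -> (key material, attributes)

    def create(self, key_material, attributes):
        # Like KMIP CREATE: the unique identifier comes back from the manager,
        # so two clients that each register a key can never pick the same ID.
        key_id = str(uuid.uuid4())
        assert key_id not in self._store  # uuid4 collision is not expected
        self._store[key_id] = (bytes(key_material), dict(attributes))
        return key_id

    def get(self, key_id):
        material, _ = self._store[key_id]  # KeyError for an unknown ID
        return material

    def attributes(self, key_id):
        return dict(self._store[key_id][1])


class KeyManagerClient:
    """The KeyManager_client from the message: generates random keys, talks
    to the manager, and keeps the key ID associated with its object."""

    def __init__(self, key_manager, tpm_master_key):
        self._km = key_manager
        self._master = tpm_master_key  # assumption: read from the TPM by the caller
        self._bindings = {}            # object_id -> (key_id, binding tag)

    def _tag(self, object_id, key_id):
        # Bind object and key ID under the master key (assumption: HMAC), so a
        # binding table that is altered outside this process fails verification.
        msg = object_id.encode() + b"\0" + key_id.encode()
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def put_key(self, object_id, scope):
        key = os.urandom(32)  # fresh random data key for this object
        key_id = self._km.create(key, {"object": object_id, "scope": scope})
        self._bindings[object_id] = (key_id, self._tag(object_id, key_id))
        return key_id

    def get_key(self, object_id):
        key_id, tag = self._bindings[object_id]
        if not hmac.compare_digest(tag, self._tag(object_id, key_id)):
            raise ValueError("key-ID/object binding check failed for %s" % object_id)
        return self._km.get(key_id)


def demo():
    """Two clients registering per-object keys get distinct manager-minted IDs."""
    km = KeyManager()
    master = b"\x01" * 32  # constructed placeholder, NOT a real TPM master key
    node_a, node_b = KeyManagerClient(km, master), KeyManagerClient(km, master)
    id_a = node_a.put_key("volume-a", "per-object")
    id_b = node_b.put_key("volume-b", "per-object")
    return id_a != id_b and node_a.get_key("volume-a") == km.get(id_a)


if __name__ == "__main__":
    print("distinct IDs and round trip ok:", demo())
```

The point the example makes concrete is the one raised about uniqueness: because put_key never chooses the identifier itself, the per-object scope needs no coordination between nodes, and the only thing the client has to protect is the object-to-ID association it keeps locally.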
----- Original Message -----
From: Bhandaru, Malini K
Sent: 03/07/13 04:18 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] key manager proposal
Hello All!
When you get a chance, check out https://wiki.openstack.org/wiki/KeyManager
I hope I have captured ideas and addressed concerns we have discussed on this mailing list.
Regards
Malini