Open Stack

> We propose changing from 'orders' to 'requests'...so to request that Barbican
> create a new secret (or start a process to generate a secret) clients would
> issue a 'request'. This seems more natural, and a bit less overused than 
> 'orders'. 

I think request sounds more overused than orders. I was not that thrilled with 
orders, but I do like it more than request. What about something like 
secretfactory, secretgenerator, or something else along those lines? I'm not
too picky either way with whatever you pick.

> The next step would be to provide the actual plain-text to encrypt/store in
> Barbican, via a follow up PUT call to the new secret, with the Accept header
> set to the mime-type above (say application/pem). This data would then be
> encrypted and stored by Barbican. To address Malini's concern about wrecking
> systems already using a key to encrypt their data, we may only allow one such 
> PUT request to happen per secret.

I would like to see the put operation be one step. Making it two operations 
seems a bit forced and introduces more overhead, IMHO. Now the key manager server
must wait for another web request for the actual key. What about time outs, or
if the second operation never happens. You are then in a weird state.

I would specify the type, and include the bytes for it. Then you can do it all
in one step. For instance, specify application/aes-256-cbc as mime type and 
then include the bytes for the key. The server then stores the bytes, and it 
can assume the bytes are in the format specified. Or do a check to make sure 
they are formatted correctly to make it more secure.

-Nate