[openstack-dev] [keystone][nova] New blueprint related to message security

Jarret Raim jarret.raim at RACKSPACE.COM
Wed May 8 15:55:02 UTC 2013


On 5/7/13 3:31 PM, "Simo Sorce" <simo at redhat.com> wrote:


>New blueprint:
>https://blueprints.launchpad.net/keystone/+spec/key-distribution-server
>
>This is the server part needed to implement Message Security for Havana.

I agree that Keystone should own the assignment of keys to accounts for
use in authentication and the /kds endpoint seems fine to me, but I would
suggest that instead of Keystone returning the keying material directly,
it just returns a URI to the Barbican API.

When we talked about key management at the design summit, it seemed like
Keystone didn't want to take on a lot of the secure storage (common
criteria, fips) stuff or the logging & auditing requirements for a key
management solution. If Keystone uses Barbican as its backend store for
keys (while still owning the lifecycle of those keys and the mapping of
those to services) that seems to make the most sense?
Thoughts?


Jarret
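To make the indirection Jarret is suggesting concrete, here is an added toy model, written for this page and not code from Keystone, Barbican or the key-distribution-server blueprint. A KDS stand-in owns the key lifecycle and the service-to-key mapping, but its response carries only a secret reference; the key bytes live in a Barbican-like store that enforces who may read them and records every access. The store's URI shape, method names, the `https://barbican.example` endpoint and the service names are all assumptions for the example, not Barbican's real API.

```python
import hashlib
import hmac
import os
import uuid


class SecretStore:
    """Stand-in for a Barbican-like secret store (hypothetical API, not Barbican's).

    It owns the key bytes, enforces who may read them and records every access,
    which is the logging & auditing burden the thread says Keystone wanted to avoid.
    """

    def __init__(self, base_url):
        self.base_url = base_url
        self._secrets = {}   # secret id -> key bytes
        self._acl = {}       # secret id -> set of principals allowed to read
        self.audit = []      # (event, principal, secret id) tuples

    def store(self, owner, key_bytes):
        sid = str(uuid.uuid4())
        self._secrets[sid] = key_bytes
        self._acl[sid] = {owner}
        self.audit.append(("store", owner, sid))
        return f"{self.base_url}/v1/secrets/{sid}"   # URI shape is an assumption

    def grant(self, ref, principal):
        self._acl[self._sid(ref)].add(principal)

    def fetch(self, ref, principal):
        sid = self._sid(ref)
        if principal not in self._acl.get(sid, set()):
            self.audit.append(("deny", principal, sid))
            raise PermissionError(f"{principal} may not read secret {sid}")
        self.audit.append(("fetch", principal, sid))
        return self._secrets[sid]

    @staticmethod
    def _sid(ref):
        return ref.rsplit("/", 1)[-1]


class KeyDistributionServer:
    """Keystone /kds stand-in: owns key lifecycle and the service-to-key mapping,
    but hands out a reference into the store, never the key material itself."""

    def __init__(self, store):
        self.store = store
        self.assignments = {}  # (source, destination) -> secret reference

    def assign_key(self, source, destination):
        key = os.urandom(32)
        ref = self.store.store(source, key)
        self.store.grant(ref, destination)
        self.assignments[(source, destination)] = ref
        # The response carries only the reference; key bytes never leave the store.
        return {"source": source, "destination": destination, "secret_ref": ref}


def sign_message(store, ref, principal, message):
    """A service resolves the reference under its own identity, then signs."""
    key = store.fetch(ref, principal)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def demo():
    store = SecretStore("https://barbican.example")  # hypothetical endpoint
    kds = KeyDistributionServer(store)
    ticket = kds.assign_key("nova-compute", "nova-conductor")
    msg = b'{"method": "build_instance"}'  # constructed sample RPC payload
    sig_sender = sign_message(store, ticket["secret_ref"], "nova-compute", msg)
    sig_receiver = sign_message(store, ticket["secret_ref"], "nova-conductor", msg)
    try:
        sign_message(store, ticket["secret_ref"], "glance-api", msg)
        third_party_denied = False
    except PermissionError:
        third_party_denied = True
    return {
        "ticket": ticket,
        "signatures_match": hmac.compare_digest(sig_sender, sig_receiver),
        "third_party_denied": third_party_denied,
        "audit": store.audit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the split is visible in `demo()`: the KDS ticket contains no key bytes, each service fetches the key under its own identity so the store can log and deny on a per-principal basis, and a service that was never granted access (the `glance-api` stand-in) is refused and leaves a denial in the audit trail without the KDS ever having handled the material.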