[openstack-dev] [Neutron] SSL VPN Implementation

Jarret Raim jarret.raim at RACKSPACE.COM
Thu May 1 09:56:33 UTC 2014


Zang mentioned that part of the issue is that the private key has to be
stored in the OpenVPN config file. If the config files are generated and
can be stored, then storing the whole config file in Barbican protects the
private key (and any other settings) without having to try to deliver the
key to the OpenVPN endpoint in some non-standard way.


Jarret

On 4/30/14, 6:08 PM, "Nachi Ueno" <nachi at ntti3.com> wrote:

>> Jarret
>
>Thanks!
>Currently, the config will be generated on demand by the agent.
>What's the merit of storing the entire config in Barbican?
>
>> Kyle
>Thanks!
>
>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>>> Hi Clint
>>>
>>> Thank you for your suggestion. Your point is taken :)
>>>
>>>> Kyle
>>> This is also the same discussion for LBaaS.
>>> Can we discuss this in the advanced services meeting?
>>>
>> Yes! I think we should definitely discuss this in the advanced
>> services meeting today. I've added it to the agenda [1].
>>
>> Thanks,
>> Kyle
>>
>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
>>
>>>> Zang
>>> Could you join the discussion?
>>>
>>>
>>>
>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <clint at fewbar.com>:
>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
>>>>> Hi Kyle
>>>>>
>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>>>>> >> Hi Zang
>>>>> >>
>>>>> >> Thank you for your contribution on this!
>>>>> >> The private key management is what I want to discuss in the summit.
>>>>> >>
>>>>> > Has the idea of using Barbican been discussed before? There are many
>>>>> > reasons why using Barbican for this may be better than developing key
>>>>> > management ourselves.
>>>>>
>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
>>>>> certificate management topic in the advanced service session.
>>>>>
>>>>
>>>> Just a suggestion: Don't defer that until the summit. Sounds like you've
>>>> already got some consensus, so you don't need the summit just to rubber
>>>> stamp it. I suggest discussing as much as you can right now on the mailing
>>>> list, and using the time at the summit to resolve any complicated issues
>>>> including any "a or b" things that need crowd-sourced idea making. You
>>>> can also use the summit time to communicate your requirements to the
>>>> Barbican developers.
>>>>
>>>> Point is: just because you'll have face time, doesn't mean you should
>>>> use it for what can be done via the mailing list.
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev