[openstack-dev] [Neutron][LBaaS]TLS API support for authentication

Carlos Garza carlos.garza at rackspace.com
Fri May 23 20:24:33 UTC 2014


    Right so are you advocating that the front end API never return a 
private key back to the user once regardless if the key was generated
on the back end or sent in to the API from the user? We kind of are
already are implying that they can refer to the key via a private 
key id.


On May 23, 2014, at 9:11 AM, John Dennis <jdennis at redhat.com>
 wrote:

> Using standard formats such as PEM and PKCS12 (most people don't use
> PKCS8 directly) is a good approach.

    We had to deal with PKCS8 manually in our CLB1.0 offering at rackspace. Too many customers complained.

> Be mindful that some cryptographic
> services do not provide *any* direct access to private keys (makes
> sense, right?). Private keys are shielded in some hardened container and
> the only way to refer to the private key is via some form of name
> association.

    Were anticipating referring the keys via a barbican key id which will be named later.


> Therefore your design should never depend on having access
> to a private key and

    But we need access enough to transport the key to the back end implementation though.

> should permit having the private key stored in some
> type of secure key storage.

   A secure repository for the private key is already a requirement that
we are attempting to meat with barbican.


> -- 
> John
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list