[openstack-dev] [Security] Introducing Killick PKI
ayoung at redhat.com
Mon Oct 12 01:24:29 UTC 2015
On 10/11/2015 06:50 PM, Robert Collins wrote:
> On 9 October 2015 at 06:47, Adam Young <ayoung at redhat.com> wrote:
>> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
>>> Hi All,
>>> At a previous OpenStack Security Project IRC meeting, we briefly discussed
>>> a lightweight traditional PKI using the Anchor validation functionality, for
>>> use in internal deployments, as an alternative to things like MS ADCS. To
>>> take this further, I have drafted a spec, which is in the security-specs
>>> repo, and would appreciate feedback:
>> How is this better than Dogtag/FreeIPA?
> DogTag is Tomcat yeah? Thats no exactly trivial to deploy - the spec
> specifically calls out the desire to have a low-admin-overhead
> solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
> environment? I see that the dogtag-pki packages in Debian are up to
> date - perhaps more discussion w/ops is needed?
Tomcat is trivial to deploy; it is in all the major distributions
already. Dogtag is slightly more complex because it does things right
WRT security hardening the Tomcat instance. But the process is
automated as part of the Dogtag code base.
A better bet is using Dogtag as installed with FreeIPA. It is supported
in both Debian based and RPM based distributions. The dev team is
primarily Red Hat, with an Ubuntu packager dealing with the headaches of
getting it installed there. There is someone working on SuSE already as
well. FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.
We have a demo of Using Kerberos to authenticate and encrypt the
messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all
of the Web services. I'll be one of the people demoing it at the Red
Hat booth at Tokyo if you want to see it and ask questions directly.
For Self Signed certificates, we can use certmonger and the self-signed
backend; we should be using Certmonger as the cert management client no
matter what. There was a Certmonger- Barbican plugin underway, but I do
not know the status of it.
Let's not reinvent this; the security and cryptography focused people on
OpenStack are already spread thin. Lets focus on reusing pre-existing
More information about the OpenStack-dev