[openstack-dev] [Security] Introducing Killick PKI

Clark, Robert Graham robert.clark at hpe.com
Mon Oct 12 08:18:45 UTC 2015

> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: 12 October 2015 02:24
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] [Security] Introducing Killick PKI
> On 10/11/2015 06:50 PM, Robert Collins wrote:
> > On 9 October 2015 at 06:47, Adam Young <ayoung at redhat.com> wrote:
> >> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
> >>> Hi All,
> >>>
> >>> At a previous OpenStack Security Project IRC meeting, we briefly discussed
> >>> a lightweight traditional PKI using the Anchor validation functionality, for
> >>> use in internal deployments, as an alternative to things like MS ADCS. To
> >>> take this further, I have drafted a spec, which is in the security-specs
> >>> repo, and would appreciate feedback:
> >>>
> >>> https://review.openstack.org/#/c/231955/
> >>>
> >>> Regards
> >>>
> >>> Doug
> >> How is this better than Dogtag/FreeIPA?
> > DogTag is Tomcat yeah? Thats no exactly trivial to deploy - the spec
> > specifically calls out the desire to have a low-admin-overhead
> > solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
> > environment? I see that the dogtag-pki packages in Debian are up to
> > date - perhaps more discussion w/ops is needed?
> Tomcat is trivial to deploy; it is in all the major distributions
> already. Dogtag is slightly more complex because it does things right
> WRT security hardening the Tomcat instance.  But the process is
> automated as part of the Dogtag code base.
> A better bet is using Dogtag as installed with FreeIPA. It is supported
> in both Debian based and RPM based distributions.  The dev team is
> primarily Red Hat, with an Ubuntu packager dealing with the headaches of
> getting it installed there.  There is someone working on SuSE already as
> well.  FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.
> We have a demo of Using Kerberos to authenticate and encrypt the
> messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all
> of the Web services.  I'll be one of the people demoing it at the Red
> Hat booth at Tokyo if you want to see it and ask questions directly.
> For Self Signed certificates, we can use certmonger and the self-signed
> backend; we should be using Certmonger as the cert management client no
> matter what.  There was a Certmonger- Barbican plugin underway, but I do
> not know the status of it.
> Let's not reinvent this; the security and cryptography focused people on
> OpenStack are already spread thin. Lets focus on reusing pre-existing
> solutions.

There's very little out there in terms of easy to use, deploy and scale PKI systems. ADCS is very tightly coupled to Windows, EJBCA is clunky, pyCA isn't supported anymore afaik and my personal experience with Dogtag (YMMV of course) is that it was difficult to setup and maintain. Now that was some time ago, when the available documentation didn't match with the shipping version and Ubuntu support wasn't a thing so I'm sure it's moved on now and it's possibly great - but - that's no reason to not have a crack at making something better. (For some personal interpretation of "better").

Reinvention can be good, after all, if it wasn't OpenStack probably wouldn't be a thing.


More information about the OpenStack-dev mailing list