[openstack-dev] [openstack-ansible][security] Improving SSL/TLS in OpenStack-Ansible

Major Hayden major at mhtx.net
Fri Jan 15 14:18:39 UTC 2016


Hey folks,

I've attended some of the OpenStack Security Mid-Cycle meeting this week and Robert Clark was kind enough to give me a deep dive on the Anchor project[1].  We had a good discussion around my original email thread[2] on improving SSL/TLS certificates within OpenStack-Ansible (OSA) and we went over my proposed spec[3] on the topic.

Jean-Philippe Evrard helped me assemble an etherpad[4] this morning where we brainstormed some problem statements, user stories, and potential solutions for improving the certificate experience in OSA.  It seems like an ephemeral PKI solution, like Anchor, might provide a better certificate experience for users while also making the revocation and issuance process easier.

I'd really like to get some feedback from the OpenStack community on our current brainstorming efforts.  We've enumerated a few use cases and user stories already, but we've probably missed some other important ones.  Feel free to stop by #openstack-ansible or join us in the etherpad.

Thanks!

[1] https://wiki.openstack.org/wiki/Security/Projects/Anchor
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-October/077877.html
[3] https://review.openstack.org/#/c/243332/
[4] https://etherpad.openstack.org/p/openstack-ansible-tls-improvement

--
Major Hayden