[openstack-dev] [barbican] Deprecating Certificate Issuance

Douglas Mendizábal douglas.mendizabal at rackspace.com
Thu Sep 15 17:58:03 UTC 2016


Hello Openstack-dev,

The Barbican team will be deprecating the Certificate Issuance feature
in Barbican for the Newton release.  This is something that the
community has been discussing since before the Tokyo summit, and we feel
now is the right time to begin the deprecation process.  I'll try to
answer some common questions about this decision below:

* Why are we deprecating Certificate Issuance?

There are a few reasons that were considered for this decision.  First,
there does not seem to be a lot of interest in the community to fully
develop the Certificate Authority integration with Barbican.  We have a
few outstanding blueprints that are needed to make Certificate Issuance
fully functional, but so far no one has committed to getting the work
done.  Additionally, we've had very little buy-in from public
Certificate Authorities.  Both Symantec and Digicert were interested in
integration in the past, but that interest didn't materialize into
robust CA plugins like we hoped it would.

Secondly, there have been new developments in the space of Certificate
Authorities since we started Barbican.  The most significant of these
was the launch of the Let's Encrypt public CA along with the definition
of the ACME protocol for certificate issuance.  We believe that future
certificate authority services would do well to implement the ACME
standard, which is quite different than the API the Barbican team had
developed.

Lastly, deprecating Certificate Issuance within Barbican will simplify
both the architecture and deployment of Barbican.  This will allow us to
focus on the features that Barbican does well: the secure storage of
secret material.

* Will Barbican still be able to store Certificates?

Yes, absolutely!  The only thing we're deprecating is the plugin
interface that talks to Certificate Authorities and associated APIs.
While you will not be able to use Barbican to issue a new certificate,
you will always be able to securely store any certificates in Barbican,
including those issued by public CAs or internal CAs.

* When will the APIs be removed?

The Barbican team will follow the standard deprecation policy for this
feature.  All APIs will still ship as part of the Newton release, and
we'll begin the deprecation work in the Ocata cycle.

Feel free to ask any other questions you may have.

Thanks,
Douglas Mendizábal
Barbican PTL
