[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Ian Cordasco sigmavirus24 at gmail.com
Mon Jan 16 18:50:42 UTC 2017


-----Original Message-----
From: Chris Friesen <chris.friesen at windriver.com>
Reply: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Date: January 16, 2017 at 11:26:41
To: openstack-dev at lists.openstack.org <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are
projects trying to avoid Barbican, still?

> On 01/16/2017 10:31 AM, Rob C wrote:
>
> > I think the main point has already been hit on, developers don't want to
> > require that Barbican be deployed in order for their service to be
> > used.
>
> I think that this is a perfectly reasonable stance for developers to take. As
> long as Barbican is an optional component, then making your service depend on it
> has a good chance of limiting your potential install base.
>
> Given that, it seems like the ideal model from a security perspective would be
> to use Barbican if it's available at runtime, otherwise use something else...but
> that has development and maintenance costs.

More seriously, it requires developers who aren't familiar with
securely storing that kind of data to re-implement exactly what Barbican
has done, potentially.

Being realistic, and not to discount anyone's willingness to try, but
I think the largest group of people qualified to build, review, and
maintain that kind of software would be the Barbican team.

I guess the question then becomes: How many operators would be willing
to deploy Barbican versus having to update each service as
vulnerabilities are found, disclosed, and fixed in their clouds? If
Barbican is as difficult to deploy as Rob is suggesting (that even
DogTag is difficult to deploy), maybe developers should be focusing on
fixing that instead of haphazardly reimplementing Barbican?

--
Ian Cordasco
