[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Douglas Mendizábal douglas.mendizabal at rackspace.com
Wed Jan 18 18:33:15 UTC 2017


I'm very much interested in an out-of-the-box software-only backend
driver for Barbican.

I think that one of the reasons people have been hesitant to deploy
Barbican is that we claim that our Simple Crypto software-only driver
is "not secure in any way", when really we should be saying that it
provides minimal security which may or may not be acceptable to your
business.

I believe we could provide a level of security comparable to
software-only Vault with considerably less effort than it would take
to create a driver that can utilize Vault.

We could, for example, add a new API call to provide the encryption
key at runtime instead of requiring it to be present in the conf file.

- Douglas

On 1/16/17 12:43 PM, Rob C wrote:
> 
> The last I checked, Rob, they also support DogTag IPA, which is
> purely a software-based HSM. Hopefully the Barbican team can
> confirm this. -- Ian Cordasco
> 
> 
> Yup, that's my understanding too. However, that requires Barbican
> _and_ Dogtag, an even bigger overhead. Especially as at least
> historically Dogtag has been difficult to maintain. If you have a
> deployment already, there's a great synergy there. If you don't
> then it introduces a lot of overhead.
> 
> I'm interested to know if an out-of-the-box, stand-alone
> software-only version of Barbican would be any more appealing.
> 
> Cheers -Rob
> 
> 
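To make the "key provided at runtime instead of in the conf file" idea concrete, here is an added illustration (not Barbican code and not the Simple Crypto driver) of a software-only store that starts sealed, accepts its key-encryption key through an unseal call, and refuses secret operations until it has one. The class and method names (SoftwareStore, unseal, seal, store, retrieve) are hypothetical. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, standing in for the AES-GCM a real driver would use from a vetted library; the per-project key derivation and the authenticated binding of each blob to its secret id are the parts that matter for the design.

```python
"""Software-only secret store whose KEK arrives at runtime (added example).

Hypothetical names; stdlib-only stand-in cipher, not Barbican's driver code.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class SealedError(RuntimeError):
    """Raised when a secret operation is attempted before unseal()."""


def _derive(kek: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey from the KEK (HMAC as a PRF)."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(kek: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, tag covers aad."""
    enc_key, mac_key = _derive(kek, b"enc"), _derive(kek, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag (constant time) before decrypting; raises on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(kek, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_derive(kek, b"enc"), nonce, len(ct))))


class SoftwareStore:
    """Starts sealed: no KEK in memory, nothing read from a config file."""

    def __init__(self) -> None:
        self._kek = None
        self._blobs = {}  # secret_id -> wrapped blob (would be the DB row)

    @property
    def sealed(self) -> bool:
        return self._kek is None

    def unseal(self, kek: bytes) -> None:
        """The proposed runtime API call: operator supplies the KEK at startup."""
        if len(kek) < 32:
            raise ValueError("KEK must be at least 256 bits")
        self._kek = bytes(kek)

    def seal(self) -> None:
        """Drop the KEK; the wrapped blobs on disk stay unreadable."""
        self._kek = None

    def _project_kek(self, project_id: str) -> bytes:
        if self.sealed:
            raise SealedError("store is sealed; call unseal() first")
        # Per-project subkey: a blob can only be opened under its own project.
        return _derive(self._kek, b"project:" + project_id.encode())

    def store(self, project_id: str, secret_id: str, payload: bytes) -> None:
        self._blobs[secret_id] = wrap(self._project_kek(project_id), payload, secret_id.encode())

    def retrieve(self, project_id: str, secret_id: str) -> bytes:
        return unwrap(self._project_kek(project_id), self._blobs[secret_id], secret_id.encode())


def demo() -> dict:
    """Run the lifecycle once and report what happened at each step."""
    result = {}
    store = SoftwareStore()
    try:
        store.store("proj-a", "db-password", b"hunter2")
        result["before_unseal"] = "allowed"
    except SealedError:
        result["before_unseal"] = "refused"
    store.unseal(secrets.token_bytes(32))  # constructed KEK, never written to disk
    store.store("proj-a", "db-password", b"hunter2")
    result["roundtrip"] = store.retrieve("proj-a", "db-password")
    try:
        store.retrieve("proj-b", "db-password")
        result["cross_project"] = "allowed"
    except ValueError:
        result["cross_project"] = "refused"
    store.seal()
    result["sealed_again"] = store.sealed
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the unseal call is that the KEK exists only in process memory and in whatever the operator used to supply it; a copy of the config file plus the database no longer yields the secrets, which is the threat that "key in the conf file" fails against. Barbican's API would still have to authenticate the unseal caller and the store would need to re-seal on restart, which is the same operational model as a software-only Vault.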