<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1126461189;
mso-list-type:hybrid;
mso-list-template-ids:-1091145880 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1566604387;
mso-list-type:hybrid;
mso-list-template-ids:930882122 1285866952 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-start-at:6;
mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:27.6pt;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.6pt;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:99.6pt;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:135.6pt;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:171.6pt;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:207.6pt;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:243.6pt;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:279.6pt;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:315.6pt;
text-indent:-9.0pt;}
@list l2
{mso-list-id:2044943354;
mso-list-type:hybrid;
mso-list-template-ids:-1091145880 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText">Greetings Simo, Jay, Bryan, Jarret, Dolph, Phil, Nachi, Jamie, Thierry, Arvind and others!<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l2 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>The key manager, barbican, under development supports the blueprint we developed and discussed on this mailing list.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><a href="https://wiki.openstack.org/wiki/KeyManager#Key_Manager">https://wiki.openstack.org/wiki/KeyManager#Key_Manager</a><o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l2 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Its full featured version is to hold all things “key” related, including public keys and certificates, their renewal and supporting necessary KMIP interfaces.
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l2 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Only authenticated users/services can access the keys in barbican, barbican itself uses keystone for authentication and authorization like other OpenStack services.
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l2 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">4)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>First use case to support is <b>volume encryption</b> (John Hopkins Applied Physics Lab team)
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><a href="https://review.openstack.org/30976">https://review.openstack.org/30976</a><o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l2 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">5)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Rackspace (Jarret and his team) and Intel have been working hard to meet Havana release milestones.
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText">At the Portland summit we did discuss whether to keep the key management functionality as a separate entity or as a part of keystone.<o:p></o:p></p>
<p class="MsoPlainText">Participants included Adam Young, Dolph, and several other keystone cores and the Rackspace and Intel folks.<o:p></o:p></p>
<p class="MsoPlainText"> 1) pro - if part of keystone, less of an incubation hurdle.<o:p></o:p></p>
<p class="MsoPlainText"> 2) cons - keystone is already feature rich and this is a separate piece of functionality. Should we want to later pull it out and float as a separate service a lot of work. (The need for a key manager has been felt as more of us
seek to provide greater security for user data at rest (volumes, objects) )<o:p></o:p></p>
<p class="MsoPlainText"> 3) Key manager would be a pluggable module for folks who might want an HSM.
<o:p></o:p></p>
<p class="MsoPlainText"> 4) We did mention at the summit that storing nova ssl keys to access instances could be shifted to the key manager given a broader scope as a <o:p></o:p></p>
<p class="MsoPlainText"> repository of all things used to encrypt/decrypt data.<o:p></o:p></p>
<p class="MsoPlainText"> 5) Saving the users’, OpenStack service endpoints’, and instance pubic keys and/or certificate
<b>intersects </b>with Keystone's identity credential storage.<o:p></o:p></p>
<p class="MsoPlainText"> <b>All things identity related are the prerogative of keystone.
<o:p></o:p></b></p>
<p class="MsoPlainText"> This is where Jarret’s comment fits in about a pointer to the certificate or public key could be saved in keystone with the public key, certificate, even private key inside key manager. To meet compliance needs more audit logging
will be present in the key manager. Certainly, wherever keys are stored more audit logging is feasible. This is just a logical divide of whether to build in the functionality.<o:p></o:p></p>
<p class="MsoPlainText"> 6) Today keystone provides a catalog of service endpoints (including the key manager), it is logical to extend this to include access to their certificates. This would then serve as central point to determine how to securely communicate
with the endpoint – assuming neither keystone nor barbican are compromised. <o:p>
</o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Simo Sorce [mailto:simo@redhat.com] <br>
Sent: Tuesday, July 02, 2013 10:43 AM<br>
To: OpenStack Development Mailing List<br>
Subject: Re: [openstack-dev] Move keypair management out of Nova and into Keystone?</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On Tue, 2013-07-02 at 16:55 +0000, Tiwari, Arvind wrote:<o:p></o:p></p>
<p class="MsoPlainText">> Hi Simo,<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> I am lost.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Does Barbican is product came out of <a href="https://wiki.openstack.org/wiki/KeyManager">
<span style="color:windowtext;text-decoration:none">https://wiki.openstack.org/wiki/KeyManager</span></a> BP?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Yes Barbican is an implementation of this Blueprint afaik.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> If yes, then why it is deviating from the BP which says Key Manager will be separate service but not a part of Keystone.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Sorry I don't follow, Barbican is separated from Keystone.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> If no, then why we are thinking about new Key manager (which seems to me a subset of above BP)?
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">New ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Simo.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-- <o:p></o:p></p>
<p class="MsoPlainText">Simo Sorce * Red Hat, Inc * New York<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">OpenStack-dev mailing list<o:p></o:p></p>
<p class="MsoPlainText"><a href="mailto:OpenStack-dev@lists.openstack.org"><span style="color:windowtext;text-decoration:none">OpenStack-dev@lists.openstack.org</span></a><o:p></o:p></p>
<p class="MsoPlainText"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><span style="color:windowtext;text-decoration:none">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a><o:p></o:p></p>
</div>
</body>
</html>