<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:839730962;
mso-list-type:hybrid;
mso-list-template-ids:1893779604 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1
{mso-list-id:1622880973;
mso-list-template-ids:951603078;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Thanks for your review and comments on the blueprint. A few comments / clarifications:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:#1F497D'>There are about a half dozen key manager products on the market that support KMIP. They are offered in different form factors / price points: some are physical appliances (with and without embedded HSMs) and some are software implementations.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:#1F497D'>Agreed that there isn’t an existing KMIP client in python. We are offering to port the needed functionality from our current java KMIP client to python and contribute it to openstack.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:#1F497D'>Good points about the common features that barbican provides. I will take a look at the barbican architecture and join discussions there.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Bill<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jarret Raim [mailto:jarret.raim@RACKSPACE.COM] <br><b>Sent:</b> Friday, July 19, 2013 9:46 AM<br><b>To:</b> OpenStack Development Mailing List<br><b>Subject:</b> Re: [openstack-dev] KMIP client for volume encryption key management<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>I'm not sure that I agree with this direction. In our investigation, KMIP is a problematic protocol for several reasons:<o:p></o:p></span></p></div><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:10.5pt'>We haven't found an implementation of KMIP for Python. (Let us know if there is one!)<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:10.5pt'>Support for KMIP by HSM vendors is limited.<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:10.5pt'>We haven't found software implementations of KMIP suitable for use as an HSM replacement. (e.g. Most deployers wanting to use KMIP would have to spend a rather large amount of money to purchase HSMs)<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:10.5pt'>From our research, the KMIP spec and implementations seem to lack support for multi-tenancy. This makes managing keys for thousands of users difficult or impossible.<o:p></o:p></span></li></ul><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>The goal for the Barbican system is to provide key management for OpenStack. It uses the standard interaction mechanisms for OpenStack, namely ReST and JSON. We integrate with keystone and will provide common features like usage events, role-based access control, fine grained control, policy support, client libs, Celiometer support, Horizon support and other things expected of an OpenStack service. If every product is forced to implement KMIP, these features would most likely not be provided by whatever vendor is used for the Key Manager. Additionally, as mentioned in the blueprint, I have concerns that vendor specific data will be leaked into the rest of OpenStack for things like key identifiers, authentication and the like. <o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>I would propose that rather than each product implement KMIP support, we implement KMIP support into Barbican. This will allow the products to speak ReST / JSON using our client libraries just like any other OpenStack system and Barbican will take care of being a good OpenStack citizen. On the backend, Barbican will support the use of KMIP to talk to whatever device the provider wishes to deploy. We will also support other interaction mechanisms including PKCS through OpenSSH, a development implementation and a fully free and open source software implementation. This also allows some advanced uses cases including federation. Federation will allow customers of public clouds like Rackspace's to maintain custody of their keys while still being able to delegate their use to the Cloud for specific tasks.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>I've been asked about KMIP support at the Summit and by several of Rackspace's partners. I was planning on getting to it at some point, probably after Icehouse. This is mostly due to the fact that we didn't find a suitable KMIP implementation for Python so it looks like we'd have to write one. If there is interest from people to create that implementation, we'd be happy to help do the work to integrate it into Barbican.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>We just released our M2 milestone and we are on track for our 1.0 release for Havana. I would encourage anyone interested to check our what we are working on and come help us out. We use this list for most of our discussions and we hang out on #openstack-cloudkeep on free node. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'>Jarret<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='color:black'>From: </span></b><span style='color:black'><Becker>, Bill <<a href="mailto:Bill.Becker@safenet-inc.com">Bill.Becker@safenet-inc.com</a>><br><b>Reply-To: </b>OpenStack List <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br><b>Date: </b>Thursday, July 18, 2013 2:11 PM<br><b>To: </b>OpenStack List <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br><b>Subject: </b>[openstack-dev] KMIP client for volume encryption key management<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal><span style='color:black'>A blueprint and spec to add a client that implements OASIS KMIP standard was recently added:<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><a href="https://blueprints.launchpad.net/nova/+spec/kmip-client-for-volume-encryption">https://blueprints.launchpad.net/nova/+spec/kmip-client-for-volume-encryption</a><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><a href="https://wiki.openstack.org/wiki/KMIPclient">https://wiki.openstack.org/wiki/KMIPclient</a><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>We’re looking for feedback to the set of questions in the spec. Any additional input is also appreciated.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>Bill B.<o:p></o:p></span></p><pre><span style='color:black'>The information contained in this electronic mail transmission <o:p></o:p></span></pre><pre><span style='color:black'>may be privileged and confidential, and therefore, protected <o:p></o:p></span></pre><pre><span style='color:black'>from disclosure. If you have received this communication in <o:p></o:p></span></pre><pre><span style='color:black'>error, please notify us immediately by replying to this <o:p></o:p></span></pre><pre><span style='color:black'>message and deleting it from your computer without copying <o:p></o:p></span></pre><pre><span style='color:black'>or disclosing it.<o:p></o:p></span></pre><pre><span style='color:black'><o:p> </o:p></span></pre><pre><span style='color:black'><o:p> </o:p></span></pre></div></div></div></body></html>
<pre>The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.