<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1536309678;
        mso-list-type:hybrid;
        mso-list-template-ids:409749940 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:1725251419;
        mso-list-type:hybrid;
        mso-list-template-ids:-1712162846 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It’s just an extension, shouldn’t be treated differently as long as it follows the rules and regulations.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Bp<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Spec (identity-api)<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Server-side changes (keystone)<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Client-side changes if any (python-keystoneclient)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If OpenStack security community is participating in the code reviews, that would even be awesomer.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Guang<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Adam Young [mailto:ayoung@redhat.com] <br><b>Sent:</b> Wednesday, August 14, 2013 6:24 AM<br><b>To:</b> openstack-dev@lists.openstack.org<br><b>Subject:</b> Re: [openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 08/13/2013 06:20 PM, Dolph Mathews wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div id=magicdomid817><p class=MsoNormal 
style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>With regard to: <a href="https://blueprints.launchpad.net/keystone/+spec/key-distribution-server">https://blueprints.launchpad.net/keystone/+spec/key-distribution-server</a><o:p></o:p></span></p></div><div id=magicdomid118><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div id=magicdomid821><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>During today's project status meeting [1], the state of KDS was discussed [2]. To quote ttx directly: "we've been bitten in the past with late security-sensitive stuff" and "I'm a bit worried to ship late code with such security implications as a KDS." I share the same concern, especially considering the API only recently went up for formal review [3], and the WIP implementation is still failing smokestack [4].<o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal><br>Since KDS is a security tightening in a case where there is no security at all, adding it in can only improve security.<br><br>It is a relatively simple extension from the keystone side.  The corresponding change is in the client, and that has already merged.<br><br><br><o:p></o:p></p><div><div id=magicdomid600><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div id=magicdomid827><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>I'm happy to see the reviews in question continue to receive their fair share of attention over the next few weeks, but can (and should?) 
merging be delayed until icehouse while more security-focused eyes have time to review the code?<o:p></o:p></span></p></div><div id=magicdomid829><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div id=magicdomid1033><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>Ceilometer and nova would both be affected by a delay, as both have use cases for consuming trusted messaging [5] (a dependency of the bp in question).<o:p></o:p></span></p></div><div id=magicdomid1034><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div id=magicdomid1032><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>Thanks for your feedback!<o:p></o:p></span></p></div><div id=magicdomid1007><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div id=magicdomid273><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[1]: <a href="http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-08-13.log">http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-08-13.log</a><o:p></o:p></span></p></div><div id=magicdomid280><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[2]: <a href="http://paste.openstack.org/raw/44075/">http://paste.openstack.org/raw/44075/</a><o:p></o:p></span></p></div><div id=magicdomid499><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[3]: <a href="https://review.openstack.org/#/c/40692/">https://review.openstack.org/#/c/40692/</a><o:p></o:p></span></p></div><div id=magicdomid576><p 
class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[4]: <a href="https://review.openstack.org/#/c/37118/">https://review.openstack.org/#/c/37118/</a><o:p></o:p></span></p></div><div id=magicdomid970><p class=MsoNormal style='line-height:9.6pt'><span style='font-size:7.0pt;font-family:"Arial","sans-serif"'>[5]: <a href="https://blueprints.launchpad.net/oslo/+spec/trusted-messaging">https://blueprints.launchpad.net/oslo/+spec/trusted-messaging</a><o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>OpenStack-dev mailing list<o:p></o:p></pre><pre><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><o:p></o:p></pre><pre><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></pre><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>