<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/28/2014 02:07 PM, Pitucha,
Stanislaw Izaak wrote:<br>
</div>
<blockquote
cite="mid:F2CEBDD2D596EC45A4D5479F72C865C501006445@G2W2436.americas.hpqcorp.net"
type="cite">
<pre wrap="">Hi all,
I've seen some blueprints/wikis from people interested in certificate
signing via barbican orders, so hopefully you'll have some feedback.
I submitted a proposal for certificate/signing order API at
<a class="moz-txt-link-freetext" href="https://review.openstack.org/90613">https://review.openstack.org/90613</a> (based on previous Arvind's work with
keys)</pre>
</blockquote>
<br>
Good stuff.<br>
<br>
<blockquote
cite="mid:F2CEBDD2D596EC45A4D5479F72C865C501006445@G2W2436.americas.hpqcorp.net"
type="cite">
<pre wrap="">
It's not pretty and needs some more details, but it's there :)
There are some things I wasn't really sure how to handle, so here's my
reasoning you may have an opinion on:
1. The keys for generating a new certificate request + signing could be
handled inside of the generate+sign order. This would require fewer requests
than uploading a key as a secret first, but on the other hand, there's
already an api for generating those keys, so it would be nice to just
reference the key potentially already generated by barbican. I went with
posting an id reference to the key.</pre>
</blockquote>
Lets not reinvent a format here. Certmonger can already do that
stuff client side, so lets just focus on getting the request to the
server, signed, and returned.<br>
<br>
<br>
<blockquote
cite="mid:F2CEBDD2D596EC45A4D5479F72C865C501006445@G2W2436.americas.hpqcorp.net"
type="cite">
<pre wrap="">
2. The signing-only request takes the pkcs10-style csr inline in its meta
part. I thought about treating it that same as the key decision above, but
thought this would be wrong. The request isn't really secret - it doesn't
contain any private data, so it would be incorrect to treat it the same as
keys.</pre>
</blockquote>
Correct. This should be simpler than a Keys escrow call: you might
want to do key escrow for encryption keys that get signed this way,
but that could used the existing mechanism via a separate call,
either prior or after. Prior might be the way to go: "if you
request a certificate with an encryption attribute, you need to have
submitted the key for escrow."<br>
<blockquote
cite="mid:F2CEBDD2D596EC45A4D5479F72C865C501006445@G2W2436.americas.hpqcorp.net"
type="cite">
<pre wrap="">
On the other hand, having one order to generate a CSR and one to sign it
would be a cleaner design without a mix of attributes that are required or
not depending on the use case.
In this case the first option won - just include it as inline - generation
of the request by barbican is unlikely to be a very common case.
Otherwise, if you're interested in certificate orders, please have a look
and see if the proposed api is missing any parts you would like to see.
Maybe we can figure it out before the coding starts :)</pre>
</blockquote>
Lets get the basics down: process a CSR. We still need to handle
the workflow for approval.<br>
<br>
<br>
<blockquote
cite="mid:F2CEBDD2D596EC45A4D5479F72C865C501006445@G2W2436.americas.hpqcorp.net"
type="cite">
<pre wrap="">
Regards,
Stanisław Pitucha
Cloud Services
Hewlett Packard
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>