<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div style="word-wrap:break-word">Clearing up Certificate, public Key Confusion.
<div>Observe the diagram certs_and_keys.png or the dot file that generated it.</div>
<div></div>
</div>
<div><img src="cid:d7486824-b875-4679-a382-27f2b342a96d@RACKSPACE.CORP"> </div>
<div style="word-wrap:break-word">
<div></div>
<div><br>
</div>
<div><br>
</div>
<div></div>
</div>
<div style="word-wrap:break-word">
<div></div>
<div>You will notice that private keys contain the public keys inside them. </div>
<div>Most people think of asymmetric in terms of key pairs but in reality the </div>
<div>public key contains a few attributes of the private key. In Java bouncy</div>
<div>castle PrivateKeys are a subclass of Public key. In OpenSSL's C library</div>
<div>the same structure is used for both private and public with the exception</div>
<div>that the private attributes are nulled out when using the RSA structure </div>
<div>in a public context.</div>
<div><br>
</div>
<div>
<div><br>
</div>
</div>
<div> The point is that if you have the private key then you also have the</div>
<div>public key for free.</div>
<div><br>
</div>
<div>
<div><br>
</div>
</div>
<div> X509 certificates were meant to be a generic way of signing public</div>
<div>keys. By generic I mean to say that the SubjectPublicKeyInfo structure </div>
<div>has an Algorithm identifier that declares what type of public key is used.</div>
<div>In the example above the actual publicKey I'm showing how an </div>
<div>X509Certificate can use DSA RSA and Eliptic curves. If in the future a</div>
<div>new public key algorithm arrives it can be worked into X509 by assigning</div>
<div>a new publicKeyAlgorthm to it. So we should consider the case where users</div>
<div>may not be submitting an RSA x509 like were all used to. </div>
<div><br>
</div>
<div> So with this in mind it should noted that there is no private part</div>
<div>of a certificate. Everything in it(the x509) is public. Notice their are no</div>
<div>links to the private key from the x509. Perhaps this confusion came from</div>
<div>the fact that certs and private keys are usually installed together and</div>
<div>that this may have led to the confusion by interchanging the words vert </div>
<div>with public key since they may previously have known that every private_key</div>
<div>has an associated public_key. IE encrypt with the public key and decrypt with</div>
<div>the private key. Just keep in mind that in any future documents we</div>
<div>must be careful not to interchange the two words.</div>
<div>
<div> V</div>
</div>
<div> I would advocate we accept only Pem Encoded Certificates as it seems</div>
<div>pretty standard enough and it fits in a string . Be they their native </div>
<div>encodings such as PKCS1 or what ever RFC defined their encoding or the </div>
<div>more generic PKCS8. PKCS8 is flexible in that it can be used to store</div>
<div>different types of keys. Keep in mind that pkcs8 also allows for private</div>
<div>keys to be encrypted so any menthols that attempt to decode pkcs8 should</div>
<div>have an optional password field. </div>
<div><br>
</div>
<div> ^</div>
<div><br>
</div>
<div> In many cases the user of a service has a requirement that the private</div>
<div>key be generated on the decrypting machine(In this case our virtual </div>
<div>loadbalancer) and that the private key never leave this machine so we </div>
<div>should consider having the ability for our lbaas service (or Barbican) generate</div>
<div>the private key and return a CSR(pkcs10) for key back to the user for</div>
<div>signing. After signing this into an X509 the user will pass this</div>
<div>certificate back into our api and associate it with a key. In this</div>
<div>scenario even the user doesn't have access to their own key. Well unless</div>
<div>they query the API to fetch it out I suppose. :(</div>
<div>What are your thoughts on this. I know barbican aspires to be capable of</div>
<div>this I will talk with them tomorrow and see how far along they are.</div>
<div><br>
</div>
<div>Is any one going to start the blue print? If not does any one mind if I take a shot?</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<div>On May 22, 2014, at 1:44 PM, Samuel Bercovici <<a href="mailto:SamuelB@Radware.com">SamuelB@Radware.com</a>></div>
<div> wrote:</div>
<br class="x_Apple-interchange-newline">
<blockquote type="cite">
<div lang="EN-US" style="font-family:Helvetica; font-size:medium; font-style:normal; font-variant:normal; font-weight:normal; letter-spacing:normal; line-height:normal; orphans:2; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">
<div class="x_WordSection1" style="">
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">Hi Everone,</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> </span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">I would like to defer addressing client authentication and back-end-server authentication for a 2<sup>nd</sup><span class="x_Apple-converted-space"> </span>phase – after Juno.</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">This means that from looking on<span class="x_Apple-converted-space"> </span><a href="https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7" style="color:purple; text-decoration:underline">https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7</a>,
under the “</span><span style="font-size:12pt; font-family:Cambria,serif">SSL/TLS Termination capabilities”, not addressing 2.2 and 3.</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">I think that this would reduce the “effort” of storing certificates information to the actual ones used for the termination.</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">We will leave the discussion on storing the required trusted certificates and CA chains for later.</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> </span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">Any objections?</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> </span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif">Regards,</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> -Sam.</span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> </span></div>
<div style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"> </span></div>
<p class="x_MsoNormal" style="margin:0in 0in 0.0001pt; font-size:11pt; font-family:Calibri,sans-serif">
<span style="font-size:12pt; font-family:Cambria,serif"></span></p>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</body>
</html>