<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.xapple-converted-space
{mso-style-name:x_apple-converted-space;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1138646599;
mso-list-type:hybrid;
mso-list-template-ids:-344158566 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Carlos,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I am working to update the wiki (<a href="https://wiki.openstack.org/wiki/Neutron/LBaaS/SSL">https://wiki.openstack.org/wiki/Neutron/LBaaS/SSL</a> ) to include
all the information bellow and the discussions from the summit.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I think that I will be done by tomorrow and will want initial feedback on ML before I create the blue print for this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The key changes are:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All APIs start with TLS<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Remove the client authentication and backend server authentication<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Merging the “old” proposal with Stephen’s proposal<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Assuming the X509+key can be referenced as a single ID available from Barbican<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Evgeny<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Carlos Garza [mailto:carlos.garza@rackspace.com]
<br>
<b>Sent:</b> Friday, May 23, 2014 6:39 AM<br>
<b>To:</b> Samuel Bercovici<br>
<b>Cc:</b> OpenStack Development Mailing List (not for usage questions); Evgeny Fedoruk<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Clearing up Certificate, public Key Confusion. <o:p></o:p></p>
<div>
<p class="MsoNormal">Observe the diagram certs_and_keys.png or the dot file that generated it.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><img border="0" width="1177" height="711" id="_x0000_i1025" src="cid:image001.png@01CF79D6.A81DA0F0"><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">You will notice that private keys contain the public keys inside them. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Most people think of asymmetric in terms of key pairs but in reality the <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">public key contains a few attributes of the private key. In Java bouncy<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">castle PrivateKeys are a subclass of Public key. In OpenSSL's C library<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">the same structure is used for both private and public with the exception<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">that the private attributes are nulled out when using the RSA structure <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">in a public context.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> The point is that if you have the private key then you also have the<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">public key for free.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> X509 certificates were meant to be a generic way of signing public<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">keys. By generic I mean to say that the SubjectPublicKeyInfo structure <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">has an Algorithm identifier that declares what type of public key is used.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">In the example above the actual publicKey I'm showing how an <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">X509Certificate can use DSA RSA and Eliptic curves. If in the future a<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">new public key algorithm arrives it can be worked into X509 by assigning<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">a new publicKeyAlgorthm to it. So we should consider the case where users<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">may not be submitting an RSA x509 like were all used to. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> So with this in mind it should noted that there is no private part<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">of a certificate. Everything in it(the x509) is public. Notice their are no<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">links to the private key from the x509. Perhaps this confusion came from<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">the fact that certs and private keys are usually installed together and<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">that this may have led to the confusion by interchanging the words vert <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">with public key since they may previously have known that every private_key<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">has an associated public_key. IE encrypt with the public key and decrypt with<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">the private key. Just keep in mind that in any future documents we<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">must be careful not to interchange the two words.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> V<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> I would advocate we accept only Pem Encoded Certificates as it seems<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">pretty standard enough and it fits in a string . Be they their native <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">encodings such as PKCS1 or what ever RFC defined their encoding or the <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">more generic PKCS8. PKCS8 is flexible in that it can be used to store<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">different types of keys. Keep in mind that pkcs8 also allows for private<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">keys to be encrypted so any menthols that attempt to decode pkcs8 should<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">have an optional password field. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> ^<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> In many cases the user of a service has a requirement that the private<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">key be generated on the decrypting machine(In this case our virtual <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">loadbalancer) and that the private key never leave this machine so we <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">should consider having the ability for our lbaas service (or Barbican) generate<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">the private key and return a CSR(pkcs10) for key back to the user for<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">signing. After signing this into an X509 the user will pass this<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">certificate back into our api and associate it with a key. In this<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">scenario even the user doesn't have access to their own key. Well unless<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">they query the API to fetch it out I suppose. :(<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">What are your thoughts on this. I know barbican aspires to be capable of<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">this I will talk with them tomorrow and see how far along they are.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is any one going to start the blue print? If not does any one mind if I take a shot?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On May 22, 2014, at 1:44 PM, Samuel Bercovici <<a href="mailto:SamuelB@Radware.com">SamuelB@Radware.com</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Hi Everone,</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">I would like to defer addressing client authentication and back-end-server authentication for a 2<sup>nd</sup><span class="xapple-converted-space"> </span>phase – after Juno.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">This means that from looking on<span class="xapple-converted-space"> </span><a href="https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7"><span style="color:purple">https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7</span></a>,
under the “SSL/TLS Termination capabilities”, not addressing 2.2 and 3.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">I think that this would reduce the “effort” of storing certificates information to the actual ones used for the termination.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">We will leave the discussion on storing the required trusted certificates and CA chains for later.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Any objections?</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Regards,</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> -Sam.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Cambria","serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>