<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-text-html" lang="x-unicode">
<div class="moz-cite-prefix">On 30/08/18 6:29 AM, Lance Bragstad
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE6oFcGizi77RquTmpjbaMn74zYatyz91+Jf872=72HmuEGBDQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US">
<div class="m_329163095983434052WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Is
that what is being described here ? <a
href="https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html"
target="_blank">
https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html</a></span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>This is a separate mechanism for storing secrets, not
necessarily passwords (although I agree the term
credentials automatically makes people assume passwords).
This is used if consuming keystone's native MFA
implementation. For example, storing a shared secret
between the user and keystone that is provided as an
additional authentication method along with a username and
password combination.</div>
<div> </div>
</div>
</div>
</blockquote>
<p>Is there any interest or plans to potentially allow Keystone's
credential store to use Barbican as a storage provider?
Encryption already is better than nothing, but if you already
have (or will be deploying) a proper secret store with a
hardware backend (or at least hardware stored encryption keys)
then it might make sense to throw that in Barbican.<br>
<br>
Or is this also too much of a chicken/egg problem? How safe is
it to rely on Barbican availability for MFA secrets and auth?<br>
</p>
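<p>An added illustration of the two designs weighed in this thread; it is not keystone or Barbican code. It models the MFA shared secret (a TOTP seed, RFC 6238) either kept in a keystone-style credential table encrypted with a key from a local key repository, or fetched from an external secret store (a stand-in for Barbican) that may be unreachable, and shows that authentication fails closed when the secret cannot be retrieved. The class and function names, the toy HMAC-keystream cipher (which is not Fernet and is only there so the stored rows hold ciphertext), and the sample seed are all constructed for this example.</p>

```python
"""Constructed example: MFA secret storage backends and fail-closed verification.

Not keystone or Barbican code. Stdlib only so it runs offline.
"""
import hashlib
import hmac
import os
import struct
import time


class SecretStoreUnavailable(Exception):
    """Raised when the backend holding the MFA secret cannot be reached."""


class LocalEncryptedStore:
    """Stand-in for keystone's own credential table plus a local key repository.

    Rows hold ciphertext, never the raw seed. The cipher is a TOY: an
    HMAC-SHA256 keystream XORed over the data (constructed for illustration,
    not Fernet, not AEAD). A real deployment would use an authenticated
    encryption scheme; the point here is only where the key lives (locally).
    """

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}  # user -> (nonce, ciphertext)

    def _xor_keystream(self, nonce: bytes, data: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(self._key, nonce + struct.pack(">I", i // 32),
                             hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def put(self, user: str, seed: bytes) -> None:
        nonce = os.urandom(16)
        self._rows[user] = (nonce, self._xor_keystream(nonce, seed))

    def stored_ciphertext(self, user: str) -> bytes:
        return self._rows[user][1]

    def get(self, user: str) -> bytes:
        nonce, ct = self._rows[user]
        return self._xor_keystream(nonce, ct)


class RemoteSecretStore:
    """Stand-in for an external secret store such as Barbican.

    The secret itself lives elsewhere (possibly behind hardware-held keys),
    so a fetch is a network call that can fail; `reachable` simulates that.
    """

    def __init__(self, reachable: bool = True):
        self.reachable = reachable
        self._secrets = {}

    def put(self, user: str, seed: bytes) -> None:
        self._secrets[user] = seed

    def get(self, user: str) -> bytes:
        if not self.reachable:
            raise SecretStoreUnavailable("secret store unreachable")
        return self._secrets[user]


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_mfa(store, user: str, password_ok: bool, code: str, at=None):
    """Second factor check on top of a password result. Fails closed:
    if the secret cannot be fetched the login is denied, not skipped."""
    if not password_ok:
        return False, "bad password"
    try:
        seed = store.get(user)
    except SecretStoreUnavailable as exc:
        return False, f"mfa unavailable: {exc}"
    at = int(time.time()) if at is None else at
    for drift in (-1, 0, 1):  # tolerate one time step of clock skew
        if hmac.compare_digest(totp(seed, at + drift * step_seconds()), code):
            return True, "ok"
    return False, "bad code"


def step_seconds() -> int:
    return 30


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed, constructed input
    now = 1111111109
    local = LocalEncryptedStore(key=os.urandom(32))
    local.put("alice", seed)
    print("local store:", verify_mfa(local, "alice", True, totp(seed, now), now))
    remote = RemoteSecretStore(reachable=False)
    remote.put("alice", seed)
    print("remote store down:", verify_mfa(remote, "alice", True, totp(seed, now), now))
```

The local backend keeps MFA working as long as keystone itself is up, which is the availability argument for the current design; the external backend buys stronger key custody at the cost of adding that store to the login path, and the only safe answer to an outage there is to deny the login rather than drop the second factor.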
</div>
</body>
</html>