<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>FWIW, instead of barbican, castellan could be used as a key
      manager.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 08/30/2018 12:23 PM, Adrian Turjak
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:173ad63d-e69c-735b-c286-c8a98a024aad@catalyst.net.nz">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div class="moz-text-html" lang="x-unicode">
        <p><br>
        </p>
        <div class="moz-cite-prefix">On 30/08/18 6:29 AM, Lance Bragstad
          wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:CAE6oFcGizi77RquTmpjbaMn74zYatyz91+Jf872=72HmuEGBDQ@mail.gmail.com">
          <div dir="ltr">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div bgcolor="white" lang="EN-US">
                  <div class="m_329163095983434052WordSection1">
                    <p class="MsoNormal"><span style="font-size:11.0pt">Is
                        that what is being described here ?  <a
href="https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html"
                          target="_blank" moz-do-not-send="true">
https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html</a></span></p>
                  </div>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>This is a separate mechanism for storing secrets, not
                necessarily passwords (although I agree the term
                credentials automatically makes people assume
                passwords). This is used if consuming keystone's native
                MFA implementation. For example, storing a shared secret
                between the user and keystone that is provided as an
                additional authentication method along with a username
                and password combination.</div>
              <div> </div>
            </div>
          </div>
        </blockquote>
        <p>Is there any interest or plans to potentially allow
          Keystone's credential store to use Barbican as a storage
          provider? Encryption already is better than nothing, but if
          you already have (or will be deploying) a proper secret store
          with a hardware backend (or at least hardware stored
          encryption keys) then it might make sense to throw that in
          Barbican.<br>
          <br>
          Or is this also too much of a chicken/egg problem? How safe is
          it to rely on Barbican availability for MFA secrets and auth?<br>
        </p>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>