[Openstack-security] Certificate life in OpenStack

Adam Young ayoung at redhat.com
Fri May 9 19:51:35 UTC 2014


On 05/08/2014 05:51 AM, David Chadwick wrote:
> I don't think there is a correct answer to this. In general you have to
> pick a time (any time) that will cater for the majority of transactions,
> and then have some sort of refresh mechanism for those that are longer
> than this. If you pick too long a time then people will start to ask for
> a revocation facility (as happened in the grid for proxy certificates),
> which negates the point of having short lived certificates in the first
> place.
>
> regards

I'd like to make the distinction between Authentication and 
Authorization here.   Certificates really should be just used for 
Authentication, with another server performing authorization work.

David has much more specific language for this, but keeping it in terms 
of Keystone:  certificates should be relatively long lived. Tokens are 
short lived.  What David said about proxy certs is true for Keystone 
tokens as well.

Keystone's job is to enforce short duration confirmation of attributes 
specific to OpenStack that can be used to check policy at a decision 
point.  It is the lifetime of these attributes that should be considered 
ephemeral.

Certificates currently are used for SSL and Keystone token signing. In 
both these cases, we would be wise to add on CRL checking (OCSP is 
possible, but probably not right for OpenStack, as we tend to need bulk).

>
> David
>
> On 08/05/2014 10:10, Clark, Robert Graham wrote:
>> We are looking at various applications of short-life certificates in
>> OpenStack, an idea I've discussed with a few members of the OpenStack
>> Security Group previously.
>>
>> Has anyone done any analysis on what the shortest lifespan you can
>> generally get away with, or to put it another way, what's the longest
>> operation that ever happens with an individual certificate?
>>
>> I'm sure this will vary by service but very curious to see what others
>> have done.
>>
>> -Rob
>>
>>
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>

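The CRL checking Adam recommends for the SSL and token-signing certificates, as an added Go example that is not part of this thread and not Keystone or OpenStack code. It uses only Go's standard library; the `Issuer` type, the `example-ca` name, the ten-year CA lifetime, the one-year leaf lifetime and the 24-hour CRL refresh window are assumptions made for the example, not values from the list. `Verify` treats a CRL past its `NextUpdate` as a failure rather than as proof of non-revocation, which is the check a relying party tends to forget when it caches CRLs in bulk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked, ErrStaleCRL = errors.New("certificate is revoked"), errors.New("CRL is past NextUpdate")

// Issuer is a hypothetical in-memory CA that exists only for this example.
type Issuer struct {
	Cert                  *x509.Certificate
	key                   *ecdsa.PrivateKey
	revoked               []pkix.RevokedCertificate
	crlNumber, nextSerial int64
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey (self-signs when parentKey is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewIssuer builds a deliberately long-lived self-signed CA allowed to sign both certificates and CRLs.
func NewIssuer(now time.Time) (*Issuer, error) {
	cert, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, // assumed name
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: key, nextSerial: 1}, nil
}

// Issue signs a leaf certificate (a TLS or token-signing cert) valid for ttl; the leaf key is dropped here.
func (i *Issuer) Issue(cn string, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	i.nextSerial++
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(i.nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
	}, i.Cert, i.key)
	return cert, err
}

// Revoke records a serial for inclusion in every CRL issued from now on.
func (i *Issuer) Revoke(serial *big.Int, at time.Time) {
	i.revoked = append(i.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: at})
}

// CRL signs a DER-encoded CRL listing every revoked serial; the 24h NextUpdate is an assumed refresh period.
func (i *Issuer) CRL(now time.Time) ([]byte, error) {
	i.crlNumber++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(i.crlNumber), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: i.revoked,
	}, i.Cert, i.key)
}

// Verify checks chain and validity window at now, then the CRL: CA signature, freshness, serial not listed.
func Verify(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return ErrStaleCRL // a stale CRL is not evidence of non-revocation
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %s at %s", ErrRevoked, r.SerialNumber, r.RevocationTime.UTC())
		}
	}
	return nil
}
```

The split mirrors the thread's point: the certificate is the long-lived artefact (here a year, under a ten-year CA), while the revocation data a relying party consults is refreshed on a short cycle, so a verifier must fail closed when its cached CRL is older than `NextUpdate` instead of quietly accepting whatever it last downloaded.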