[Openstack-security] Certificate life in OpenStack

David Chadwick d.w.chadwick at kent.ac.uk
Sat May 10 07:18:01 UTC 2014


I think there is no agreed naming to differentiate between authn and
authz tokens/certificates/claims/assertions, and in protocols such as
SAML, the token/certificate/claim/assertion performs both authn and
authz tasks, which makes it even more unclear.

We could agree on different names for use within the Openstack|Keystone
domain for the authn and authz blobs, but I don't think that would be
necessarily helpful. Rather, context could imply which one you are
talking about, or alternatively the adjectives authn and authz could be
used to differentiate when context is insufficient.

regards

David


On 09/05/2014 20:51, Adam Young wrote:
> On 05/08/2014 05:51 AM, David Chadwick wrote:
>> I don't think there is a correct answer to this. In general you have to
>> pick a time (any time) that will cater for the majority of transactions,
>> and then have some sort of refresh mechanism for those that are longer
>> than this. If you pick too long a time then people will start to ask for
>> a revocation facility (as happened in the grid for proxy certificates),
>> which negates the point of having short lived certificates in the first
>> place
>>
>> regards
> 
> I'd like to make the distinction between Authentication and
> Authorization here.   Certificates really should be just used for
> Authentication, with another server performing authorization work.
> 
> David has much more specific language for this, but keeping it in terms
> of Keystone:  certificates should be relatively long lived. Tokens are
> short lived.  What David said about proxy certs is true for Keystone
> tokens as well.
> 
> Keystone's job is to enforce short duration confirmation of attributes
> specific to OpenStack that can be used to check policy at a decision
> point.  It is the lifetime of these attributes that should be considered
> ephemeral.
> 
> Certificates currently are used for SSL and Keystone token signing. In
> both these cases, we would be wise to add on CRL checking (OCSP is
> possible, but probably not right for OpenStack, as we tend to need bulk).
> 
> 
> 
> 
>>
>> David
>>
>> On 08/05/2014 10:10, Clark, Robert Graham wrote:
>>> We are looking at various applications of short-life certificates in
>>> OpenStack, an idea I've discussed with a few members of the OpenStack
>>> Security Group previously.
>>>
>>> Has anyone done any analysis on what the shortest lifespan you can
>>> generally get away with, or to put it another way, what's the longest
>>> operation that ever happens with an individual certificate?
>>>
>>> I'm sure this will vary by service but very curious to see what others
>>> have done.
>>>
>>> -Rob
>>>
>>>
>>>
>>> _______________________________________________
>>> Openstack-security mailing list
>>> Openstack-security at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>
> 
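The trade-off discussed above (pick a lifetime that covers most transactions, then refresh rather than revoke for the few that run longer) as an added, self-contained illustration. This is not Keystone's code and not code from anyone in the thread: it stands in a hypothetical HMAC-signed token for Keystone's CMS-signed PKI tokens, and the key, the 300-second lifetime and the 30-second clock-skew allowance are assumptions chosen for the example.

```python
"""Short-lived authz token with a refresh path (added example, not Keystone code)."""
import base64
import hashlib
import hmac
import json

# Assumptions for the example: a throwaway issuer key, a 5-minute lifetime
# and a 30-second tolerance for issuer/verifier clock drift.
ISSUER_KEY = b"example-issuer-key-not-for-production"
TOKEN_LIFETIME = 300
CLOCK_SKEW = 30


def _sign(payload: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue(subject: str, roles, now: float, lifetime: int = TOKEN_LIFETIME) -> str:
    """Issue a token whose authorization attributes lapse after `lifetime` seconds."""
    claims = {"sub": subject, "roles": sorted(roles),
              "iat": int(now), "exp": int(now) + lifetime}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify(token: str, now: float) -> dict:
    """Return the claims if the signature checks and the token is inside its lifetime.

    Lifetime is the only revocation mechanism here: there is deliberately no
    revocation list, which is what keeps the short-lived design cheap.
    """
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    return claims


def refresh(token: str, now: float) -> str:
    """Re-issue a still-valid token; an already expired one cannot be renewed."""
    claims = verify(token, now)
    return issue(claims["sub"], claims["roles"], now)


def run_long_operation(token, steps, step_seconds, start, refresh_every=None):
    """Simulate a multi-step job that may outlive TOKEN_LIFETIME.

    Returns how many steps passed verification (== steps if all did).
    With refresh_every set, the client renews the token every N steps, so
    the short lifetime no longer caps the length of the job.
    """
    now = start
    done = 0
    for i in range(steps):
        if refresh_every and i and i % refresh_every == 0:
            token = refresh(token, now)
        try:
            verify(token, now)
        except ValueError:
            return done
        done += 1
        now += step_seconds
    return done


if __name__ == "__main__":
    t0 = 1000.0
    tok = issue("alice", ["member"], t0)
    # 10 steps of 60 s each: without refresh the job dies after the lifetime,
    # with a refresh every 4 steps it completes.
    print("no refresh :", run_long_operation(tok, 10, 60, t0))
    print("refresh    :", run_long_operation(tok, 10, 60, t0, refresh_every=4))
```

The refresh path only accepts a token that would still verify, so an attacker holding a stolen but expired token gains nothing from it; the window of exposure is the lifetime plus skew, which is the property the thread is after. Lengthen the lifetime and that window grows until users ask for a revocation list, which is the failure mode described for grid proxy certificates.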
