The issue is that _if_ you're also running the EC2 API over non-SSL (which is supposed to be safe - other than for replay attacks?), then you send the api_key in the clear (the api_secret remains secret because it's only 'passed' via the one-way-hashed signature.) However, api_key is currently the OpenStack 'secret'/'password' (!). So although we're not exposing the EC2 api_secret, using the EC2 API could expose a rather important piece of information for the OpenStack API.<div>
<br>I don't think it's a critical vulnerability (hence it's in public channels), but I believe it needs to be fixed.</div><div><br></div><div>Irrespective of the vulnerability, I think we should still have one set of user credentials.</div>
<div><br></div><div>Justin<br>
<br><br><div class="gmail_quote">On Wed, Feb 23, 2011 at 7:51 PM, Chuck Thier <span dir="ltr"><<a href="mailto:cthier@gmail.com">cthier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="border-collapse:collapse;font-family:arial, sans-serif;font-size:13px"><div>
<br></div>
<div>However, I think we want the same credentials for users ('username' & 'password'), irrespective of the API (or auth protocol) they're using. I think the weird terminology is what got us into the odd situation in which we now find ourselves where there are two sets of credentials (and one set exposes the secret of the other set!)</div>
<div><br></div></span></blockquote><div><br></div></div><div>The exposing of the secret is not true, they are just named differently. Lets pretend you want to generalize the naming of everything via the EC2 api (api_key, api_secret). If you switch to using OpenStack auth, then you would send the api_key as the username, and the api_secret as the api_key. There is no exposure of the secret key.</div>
<div><br></div><div>--</div><div>Chuck</div></div>
</blockquote></div><br></div>