<span style>Hi Adam,</span><div style><br></div><div style>Can you please clarify the following in the PKI blueprint?</div><div style><br></div><div style>1) Do you assume that roles won't be changed after getToken and before validateToken?</div>
<div style><br></div><blockquote type="cite" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="line-height:18px;color:rgb(83,83,83);font-size:14px;font-family:sans-serif"><p>If the token contains just the following data:</p><ul><li style="margin-left:15px;list-style-type:none;list-style-position:initial">
{username: admiyo,tenant: Fedora,expires: 2359:05May2012, roles: [admin,editor]}</li></ul><p>This message is then encrypted with Keystone's private key. Any service that has Keystone's public key can decrypt the message. Since it is decrypted with the public key, it had to be encrypted by Keystone, and is therefore valid. The Keystone Certificate only has to be distributed once to each service, and can be fetched on demand.</p></span></blockquote>
<div style><span style="line-height:18px;color:rgb(83,83,83);font-size:14px;font-family:sans-serif"><p>What is the Keystone private key? Do you mean the user's private key?</p></span></div>
<blockquote type="cite" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="line-height:18px;color:rgb(83,83,83);font-size:14px;font-family:sans-serif">When a user is created in Keystone, they will be given a one-time password that they will then use to establish a key pair. Only the public key will be stored on the Keystone server; the private key will only be stored on the end user's system. The public key will be signed by the certificate authority (X509) and then stored in the Keystone system. From this point on, when authenticating to Keystone, the user will use the client certificate.</span></blockquote>
<div style><span style="line-height:18px;color:rgb(83,83,83);font-size:14px;font-family:sans-serif"><p>
2) Why do we need to store the user's client cert in the Keystone system? BTW, what do you mean by "Keystone system"? Is it the Keystone server, or any system like Swift/Nova which uses Keystone to authenticate?</p></span><div><br>
</div><div>Thanks</div></div><br><div class="gmail_quote">On Tue, May 15, 2012 at 6:09 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Well, the PKI pieces are the same regardless of the CA and
    certificate issuing pieces.  All we will need to do is to use a
    signing key to sign a document.  So EJBCA or Dogtag will work
    equally as well.  If people already have a CA infrastructure, they
    should be able to leverage that, too.<div><div class="h5"><br>
    <br>
    <br>
    On 05/15/2012 04:47 PM, Thor Wolpert wrote:
    <blockquote type="cite">If you're open to leveraging other OSS projects, <a href="http://www.ejbca.org/architecture.html" target="_blank">http://www.ejbca.org/architecture.html</a>
      is a great one to look at, assuming you need a PKI implementation
      available.
      <div>
        <br>
      </div>
      <div>I believe it is at least worth a look.<br>
        <br>
        <div class="gmail_quote">On Tue, May 15, 2012 at 1:30 PM,
          Razique Mahroua <span dir="ltr"><<a href="mailto:razique.mahroua@gmail.com" target="_blank">razique.mahroua@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="font-family:Lucida Grande;font-size:11pt" bgcolor="#FFFFFF" text="#000000">
              <div style="font-size:11pt;font-family:Lucida Grande"><span style="font-family:Lucida Grande">great topic :)<br>
                  <br>
                </span><br>
                <blockquote style="border:0px none" type="cite">
                  <div style="margin:30px 25px 10px 25px"><a href="mailto:heckj@mac.com" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Joseph Heck</a> <font color="#9FA2A5">15 May 2012 21:06</font></div>
                  <div style="color:#888888;margin-left:24px;margin-right:24px">
                    <div>Coming out of the Keystone meeting from today (<a href="http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html" target="_blank">http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html</a>),

                      I thought it worth mentioning that Adam Young has
                      been doing some tremendous lifting in terms of
                      looking at adding in PKI support to Keystone. The
                      writeup and details are on the OpenStack wiki at <a href="http://wiki.openstack.org/PKI" target="_blank">http://wiki.openstack.org/PKI</a><br>
                      <br>
                      I rather suspect there's a lot of interest in this
                      topic, so I wanted to make sure the broader
                      community knew about the effort, what we were
                      thinking, and where we are. <br>
                      <br>
                      If you're interested in discussing, the Keystone
                      meeting is on Tuesday mornings at 18:00 UTC<br>
                      <br>
                      -joe<br>
                      <br>
                      _______________________________________________<br>
                      Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
                      Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
                      Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
                      More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><span><font color="#888888"><br>
                        </font></span></div>
                  </div>
                </blockquote>
                <span><font color="#888888"><br>
                    <div>-- <br>
                      <span><span style="font-family:Lucida Grande">Nuage
                          & Co - Razique Mahroua <br>
                          <span style="font-weight:bold"><a href="mailto:razique.mahroua@gmail.com" target="_blank">razique.mahroua@gmail.com</a></span></span><span style="color:rgb(51,153,153)"></span><span style="font-family:monospace"></span></span><br>

                      <br>
                    </div>
                  </font></span></div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br>
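<div>An added illustration of the getToken/validateToken flow that the quoted blueprint text describes and that question 1 above asks about, written in Go against the standard library; it is not code from Keystone, the wiki, or anyone in this thread. It assumes an ECDSA key pair standing in for Keystone's signing key, a signature over the token's SHA-256 digest in place of the blueprint's "encryption with the private key", and an expiry expressed as Unix seconds; the comment on ValidateToken shows why a role change between the two calls goes unnoticed by the service.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Token carries the fields of the blueprint's example token; Expires is Unix seconds here.
type Token struct {
	Username, Tenant string
	Expires          int64
	Roles            []string
}
type SignedToken struct{ Payload, Sig []byte } // serialized token plus Keystone's signature
// NewKeystoneKey stands in for Keystone's signing key pair (constructed for the example).
func NewKeystoneKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// GetToken is the issuing side: Keystone serializes the token and signs its SHA-256 digest
// with its private key, so whatever roles the user holds at this moment are frozen in.
func GetToken(priv *ecdsa.PrivateKey, t Token) (SignedToken, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedToken{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return SignedToken{Payload: payload, Sig: sig}, err
}

// ValidateToken is the service side and needs only Keystone's public key: no round trip.
// It rejects altered or foreign payloads and expired tokens, but a role change made after
// GetToken is invisible to it, because the roles it returns are the ones signed at issuance.
func ValidateToken(pub *ecdsa.PublicKey, st SignedToken, now time.Time) (Token, error) {
	h := sha256.Sum256(st.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], st.Sig) {
		return Token{}, errors.New("signature does not verify under Keystone's public key")
	}
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return Token{}, err
	}
	if !now.Before(time.Unix(t.Expires, 0)) {
		return Token{}, errors.New("token expired")
	}
	return t, nil
}
```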