[openstack-dev] Move keypair management out of Nova and into Keystone?

Jay Pipes jaypipes at gmail.com
Tue Jul 2 15:22:34 UTC 2013

On 07/02/2013 11:12 AM, Bryan D. Payne wrote:
>      > I don't understand. Users already have custody of their own keys. The
>      > only thing that Keystone/Nova has is the public key fingerprint
>     [1], not
>      > the private key...
>     You acatually have the public key, not just the fingerprint, but indeed
>     I do not see why abrbican should be involved here.  apublic key does not
>     need the same level of protection of a private key or a symmetric
>     encryption key, so by storing this data in barbican we would only
>     needlessly expose barbican to more access patternsand more
>     logging/auditing volume than is needed.
> I believe you're confusing a couple of points here.  In this case, for
> public keys, what matters is integrity.  For the other cases that you
> mentioned, both integrity and confidentiality matter.  I believe that
> given the high integrity requirements that it *does* make sense to store
> these in a more protected location.
> +1 for using Barbican
> -bryan

Simo just got finished saying Barbican was *not* the correct place to 
put this information...


More information about the OpenStack-dev mailing list