[openstack-dev] Move keypair management out of Nova and into Keystone?

Simo Sorce simo at redhat.com
Tue Jul 2 17:40:13 UTC 2013

On Tue, 2013-07-02 at 08:12 -0700, Bryan D. Payne wrote:
>         > I don't understand. Users already have custody of their own
>         keys. The
>         > only thing that Keystone/Nova has is the public key
>         fingerprint [1], not
>         > the private key...
>         You acatually have the public key, not just the fingerprint,
>         but indeed
>         I do not see why abrbican should be involved here.  apublic
>         key does not
>         need the same level of protection of a private key or a
>         symmetric
>         encryption key, so by storing this data in barbican we would
>         only
>         needlessly expose barbican to more access patternsand more
>         logging/auditing volume than is needed.
> I believe you're confusing a couple of points here.  In this case, for
> public keys, what matters is integrity.  For the other cases that you
> mentioned, both integrity and confidentiality matter.  I believe that
> given the high integrity requirements that it *does* make sense to
> store these in a more protected location.
> +1 for using Barbican
If you do not trust keystone to give you the right information you have
already lost as keystone is used (afaik) to check for authorization

Can you be a little bit more explicit on the threat model you have in
mind and what guarantees Barbican would give you that would make it more
suitable to store public key than Keystone ?


Simo Sorce * Red Hat, Inc * New York

More information about the OpenStack-dev mailing list