[openstack-dev] [opnfv-tech-discuss] [Keystone][Multisite] Huge token size
Adam Young
ayoung at redhat.com
Tue Mar 17 13:57:14 UTC 2015
On 03/17/2015 03:30 AM, David Chadwick wrote:
> Encryption per se does not decrease token size, the best it can do is
> keep the token size the same size. So using Fernet tokens will not on
> its own alter the token size.
Fernet is striking a balance. It is encrypting a subset of the data,
not the whole payload of the PKI tokens. They are under 500 bytes, with
a target of getting them under 255 bytes. Only Federation tokens should
be larger than 255 bytes.
> Reducing the size must come from putting
> less information in the token. If the token recipient has to always go
> back to Keystone to get the token validated, then all the token needs to
> be is a large random number that Keystone can look up in its database to
> retrieve the user's permissions. In this case no encryption is needed at
> all.
The Fernet goal is to remove that database. Instead, the data
associated with the token will be assembled at verification time from
the small subset in the Fernet token body and the data stored in the
Keystone server.