[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Iae94329e7abd105bf95224d28f39f4b746b9eb70

Thomas Biege thomas at suse.de
Mon Sep 16 21:17:08 UTC 2013


On 12.09.13 07:07, Andrew Nielsen wrote:
> It would be much better to generate a self-signed cert on the fly than to allow plain text by default. The people who are truly security conscious will have the skills, discipline, and expertise to deal with a CA file. For those who don't want any security, it should be a conscious choice to turn it off. A little inconvenience with BTNS is better than OpenStack being labeled as insecure.
> 

+1

Thomas


> Apologies if I am not using the correct reply format. 
> 
> Regards,
> Drew
> 
> Sent from my iPad
> 
> On Sep 11, 2013, at 21:04, "Jeffrey Walton" <noloader at gmail.com> wrote:
> 
>>>    This adds the ability to specify a CA file that will be used to verify a
>>>    HTTPS connections or insecure to specifically ignore HTTPS validation.
>> CA file is good, especially if the organization is running its own PKI.
>>
>> I'm not sure about the other state: no CA means plain text everything.
>>
>> I'm wondering if a better choice would be to generate a self-signed on
>> the fly to provide better than nothing security (BTNS).
>>
>> For those who insist on plain text connections, make them shoot
>> themselves in the foot by altering a configuration file.
>>
>> (Sorry about the Gerrit reply. I don't know how to comment on a
>> concept rather than a particular source file).
>>
>> On Wed, Sep 11, 2013 at 10:07 PM,  <gerrit2 at review.openstack.org> wrote:
>>>
>>> Hi, I'd like you to take a look at this patch for potential
>>> SecurityImpact.
>>> https://review.openstack.org/34161
>>>
>>> Log:
>>> commit 20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
>>> Author: Jamie Lennox <jlennox at redhat.com>
>>> Date:   Mon Aug 12 13:12:27 2013 +1000
>>>
>>>    Replace HttpConnection in auth_token with Requests
>>>
>>>    Requests is becoming the standard way of doing http communication, it
>>>    also vastly simplifies adding other authentication mechanisms. Use it in
>>>    the auth_token middleware.
>>>
>>>    This adds the ability to specify a CA file that will be used to verify a
>>>    HTTPS connections or insecure to specifically ignore HTTPS validation.
>>>
>>>    SecurityImpact
>>>    DocImpact
>>>    Partial-Bug: #1188189
>>>    Change-Id: Iae94329e7abd105bf95224d28f39f4b746b9eb70
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> 


-- 
Thomas Biege <thomas at suse.de>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
  Whoever stops wanting to get better stops being good.
                            -- Marie von Ebner-Eschenbach
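The policy the thread argues for (a CA file for validation, an explicit insecure flag to skip it, and plain text only by a deliberate configuration choice), as an added example that is not part of the change under review or of python-keystoneclient; the option names auth_uri, cafile, insecure and allow_plaintext are assumptions, not the middleware's real settings:

```python
"""Added example (not from the change under review): map auth_token-style
TLS options onto the `verify=` value that Requests accepts, and refuse
plaintext unless the operator opted in. Option names are assumptions."""
import os
from urllib.parse import urlparse


def verify_argument(cafile=None, insecure=False):
    """Return what to pass as `verify=` to requests.get()/post().

    True   -> validate against the system CA store (the default)
    <path> -> validate against the operator's own CA bundle (cafile)
    False  -> skip certificate validation; only when `insecure` is set
    """
    if insecure:
        return False
    if cafile:
        return cafile
    return True


def validate(conf):
    """Return a list of problems with a config mapping; empty means OK."""
    problems = []
    url = conf.get("auth_uri", "")
    scheme = urlparse(url).scheme.lower()
    if scheme == "http" and not conf.get("allow_plaintext", False):
        # Plaintext must be a deliberate choice made in the config file.
        problems.append("plaintext auth_uri requires allow_plaintext=True")
    elif scheme not in ("http", "https"):
        problems.append("auth_uri must be http:// or https://")
    cafile = conf.get("cafile")
    if cafile and not os.path.isfile(cafile):
        problems.append("cafile does not exist: %s" % cafile)
    if cafile and conf.get("insecure", False):
        # Both set is almost always a mistake: the CA file would be ignored.
        problems.append("insecure=True would ignore cafile")
    return problems


def session_settings(conf):
    """Build the keyword arguments for a Requests call, or raise."""
    problems = validate(conf)
    if problems:
        raise ValueError("; ".join(problems))
    verify = verify_argument(conf.get("cafile"), conf.get("insecure", False))
    return {"url": conf["auth_uri"], "verify": verify}
```

The returned mapping is meant to be unpacked into a Requests call (for example `requests.get(**settings)`); a config that sets `insecure` without a CA file passes validation, but only because the operator wrote it down.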


