[Openstack-security] Certificate life in OpenStack

David Chadwick d.w.chadwick at kent.ac.uk
Thu May 8 09:51:32 UTC 2014


I don't think there is a correct answer to this. In general you have to
pick a time (any time) that will cater for the majority of transactions,
and then have some sort of refresh mechanism for those that are longer
than this. If you pick too long a time then people will start to ask for
a revocation facility (as happened in the grid for proxy certificates),
which negates the point of having short lived certificates in the first
place.

regards

David

On 08/05/2014 10:10, Clark, Robert Graham wrote:
> We are looking at various applications of short-life certificates in
> OpenStack, an idea I've discussed with a few members of the OpenStack
> Security Group previously.
> 
> Has anyone done any analysis on what the shortest lifespan you can
> generally get away with, or to put it another way, what's the longest
> operation that ever happens with an individual certificate?
> 
> I'm sure this will vary by service but very curious to see what others
> have done.
> 
> -Rob
> 



