[Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

Adam Young ayoung at redhat.com
Thu Aug 2 01:47:08 UTC 2012


On 08/01/2012 09:19 PM, Maru Newby wrote:
> I see that support for PKI Signed Tokens has been added to Keystone 
> without support for token revocation.  I tried to raise this issue on 
> the bug report:
>
> https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
>
> And the review:
>
> https://review.openstack.org/#/c/7754/
>
> I'm curious as to whether anybody shares my concern and if there is a 
> specific reason why nobody responded to my question as to why 
> revocation is not required for this new token scheme.   Anybody?

It was discussed back when I wrote the Blueprint.  While it is possible 
to do revocations with PKI, it is expensive and requires a lot of extra 
checking.  Revocation is a policy decision, and the assumption is that 
people that are going to use PKI tokens are comfortable without 
revocation.  Kerberos service tickets have the same limitation, and 
Kerberos has been in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough, revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against the 
needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets revoked, a 
blast message would have to go out to all registered parties informing 
them of the revocation.  Keystone does not yet have a message queue 
interface, so doing that is prohibitive in the first implementation.

Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.


>
> Thanks,
>
>
> Maru
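To make the trade-off in this thread concrete, here is an added example (not Keystone code, and not from either poster) of a validator that accepts a signed token offline on signature and expiry alone, and only consults a revocation list if one has been delivered; the "exposure window" it computes is the time a revoked-but-unexpired token keeps validating, which a short lifetime or a CRL-style push (with its propagation delay) shrinks. The HMAC signing key and all timestamps are constructed stand-ins; real PKI tokens are CMS-signed with the service's X.509 key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). It stands in for the CMS/X.509 signature
# check; the logic of interest is expiry and revocation, not the primitive.
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_token(user_id, issued_at, lifetime_s):
    """Mint a self-describing token: base64(payload).signature."""
    body = {"user_id": user_id, "issued_at": issued_at, "expires": issued_at + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def token_id(token):
    """Identifier a revocation list would carry instead of the full token."""
    return hashlib.sha256(token.encode()).hexdigest()


def validate(token, now, revoked_ids=None):
    """Offline check: signature, then expiry; revocation list only if one was delivered."""
    try:
        payload_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
    except ValueError:          # wrong number of parts or bad base64
        return "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"
    body = json.loads(payload)
    if now >= body["expires"]:
        return "expired"
    if revoked_ids is not None and token_id(token) in revoked_ids:
        return "revoked"
    return "valid"


def exposure_window(token, revoked_at, list_arrives_at=None):
    """Seconds a token revoked at `revoked_at` still validates: until expiry with no
    revocation list, or until the list reaches this validator (whichever is sooner)."""
    body = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))
    cutoff = body["expires"] if list_arrives_at is None else min(body["expires"], list_arrives_at)
    return max(0, cutoff - revoked_at)
```

Compare a one-hour token revoked ten minutes in (50 minutes of exposure with no revocation) against a fifteen-minute token (5 minutes) or a CRL-style push that lands five minutes after revocation (5 minutes): lifetime and propagation delay, not the signature, bound the damage.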
