[Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
Adam Young
ayoung at redhat.com
Thu Aug 2 01:47:08 UTC 2012
On 08/01/2012 09:19 PM, Maru Newby wrote:
> I see that support for PKI Signed Tokens has been added to Keystone
> without support for token revocation. I tried to raise this issue on
> the bug report:
>
> https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
>
> And the review:
>
> https://review.openstack.org/#/c/7754/
>
> I'm curious as to whether anybody shares my concern and if there is a
> specific reason why nobody responded to my question as to why
> revocation is not required for this new token scheme. Anybody?
It was discussed back when I wrote the Blueprint. While it is possible
to do revocations with PKI, it is expensive and requires a lot of extra
checking. Revocation is a policy decision, and the assumption is that
people that are going to use PKI tokens are comfortable with out
revocation. Kerberos service tickets have the same limitation, and
Kerberos has been in deployment that way for close to 25 years.
Assuming that PKI ticket lifespan is short enough, revocation should
not be required. What will be tricky is to balance the needs of long
lived tokens (delayed operations, long running operations) against the
needs for reasonable token timeout.
PKI Token revocation would look like CRLs in the Certificate world.
While they are used, they are clunky. Each time a token gets revoked, a
blast message would have to go out to all registered parties informing
them of the revocation. Keystone does not yet have a message queue
interface, so doing that is prohibitive in the first implementation.
Note that users can get disabled, and token chaining will no longer
work: you won't be able to use a token to get a new token from Keystone.
>
> Thanks,
>
>
> Maru
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120801/0f5e7991/attachment.html>
More information about the Openstack
mailing list