I'm opposed -- there's no benefit to this being in cryptography itself; this API can be totally implemented outside of it.
Alex

On Mon, Dec 19, 2016 at 4:17 PM, Boris Bobrov <bbob...@mirantis.com> wrote:
> Hi!
>
> I work on OpenStack Keystone. We use Fernet keys for our tokens. A token is basically a tuple encrypted with a fernet key.
>
> Fernet keys need to be rotated once in a while. Now we store them on disk. But it is problematic to rotate them in containers, because containers are supposed to be immutable.
>
> So the idea of key storages came up. For example, we could store the keys in a database. Or in OpenStack Barbican, which is a REST API designed for the secure storage, provisioning and management of secrets such as encryption keys. Or in Custodia, https://github.com/latchset/custodia
>
> However, it doesn't sound like this should be in Keystone. It is not keystone-specific and all Fernet keys users will probably benefit from that. What do you think about adding this sort of functionality to cryptography?
>
> The idea is to define an abstract class in cryptography for a storage. An instance of storage will be passed to MultiFernet, which will read the keys from there, create individual instances of fernet.Fernet and perform all the usual stuff. Storage classes can be implemented inside cryptography or outside of it.
>
> What do you think about this?
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
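The storage abstraction Boris proposes, built outside of cryptography as Alex says it can be, as an added example that is not part of the thread or of the cryptography project: `KeyStorage`, `DictKeyStorage` and the rotation walk-through are constructed here, and the dict backend stands in for a database, Barbican or Custodia. It shows the MultiFernet key-ordering rule (newest key first) and what happens to a token that was never rotated before the old key is retired.

```python
# Hypothetical KeyStorage / DictKeyStorage names (not cryptography's API).
from abc import ABC, abstractmethod
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class KeyStorage(ABC):
    """Abstract source of Fernet keys; a DB, Barbican or Custodia backend
    would subclass this. The returned list must have the newest key first."""

    @abstractmethod
    def load_keys(self) -> list[bytes]:
        ...


class DictKeyStorage(KeyStorage):
    """Constructed stand-in backend: keys in a dict, higher index = newer."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = dict(keys)

    def load_keys(self) -> list[bytes]:
        # MultiFernet encrypts with the first key and tries every key on
        # decrypt, so the primary (newest) key has to be ordered first.
        return [self.keys[i] for i in sorted(self.keys, reverse=True)]


def fernet_from_storage(storage: KeyStorage) -> MultiFernet:
    """Build a MultiFernet from whatever the storage currently holds."""
    return MultiFernet([Fernet(k) for k in storage.load_keys()])


def rotation_roundtrip(message: bytes) -> tuple[bytes, bool]:
    """Encrypt under key 0, add key 1, rotate the token, retire key 0.
    Returns (plaintext from the rotated token, whether the un-rotated
    token is rejected once key 0 is gone)."""
    storage = DictKeyStorage({0: Fernet.generate_key()})
    stale = fernet_from_storage(storage).encrypt(message)

    # Step 1: publish a new primary key; key 0 stays so old tokens decrypt.
    storage.keys[1] = Fernet.generate_key()
    rotated = fernet_from_storage(storage).rotate(stale)  # re-encrypted, key 1

    # Step 2: retire key 0. Tokens never rotated are now unreadable.
    del storage.keys[0]
    f = fernet_from_storage(storage)
    try:
        f.decrypt(stale)
        stale_rejected = False
    except InvalidToken:
        stale_rejected = True
    return f.decrypt(rotated), stale_rejected
```

Because the MultiFernet is rebuilt from the storage on each call, a key added or removed in the backend takes effect without restarting the process, which is the property the immutable-container setup needs.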