> > I don't understand. Users already have custody of their own keys. The
> > only thing that Keystone/Nova has is the public key fingerprint [1], not
> > the private key...
>
> You actually have the public key, not just the fingerprint, but indeed
> I do not see why barbican should be involved here. A public key does not
> need the same level of protection as a private key or a symmetric
> encryption key, so by storing this data in barbican we would only
> needlessly expose barbican to more access patterns and more
> logging/auditing volume than is needed.
>
I believe you're confusing a couple of points here. In this case, for public keys, what matters is integrity. For the other cases that you mentioned, both integrity and confidentiality matter. I believe that given the high integrity requirements that it *does* make sense to store these in a more protected location. +1 for using Barbican -bryan
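The integrity point above, illustrated with an added example that is not from this thread and not OpenStack, Nova or Barbican code. A public key is not secret, but whoever can rewrite the key that later gets injected into an instance's authorized_keys logs in as that user, so the store must be tamper-evident. The toy store below authenticates each record with an HMAC under a key only the store holds; the record layout, the HMAC scheme, the class and function names, and the ed25519 key bytes are all constructed for the example.

```python
"""Added example: a public-key store needs integrity, not confidentiality.

Nothing here is secret except STORE_KEY (held by the store, never by
clients). Records are readable by anyone, but a record that was altered
behind the store's back fails verification before the key is handed out.
"""
import base64
import hashlib
import hmac
import json
import os
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line.
    raw32 is a constructed 32-byte value, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the ssh-keygen format: 'SHA256:' + unpadded base64
    of the SHA-256 digest of the decoded key blob."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeypairStore:
    """Toy tamper-evident keypair store (hypothetical; stands in for whatever
    protection a dedicated secret/key store would provide)."""

    def __init__(self, store_key: bytes):
        self._store_key = store_key
        self._records = {}

    def _tag(self, name: str, pubkey_line: str) -> str:
        # Bind the key to its name so records cannot be swapped between users.
        msg = json.dumps({"name": name, "public_key": pubkey_line},
                         sort_keys=True).encode()
        return hmac.new(self._store_key, msg, hashlib.sha256).hexdigest()

    def put(self, name: str, pubkey_line: str) -> None:
        self._records[name] = {
            "name": name,
            "public_key": pubkey_line,
            "fingerprint": fingerprint(pubkey_line),
            "tag": self._tag(name, pubkey_line),
        }

    def raw(self, name: str) -> dict:
        """The backing row: what someone with direct database access can edit."""
        return self._records[name]

    def get_verified(self, name: str) -> str:
        """Return the public key only if the record is intact."""
        rec = self._records[name]
        tag_ok = hmac.compare_digest(rec["tag"], self._tag(rec["name"], rec["public_key"]))
        # The stored fingerprint alone is not protection (an attacker who can edit
        # the key can edit the fingerprint too); it only catches sloppy edits.
        fp_ok = fingerprint(rec["public_key"]) == rec["fingerprint"]
        if not (tag_ok and fp_ok):
            raise ValueError(f"keypair record {name!r} failed integrity check")
        return rec["public_key"]


def demo() -> tuple:
    """Returns (genuine_key_accepted, swapped_key_rejected)."""
    store = KeypairStore(os.urandom(32))
    user_key = make_ed25519_pubkey_line(bytes(range(32)), "alice@example")  # constructed
    store.put("alice-key", user_key)
    genuine_ok = store.get_verified("alice-key") == user_key

    # Attacker with write access to the backing table swaps in their own key
    # and even keeps the fingerprint column consistent.
    attacker_key = make_ed25519_pubkey_line(bytes(range(32, 64)), "alice@example")
    row = store.raw("alice-key")
    row["public_key"] = attacker_key
    row["fingerprint"] = fingerprint(attacker_key)
    try:
        store.get_verified("alice-key")
        rejected = False
    except ValueError:
        rejected = True
    return genuine_ok, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The HMAC is what does the work here; without it, an attacker who can write the table simply updates both the key and its fingerprint and nothing notices. That is the gap between "the public key is not secret" and "the public key does not need protection".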
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev