Re: [Openstack] Keystone, pki tokens and memcache

[Adam Young]

On 06/17/2013 12:27 AM, Sam Morrison wrote:

I'm currently looking into Grizzly and have been having some issues getting PKI 
tokens to work.

If I have memcache as the token backend keystone issues uuid based tokens, if I 
have sql as the backend then it issues PKI tokens.

Does this mean you can't use memcache backend if you want to use PKI tokens?

Cheers,
Sam


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
You are making additional configuration changes beyond the Backend. The 
config options for PKI vs UUID is defined in keystone/common/config.py



'token_format', group='signing', default=PKI

The Backend is in the same place:

'driver', group='token', default='keystone.token.backends.sql.Token'


So to set UUID tokens, in the config file,
[signing]
token_format=UUID

or explicitly

[signing]
token_format=PKI


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone, pki tokens and memcache

[Sam Morrison]

On 18/06/2013, at 1:18 AM, Adam Young ayo...@redhat.com wrote:

 On 06/17/2013 12:27 AM, Sam Morrison wrote:
 I'm currently looking into Grizzly and have been having some issues getting 
 PKI tokens to work.
 
 If I have memcache as the token backend keystone issues uuid based tokens, 
 if I have sql as the backend then it issues PKI tokens.
 
 Does this mean you can't use memcache backend if you want to use PKI tokens?
 
 Cheers,
 Sam
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp
 You are making additional configuration changes beyond the Backend. The 
 config options for PKI vs UUID is defined in keystone/common/config.py
 
 
 'token_format', group='signing', default=PKI
 
 The Backend is in the same place:
 
 'driver', group='token', default='keystone.token.backends.sql.Token'
 
 
 So to set UUID tokens, in the config file,
 [signing]
 token_format=UUID
 
 or explicitly
 
 [signing]
 token_format=PKI

Yeah I had token_format set. I switched back to memcache and it started 
working, not sure what is going on there. Will see if I can replicate.

Cheers,
Sam





___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone PKI support

[Adam Young]

On 09/04/2012 09:36 AM, boden wrote:

Hi,

I'm trying to better understand the current status of PKI
(http://wiki.openstack.org/PKI) and delegated authZ from a folsom
perspective. I can see the blueprint targets folsom-rc1, is marked as
implemented (https://blueprints.launchpad.net/keystone/+spec/pki) and
I've browsed some of the related code dropped into master.

However its not clear to me exactly where this PKI support stands as I
haven't found any docs on setting up the services to use it, nor am I
seeing PKI based tokens used when I run with the latest keystone code.

Is it safe to assume PKI will be supported for folsom and we will see
some updated docs in due time? If so will there be any known limitations?

Thx much


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


The PKI token code is very new.  As such, It has not been enabled by 
default.  There are changes that have gone in to the master branch that 
are not available on Folsom 3 that are necessary to the proper 
functioning of PKI.


I wrote to the Fedora cloud mailing list a quicjk blurb on testing them.

http://www.spinics.net/linux/fedora/fedora-cloud/msg01644.html

I will write up some more detailed steps for general usage.



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Maru Newby]

Hi Adam,

The blueprint as revised to address Joe's comments looks good to me - nice 
work.  I especially like how the middleware is intended to cache the revocation 
list for a configurable amount of time - it mirrors how token caching already 
works.

Cheers,


Maru

On 2012-08-07, at 10:09 AM, Adam Young wrote:

 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone without 
 support for token revocation.  I tried to raise this issue on the bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation is 
 not required for this new token scheme.   Anybody?
 
 I have written up a blueprint for PKI token revocation.  Please provide 
 feedback.
 
 
 https://blueprints.launchpad.net/keystone/+spec/pki-revoke
 
 
 Thanks,
 
 
 Maru
 
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue on 
the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a 
specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


I have written up a blueprint for PKI token revocation.  Please provide 
feedback.



https://blueprints.launchpad.net/keystone/+spec/pki-revoke



Thanks,


Maru




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/02/2012 10:54 PM, Nathanael Burton wrote:


Adam,

I haven't yet had a chance to review how the new PKI signed tokens is 
implemented, but what you're describing sounds quite similar to online 
certificate status protocol (OCSP) but for tokens.




Yes, I don't really have new idea here, just reimplementaiton of ideas 
from other projects.



Nate

On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:


On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware
that what I perceive as a very serious security concern was
openly discussed.  The arguments against revocation support, as
you've described them, seem to be:

 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the
potential security hole that a lack of revocation represents, but
I suppose a 'short enough' token lifespan could minimize that
hole.  But how short a span are you suggesting as being acceptable?

The delay between when a user's access permissions change
(whether roles, password or even account deactivation) and when
the ticket reflects that change is my concern.  The default in
Keystone has been 24h, which is clearly too long.  Something on
the order of 5 minutes would be ideal, but then ticket issuance
could become the bottleneck.  Validity that's much longer could
be a real problem, though.  Maybe not at the cloud administration
level, but for a given project I can imagine someone being fired
and their access being revoked.  How long is an acceptable period
for that ticket to still be valid?  How much damage could be done
by someone who should no longer have access to an account if
their access cannot be revoked, by anyone, at all?



I realize that I had been thinking about the revocation list as
something that needs to be broadcast.  This is certainly not the case.

A much better approach would be for the Keystone server to have a
list of revoked tokens exposed in an URL.  Then, as service like
Glance or Nova can query the Revocation list on a simple
schedule.  The time out would be configurable, of course.

There is a question about what to do if the keystone server cannot
be reached during that interval.  Since the current behavior is
for authentication to fail,  I suppose we would continue doing
that,  but also wait a random amount of time and then requery the
Keystone server.

In the future, I would like to make the set of Keystone servers a
configurable list, and the policy for revocation checking should
be able to vary per server:  some Keystone servers in a federated
approach might not be accessible.  In those cases,  it might be
necessary for one Keystone server to proxy the revocation list for
another server.

Let me know if this scheme makes sense to you.  If so, we can
write it up as an additional blueprint.  It should not be that
hard to implement.




I'm hearing that you, as the implementer of this feature, don't
consider the lack of revocation to be an issue.  What am I
missing?  Is support for revocation so repugnant that the
potential security hole is preferable?  I can see that from a
developer's perspective, but I don't understand why someone
deploying Keystone wouldn't avoid PKI tokens until revocation
support became available.

Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to
Keystone without support for token revocation.  I tried to
raise this issue on the bug report:

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if
there is a specific reason why nobody responded to my question
as to why revocation is not required for this new token scheme.
  Anybody?


It was discussed back when I wrote the Blueprint.  While it is
possible to do revocations with PKI,  it is expensive and
requires a lot of extra checking.  Revocation is a policy
decision, and the assumption is that people that are going to
use PKI tokens are comfortable with out revocation.  Kerberos
service tickets have the same limitation, and Kerberos has been
in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough,  revocation
should not be required.  What will be tricky is to balance the
needs of long lived tokens (delayed operations, long running
operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Joseph Heck]

Hey Maru,

I think you're putting too many words in Adam's mouth here. First, Adam didnt 
assert is wasnt valuable, useful, or nessecary - simply that it wasnt in the 
first cut and not in the list that we agreed was critically essential to an 
initial implementation. As you noted, its a complex and somewhat tricky issue 
to get right.

There's always room for more participation to correct the flaws you see in the 
existing system - the beauty of open source. I would love to see continued work 
on the signing and revocation work to drive in these features that mean so much 
to you.  I'd be happy to open a blueprint if you can stand behind it, define 
what you think it required, and commit to the work to implement that revocation 
mechanism.

Implying negative emotions on Adam's part when he's been one driving the 
implementation and doing the work is simply inappropriate. Please consider the 
blueprint route, definition of a viable solution, and work to make it happen 
instead of name calling and asserting how the developers doing the work are 
screwing up.

- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what I 
 perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is clearly 
 too long.  Something on the order of 5 minutes would be ideal, but then 
 ticket issuance could become the bottleneck.  Validity that's much longer 
 could be a real problem, though.  Maybe not at the cloud administration 
 level, but for a given project I can imagine someone being fired and their 
 access being revoked.  How long is an acceptable period for that ticket to 
 still be valid?  How much damage could be done by someone who should no 
 longer have access to an account if their access cannot be revoked, by 
 anyone, at all?
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation support 
 became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone without 
 support for token revocation.  I tried to raise this issue on the bug 
 report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation is 
 not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
 checking.  Revocation is a policy decision, and the assumption is that 
 people that are going to use PKI tokens are comfortable with out revocation. 
  Kerberos service tickets have the same limitation, and Kerberos has been in 
 deployment that way for close to 25 years.
 
 Assuming that PKI ticket lifespan is short enough,  revocation should not be 
 required.  What will be tricky is to balance the needs of long lived tokens 
 (delayed operations, long running operations) against the needs for 
 reasonable token timeout.
 
 PKI Token revocation would look like CRLs in the Certificate world.  While 
 they are used, they are clunky.  Each time a token gets revoked, a blast 
 message would have to go out to all registered parties informing them of the 
 revocation.  Keystone does not yet have a message queue interface, so doing 
 that is prohibitive in the first implementation.
 
 Note that users can get disabled, and token chaining will no longer work:  
 you won't be able to use a token to get a new token from Keystone.
 
 
 
 Thanks,
 
 
 Maru
 
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/02/2012 01:56 AM, Joseph Heck wrote:

Hey Maru,

I think you're putting too many words in Adam's mouth here. First, 
Adam didnt assert is wasnt valuable, useful, or nessecary - simply 
that it wasnt in the first cut and not in the list that we agreed was 
critically essential to an initial implementation. As you noted, its a 
complex and somewhat tricky issue to get right.


There's always room for more participation to correct the flaws you 
see in the existing system - the beauty of open source. I would love 
to see continued work on the signing and revocation work to drive in 
these features that mean so much to you.  I'd be happy to open a 
blueprint if you can stand behind it, define what you think it 
required, and commit to the work to implement that revocation mechanism.


Implying negative emotions on Adam's part when he's been one driving 
the implementation and doing the work is simply inappropriate. Please 
consider the blueprint route, definition of a viable solution, and 
work to make it happen instead of name calling and asserting how the 
developers doing the work are screwing up.


Thanks for the support Joe.  I don't think Maru was being too harsh.  So 
long as he doesn't start calling me Sir as that is always an followed 
by you are making a scene.


- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com 
mailto:mne...@internap.com wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware 
that what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the 
potential security hole that a lack of revocation represents, but I 
suppose a 'short enough' token lifespan could minimize that hole. 
 But how short a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to 
an account if their access cannot be revoked, by anyone, at all?


I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.
I think you have valid concerns.  Realistically, I think 5 minutes is 
too short,  and for many operations, 24 hours would be the right 
granularity.  However,  The timespan of the tokens is configurable, and 
the policy of the deploying organization should dictate.


Remember, this is the administrative interface for virtual machines, and 
not the applications running in them.  Removing someone from access to 
creating/rebooting/destroying virtual machines is a much more deliberate 
decision than banning someone from a public forum.  Aside from someone 
getting fired, I am not sure how essential it is that we have rapid 
revocation of tokens.  And firing someone is usually part of the whole 
escort from the building  routine.


So, let me put the onus on you:  make the argument for rapid revocation 
of tokens.





Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable with out revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Rouault, Jason (Cloud Services)]

This was a concern for HP as well.  This is one of the reasons we were happy
to see that signed tokens are currently a deployment option.  So, you can
continue to use the unsigned model until such a time that revocation can be
put into place for the token signing model.

 

Jason

 

From: openstack-bounces+jason.rouault=hp@lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On
Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: [Openstack] Keystone: 'PKI Signed Tokens' lack support for
revocation

 

I see that support for PKI Signed Tokens has been added to Keystone without
support for token revocation.  I tried to raise this issue on the bug
report:

 

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

 

And the review:

 

https://review.openstack.org/#/c/7754/

 

I'm curious as to whether anybody shares my concern and if there is a
specific reason why nobody responded to my question as to why revocation is
not required for this new token scheme.   Anybody?

 

Thanks,

 

 

Maru

 

 



smime.p7s
Description: S/MIME cryptographic signature
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware that 
what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential 
security hole that a lack of revocation represents, but I suppose a 
'short enough' token lifespan could minimize that hole.  But how short 
a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to an 
account if their access cannot be revoked, by anyone, at all?



I realize that I had been thinking about the revocation list as 
something that needs to be broadcast.  This is certainly not the case.


A much better approach would be for the Keystone server to have a list 
of revoked tokens exposed in an URL.  Then, as service like Glance or 
Nova can query the Revocation list on a simple schedule.  The time out 
would be configurable, of course.


There is a question about what to do if the keystone server cannot be 
reached during that interval.  Since the current behavior is for 
authentication to fail,  I suppose we would continue doing that,  but 
also wait a random amount of time and then requery the Keystone server.


In the future, I would like to make the set of Keystone servers a 
configurable list, and the policy for revocation checking should be able 
to vary per server:  some Keystone servers in a federated approach might 
not be accessible.  In those cases,  it might be necessary for one 
Keystone server to proxy the revocation list for another server.


Let me know if this scheme makes sense to you.  If so, we can write it 
up as an additional blueprint.  It should not be that hard to implement.





I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.


Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable with out revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25 years.


Assuming that PKI ticket lifespan is short enough,  revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against 
the needs for reasonable token timeout.


PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets 
revoked, a blast message would have to go out to all registered 
parties informing them of the revocation.  Keystone does not yet have 
a message queue interface, so doing that is prohibitive in the first 
implementation.


Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.





Thanks,


Maru




___
Mailing list:https://launchpad.net/~openstack
Post to :openstack@lists.launchpad.net
Unsubscribe :https://launchpad.net/~openstack
More help   

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Maru Newby]

Hi Adam,

I was thinking along the same lines - the revocation list could be accessed via 
a simple url.  It wouldn't even have to be hosted by Keystone, necessarily.  
For larger clusters where performance might become an issue, what about 
generating to a static file as needed that is made available via any of the 
usual web server suspects?

As to whether the keystone server cannot be reached, that could be 
configurable.  Some deployments might prefer permissive failure, others 
restrictive failure.  I can see the case for both options.

+1, also, to the set of Keystone servers being a configurable list, with 
differential policies for revocation checking.

As to a justification for revocation, my use-case is more Swift (and integrated 
CDN) than Nova.  A rogue user being able to manipulate VMs is one thing, but 
being able to expose potentially private data to a really wide audience is 
another.  I would rate the damage potential of an object storage compromise as 
easily as great as application-level compromise.

I would be happy to participate in creating and implementing these ideas.  How 
can I help?

Thanks,


Maru 

On 2012-08-02, at 10:24 PM, Adam Young wrote:

 On 08/01/2012 11:05 PM, Maru Newby wrote:
 
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what 
 I perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is 
 clearly too long.  Something on the order of 5 minutes would be ideal, but 
 then ticket issuance could become the bottleneck.  Validity that's much 
 longer could be a real problem, though.  Maybe not at the cloud 
 administration level, but for a given project I can imagine someone being 
 fired and their access being revoked.  How long is an acceptable period for 
 that ticket to still be valid?  How much damage could be done by someone who 
 should no longer have access to an account if their access cannot be 
 revoked, by anyone, at all?
 
 
 I realize that I had been thinking about the revocation list as something 
 that needs to be broadcast.  This is certainly not the case.
 
 A much better approach would be for the Keystone server to have a list of 
 revoked tokens exposed in an URL.  Then, as service like Glance or Nova can 
 query the Revocation list on a simple schedule.  The time out would be 
 configurable, of course.
 
 There is a question about what to do if the keystone server cannot be reached 
 during that interval.  Since the current behavior is for authentication to 
 fail,  I suppose we would continue doing that,  but also wait a random amount 
 of time and then requery the Keystone server.
 
 In the future, I would like to make the set of Keystone servers a 
 configurable list, and the policy for revocation checking should be able to 
 vary per server:  some Keystone servers in a federated approach might not be 
 accessible.  In those cases,  it might be necessary for one Keystone server 
 to proxy the revocation list for another server.
 
 Let me know if this scheme makes sense to you.  If so, we can write it up as 
 an additional blueprint.  It should not be that hard to implement.
 
 
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation 
 support became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone 
 without support for token revocation.  I tried to raise this issue on the 
 bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation 
 is not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Maru Newby]

Hi Adam,

I apologize if I came across as disrespectful.  I was becoming frustrated that 
what I perceived as a valid concern was seemingly being ignored, but I 
recognize that there is no excuse for addressing you in a manner that I would 
not myself wish to be treated.  I will do better going forward.

Thanks,


Maru

ps: Thank you for the reminder, Joe!

On 2012-08-02, at 1:56 AM, Joseph Heck wrote:

 Hey Maru,
 
 I think you're putting too many words in Adam's mouth here. First, Adam didnt 
 assert is wasnt valuable, useful, or nessecary - simply that it wasnt in the 
 first cut and not in the list that we agreed was critically essential to an 
 initial implementation. As you noted, its a complex and somewhat tricky issue 
 to get right.
 
 There's always room for more participation to correct the flaws you see in 
 the existing system - the beauty of open source. I would love to see 
 continued work on the signing and revocation work to drive in these features 
 that mean so much to you.  I'd be happy to open a blueprint if you can stand 
 behind it, define what you think it required, and commit to the work to 
 implement that revocation mechanism.
 
 Implying negative emotions on Adam's part when he's been one driving the 
 implementation and doing the work is simply inappropriate. Please consider 
 the blueprint route, definition of a viable solution, and work to make it 
 happen instead of name calling and asserting how the developers doing the 
 work are screwing up.
 
 - joe
 
 On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what 
 I perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is 
 clearly too long.  Something on the order of 5 minutes would be ideal, but 
 then ticket issuance could become the bottleneck.  Validity that's much 
 longer could be a real problem, though.  Maybe not at the cloud 
 administration level, but for a given project I can imagine someone being 
 fired and their access being revoked.  How long is an acceptable period for 
 that ticket to still be valid?  How much damage could be done by someone who 
 should no longer have access to an account if their access cannot be 
 revoked, by anyone, at all?
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation 
 support became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone 
 without support for token revocation.  I tried to raise this issue on the 
 bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation 
 is not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
 checking.  Revocation is a policy decision, and the assumption is that 
 people that are going to use PKI tokens are comfortable with out 
 revocation.  Kerberos service tickets have the same limitation, and 
 Kerberos has been in deployment that way for close to 25 years.
 
 Assuming that PKI ticket lifespan is short enough,  revocation should not 
 be required.  What will be tricky is to balance the needs of long lived 
 tokens (delayed operations, long running operations) against the needs for 
 reasonable token timeout.
 
 PKI Token revocation would look like CRLs in the Certificate world.  While 
 they are used, they are clunky.  Each time a token gets revoked, a blast 
 message would have to go out to all registered parties informing them of 
 the revocation.  Keystone does not yet have a message queue interface, so 
 doing that is 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Nathanael Burton]

Adam,

I haven't yet had a chance to review how the new PKI signed tokens is
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.

Nate
On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote:

  On 08/01/2012 11:05 PM, Maru Newby wrote:

 Hi Adam,

  I apologize if my questions were answered before.  I wasn't aware that
 what I perceive as a very serious security concern was openly discussed.
  The arguments against revocation support, as you've described them, seem
 to be:

   - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?

  I'm not sure why either of these arguments would justify the potential
 security hole that a lack of revocation represents, but I suppose a 'short
 enough' token lifespan could minimize that hole.  But how short a span are
 you suggesting as being acceptable?

  The delay between when a user's access permissions change (whether
 roles, password or even account deactivation) and when the ticket reflects
 that change is my concern.  The default in Keystone has been 24h, which is
 clearly too long.  Something on the order of 5 minutes would be ideal, but
 then ticket issuance could become the bottleneck.  Validity that's much
 longer could be a real problem, though.  Maybe not at the cloud
 administration level, but for a given project I can imagine someone being
 fired and their access being revoked.  How long is an acceptable period for
 that ticket to still be valid?  How much damage could be done by someone
 who should no longer have access to an account if their access cannot be
 revoked, by anyone, at all?



 I realize that I had been thinking about the revocation list as something
 that needs to be broadcast.  This is certainly not the case.

 A much better approach would be for the Keystone server to have a list of
 revoked tokens exposed in an URL.  Then, as service like Glance or Nova can
 query the Revocation list on a simple schedule.  The time out would be
 configurable, of course.

 There is a question about what to do if the keystone server cannot be
 reached during that interval.  Since the current behavior is for
 authentication to fail,  I suppose we would continue doing that,  but also
 wait a random amount of time and then requery the Keystone server.

 In the future, I would like to make the set of Keystone servers a
 configurable list, and the policy for revocation checking should be able to
 vary per server:  some Keystone servers in a federated approach might not
 be accessible.  In those cases,  it might be necessary for one Keystone
 server to proxy the revocation list for another server.

 Let me know if this scheme makes sense to you.  If so, we can write it up
 as an additional blueprint.  It should not be that hard to implement.



  I'm hearing that you, as the implementer of this feature, don't consider
 the lack of revocation to be an issue.  What am I missing?  Is support for
 revocation so repugnant that the potential security hole is preferable?  I
 can see that from a developer's perspective, but I don't understand why
 someone deploying Keystone wouldn't avoid PKI tokens until revocation
 support became available.

  Thanks,


  Maru



  On 2012-08-01, at 9:47 PM, Adam Young wrote:

  On 08/01/2012 09:19 PM, Maru Newby wrote:

 I see that support for PKI Signed Tokens has been added to Keystone
 without support for token revocation.  I tried to raise this issue on the
 bug report:

  https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

  And the review:

  https://review.openstack.org/#/c/7754/

  I'm curious as to whether anybody shares my concern and if there is a
 specific reason why nobody responded to my question as to why revocation is
 not required for this new token scheme.   Anybody?


 It was discussed back when I wrote the Blueprint.  While it is possible to
 do revocations with PKI,  it is expensive and requires a lot of extra
 checking.  Revocation is a policy decision, and the assumption is that
 people that are going to use PKI tokens are comfortable with out
 revocation.  Kerberos service tickets have the same limitation, and
 Kerberos has been in deployment that way for close to 25 years.

 Assuming that PKI ticket lifespan is short enough,  revocation should not
 be required.  What will be tricky is to balance the needs of long lived
 tokens (delayed operations, long running operations) against the needs for
 reasonable token timeout.

 PKI Token revocation would look like CRLs in the Certificate world.  While
 they are used, they are clunky.  Each time a token gets revoked, a blast
 message would have to go out to all registered parties informing them of
 the revocation.  Keystone does not yet have a message queue interface, so
 doing that is prohibitive in the first implementation.

 Note that users can get disabled, and token chaining will no longer work:
 you won't be able to use a 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Adam Young]

On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue on 
the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a 
specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is possible 
to do revocations with PKI,  it is expensive and requires a lot of extra 
checking.  Revocation is a policy decision, and the assumption is that 
people that are going to use PKI tokens are comfortable with out 
revocation.  Kerberos service tickets have the same limitation, and 
Kerberos has been in deployment that way for close to 25 years.


Assuming that PKI ticket lifespan is short enough,  revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against the 
needs for reasonable token timeout.


PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets revoked, a 
blast message would have to go out to all registered parties informing 
them of the revocation.  Keystone does not yet have a message queue 
interface, so doing that is prohibitive in the first implementation.


Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.





Thanks,


Maru




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

[Maru Newby]

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware that what I 
perceive as a very serious security concern was openly discussed.  The 
arguments against revocation support, as you've described them, seem to be:

 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security 
hole that a lack of revocation represents, but I suppose a 'short enough' token 
lifespan could minimize that hole.  But how short a span are you suggesting as 
being acceptable?

The delay between when a user's access permissions change (whether roles, 
password or even account deactivation) and when the ticket reflects that change 
is my concern.  The default in Keystone has been 24h, which is clearly too 
long.  Something on the order of 5 minutes would be ideal, but then ticket 
issuance could become the bottleneck.  Validity that's much longer could be a 
real problem, though.  Maybe not at the cloud administration level, but for a 
given project I can imagine someone being fired and their access being revoked. 
 How long is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to an account 
if their access cannot be revoked, by anyone, at all?

I'm hearing that you, as the implementer of this feature, don't consider the 
lack of revocation to be an issue.  What am I missing?  Is support for 
revocation so repugnant that the potential security hole is preferable?  I can 
see that from a developer's perspective, but I don't understand why someone 
deploying Keystone wouldn't avoid PKI tokens until revocation support became 
available.

Thanks,


Maru 
 


On 2012-08-01, at 9:47 PM, Adam Young wrote:

 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone without 
 support for token revocation.  I tried to raise this issue on the bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation is 
 not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to do 
 revocations with PKI,  it is expensive and requires a lot of extra checking.  
 Revocation is a policy decision, and the assumption is that people that are 
 going to use PKI tokens are comfortable with out revocation.  Kerberos 
 service tickets have the same limitation, and Kerberos has been in deployment 
 that way for close to 25 years.
 
 Assuming that PKI ticket lifespan is short enough,  revocation should not be 
 required.  What will be tricky is to balance the needs of long lived tokens 
 (delayed operations, long running operations) against the needs for 
 reasonable token timeout.
 
 PKI Token revocation would look like CRLs in the Certificate world.  While 
 they are used, they are clunky.  Each time a token gets revoked, a blast 
 message would have to go out to all registered parties informing them of the 
 revocation.  Keystone does not yet have a message queue interface, so doing 
 that is prohibitive in the first implementation.
 
 Note that users can get disabled, and token chaining will no longer work:  
 you won't be able to use a token to get a new token from Keystone.
 
 
 
 Thanks,
 
 
 Maru
 
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] PKI

[Tim Bell]

Fully agreed. Academic and Research sites have extensive X.509
infrastructure that we would not wish to duplicate.

 

Are you only looking at user certificates or are host certificates in the
scope too ?

 

Tim

 

From: openstack-bounces+tim.bell=cern...@lists.launchpad.net
[mailto:openstack-bounces+tim.bell=cern...@lists.launchpad.net] On Behalf Of
Adam Young
Sent: 16 May 2012 03:10
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone] PKI

 

Well, the PKI pieces are the same regardless of the CA and certificate
issuing pieces.  All we will need to do is to use a signing key to sign a
document.  So EJBCA or Dogtag will work equally as well.  If people already
have a CA infrastructure, they should be able to leverage that, too.


On 05/15/2012 04:47 PM, Thor Wolpert wrote: 

If you're open to levarging other OSS projects,
http://www.ejbca.org/architecture.html us a great one to look at, assuming
you need a PKI implementation available. 

 

I believe it is at least worth a look.

On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua razique.mahr...@gmail.com
wrote:

great topic :)





 mailto:he...@mac.com Joseph Heck

15 mai 2012 21:06

Coming out of the Keystone meeting from today
(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-me
eting.2012-05-15-18.02.html), I thought it worth mentioning that adam young
has been doing some tremendous lifting in terms of looking at adding in PKI
support to Keystone. The writeup and details are on the OpenStack wiki at
http://wiki.openstack.org/PKI

I rather suspect there's a lot of interest in this topic, so I wanted to
make sure the broader community knew about the effort, what we were
thinking, and were we are. 

If you're interested in discussing, the keystone meeting is on Tuesday
mornings at 18:00 UTC

-joe

___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack 
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack 
More help : https://help.launchpad.net/ListHelp

 

-- 
Nuage  Co - Razique Mahroua 
razique.mahr...@gmail.com

  


___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack 
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack 
More help   : https://help.launchpad.net/ListHelp

 






___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

 



smime.p7s
Description: S/MIME cryptographic signature
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] PKI

[Razique Mahroua]

great topic :) 	   
   	Joseph Heck  
  15 mai 2012 21:06Coming out of the Keystone
 meeting from today 
(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
 I thought it worth mentioning that adam young has been doing some 
tremendous lifting in terms of looking at adding in PKI support to 
Keystone. The writeup and details are on the OpenStack wiki at 
http://wiki.openstack.org/PKII rather suspect there's a lot of 
interest in this topic, so I wanted to make sure the broader community 
knew about the effort, what we were thinking, and were we are. If
 you're interested in discussing, the keystone meeting is on Tuesday 
mornings at 18:00 UTC-joe___Mailing
 list: https://launchpad.net/~openstackPost to : 
openstack@lists.launchpad.netUnsubscribe : 
https://launchpad.net/~openstackMore help   : 
https://help.launchpad.net/ListHelp-- Nuage  Co - Razique Mahroua 
razique.mahr...@gmail.com















___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] PKI

[Thor Wolpert]

If you're open to levarging other OSS projects,
http://www.ejbca.org/architecture.html us a great one to look at, assuming
you need a PKI implementation available.

I believe it is at least worth a look.

On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua
razique.mahr...@gmail.comwrote:

 great topic :)


  Joseph Heck he...@mac.com
  15 mai 2012 21:06
 Coming out of the Keystone meeting from today (
 http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
 I thought it worth mentioning that adam young has been doing some
 tremendous lifting in terms of looking at adding in PKI support to
 Keystone. The writeup and details are on the OpenStack wiki at
 http://wiki.openstack.org/PKI

 I rather suspect there's a lot of interest in this topic, so I wanted to
 make sure the broader community knew about the effort, what we were
 thinking, and were we are.

 If you're interested in discussing, the keystone meeting is on Tuesday
 mornings at 18:00 UTC

 -joe

 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help : https://help.launchpad.net/ListHelp


 --
 Nuage  Co - Razique Mahroua
 razique.mahr...@gmail.com




 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] PKI

[Adam Young]

Well, the PKI pieces are the same regardless of the CA and certificate 
issuing pieces.  All we will need to do is to use a signing key to sign 
a document.  So EJBCA or Dogtag will work equally as well.  If people 
already have a CA infrastructure, they should be able to leverage that, too.



On 05/15/2012 04:47 PM, Thor Wolpert wrote:
If you're open to levarging other OSS projects, 
http://www.ejbca.org/architecture.html us a great one to look at, 
assuming you need a PKI implementation available.


I believe it is at least worth a look.

On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua 
razique.mahr...@gmail.com mailto:razique.mahr...@gmail.com wrote:


great topic :)



Joseph Heck mailto:he...@mac.com
15 mai 2012 21:06
Coming out of the Keystone meeting from today

(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
I thought it worth mentioning that adam young has been doing some
tremendous lifting in terms of looking at adding in PKI support
to Keystone. The writeup and details are on the OpenStack wiki at
http://wiki.openstack.org/PKI

I rather suspect there's a lot of interest in this topic, so I
wanted to make sure the broader community knew about the effort,
what we were thinking, and were we are.

If you're interested in discussing, the keystone meeting is on
Tuesday mornings at 18:00 UTC

-joe

___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help : https://help.launchpad.net/ListHelp


-- 
Nuage  Co - Razique Mahroua

razique.mahr...@gmail.com mailto:razique.mahr...@gmail.com




___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help   : https://help.launchpad.net/ListHelp




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [Keystone] PKI

[Haneef ALI]

Hi Adam,

Can you please clarify the following  in PKI blueprint?


1) Do you assume that roles won't be changed after getToken and before
validateToken?

!--

if the token contains just the following data :

   - {username: admiyo,tenant: Fedora,expires: 2359:05May2012, roles:
   [admin,editor]}

This message is then encrypted with Keystones private key. Any service that
has Keystones public key can decrypt the message. Since it is decrypted
with the public key, it had to be encrypted by Keystone, and is therefore
valid. The Keystone Certificate only has to be distributed once to each
service, and can be fetched on demand.

--

What is keystone private key?  Do you mean user private key?
!--When a user is created in Keystone, they will be given a
one-time-password that they will then use to establish a key-pair. Only the
Public Key will be stored on the Keystone server, the Private key will only
be stored on the end users system. The public key will be signed by the
certificate authority (X509) and then stored in the Keystone system. From
this point on, when authenticating to Keystone, the user will use the
client certificate.
--

1) Why do we need to store users client cert in keystone system?  BTW what
do you mean by keystone system? Is it  keystone server?  or  any system
like swift/nova which uses keystone to authenticate

Thanks

On Tue, May 15, 2012 at 6:09 PM, Adam Young ayo...@redhat.com wrote:

  Well, the PKI pieces are the same regardless of the CA and certificate
 issuing pieces.  All we will need to do is to use a signing key to sign a
 document.  So EJBCA or Dogtag will work equally as well.  If people already
 have a CA infrastructure, they should be able to leverage that, too.



 On 05/15/2012 04:47 PM, Thor Wolpert wrote:

 If you're open to levarging other OSS projects,
 http://www.ejbca.org/architecture.html us a great one to look at,
 assuming you need a PKI implementation available.

  I believe it is at least worth a look.

 On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua 
 razique.mahr...@gmail.com wrote:

  great topic :)


Joseph Heck he...@mac.com
  15 mai 2012 21:06
   Coming out of the Keystone meeting from today (
 http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
 I thought it worth mentioning that adam young has been doing some
 tremendous lifting in terms of looking at adding in PKI support to
 Keystone. The writeup and details are on the OpenStack wiki at
 http://wiki.openstack.org/PKI

 I rather suspect there's a lot of interest in this topic, so I wanted to
 make sure the broader community knew about the effort, what we were
 thinking, and were we are.

 If you're interested in discussing, the keystone meeting is on Tuesday
 mornings at 18:00 UTC

 -joe

 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help : https://help.launchpad.net/ListHelp


 --
 Nuage  Co - Razique Mahroua
 razique.mahr...@gmail.com




 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp




 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp



 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp