Re: [openstack-dev] [openstack-ansible][security] Improving SSL/TLS in OpenStack-Ansible

[Jesse Pretorius]

On 15 January 2016 at 14:18, Major Hayden  wrote:
>
>
> I've attended some of the OpenStack Security Mid-Cycle meeting this week
> and Robert Clark was kind enough to give me a deep dive on the Anchor
> project[1].  We had a good discussion around my original email thread[2] on
> improving SSL/TLS certificates within OpenStack-Ansible (OSA) and we went
> over my proposed spec[3] on the topic.
>
> Jean-Philippe Evrard helped me assemble an etherpad[4] this morning where
> we brainstormed some problem statements, user stories, and potential
> solutions for improving the certificate experience in OSA.  It seems like
> an ephemeral PKI solution, like Anchor, might provide a better certificate
> experience for users while also making the revocation and issuance process
> easier.
>
> I'd really like to get some feedback from the OpenStack community on our
> current brainstorming efforts.  We've enumerated a few use cases and user
> stories already, but we've probably missed some other important ones.  Feel
> free to stop by #openstack-ansible or join us in the etherpad.
>
> Thanks!
>
> [1] https://wiki.openstack.org/wiki/Security/Projects/Anchor
> [2]
> http://lists.openstack.org/pipermail/openstack-dev/2015-October/077877.html
> [3] https://review.openstack.org/#/c/243332/
> [4] https://etherpad.openstack.org/p/openstack-ansible-tls-improvement


Major - fantastic initiative.

One thing I'd like to say is to remind you that OSA is a toolbox of roles
and plays that a deployer can mix and match to suit the needs of the
specific environment.

This effectively means that we could easily curate or consume Ansible roles
which do any of the options outlined as possible solutions. What we care
about mostly is:

1 - consistency in the deployment of certificates and configuration of
services (consistency improves ease of use)
2 - simplicity of deployment - for example making it easy to apply one set
of certs across the board
3 - modularity - retain the ability to apply a different cert to any one
service, and the ability to have TLS/SSL on for some and not for others
4 - testing - we need to be able to gate test services individually, and in
end-to-end scenario's. Each possible scenario costs time, effort and gate
resources - so ideally we want to reduce our first class tested scenario's
but implement everything in such a way that we have a high level of
confidence that replacing one certificate generation method with another
will not change the result.

Thanks to both yourself and Jean-Philippe for taking this on!
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [openstack-ansible][security] Improving SSL/TLS in OpenStack-Ansible

[Major Hayden]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hey folks,

I've attended some of the OpenStack Security Mid-Cycle meeting this week and 
Robert Clark was kind enough to give me a deep dive on the Anchor project[1].  
We had a good discussion around my original email thread[2] on improving 
SSL/TLS certificates within OpenStack-Ansible (OSA) and we went over my 
proposed spec[3] on the topic.

Jean-Philippe Evrard helped me assemble an etherpad[4] this morning where we 
brainstormed some problem statements, user stories, and potential solutions for 
improving the certificate experience in OSA.  It seems like an ephemeral PKI 
solution, like Anchor, might provide a better certificate experience for users 
while also making the revocation and issuance process easier.

I'd really like to get some feedback from the OpenStack community on our 
current brainstorming efforts.  We've enumerated a few use cases and user 
stories already, but we've probably missed some other important ones.  Feel 
free to stop by #openstack-ansible or join us in the etherpad.

Thanks!

[1] https://wiki.openstack.org/wiki/Security/Projects/Anchor
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-October/077877.html
[3] https://review.openstack.org/#/c/243332/
[4] https://etherpad.openstack.org/p/openstack-ansible-tls-improvement

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJWmP+9AAoJEHNwUeDBAR+xZpwP/Ana9JFTEGRvZSzKQHv/jQeY
KjUFTjXIBqijVysPpv4VIus8A8wiZNIUk2GMFy6IAA3XrBuAMXaRYmTvJZ6/gUq+
k57o3buH2pxlLiYJkK4DToPqzgYx2pjfUzO3IXPrmDS82JQrKp7xLvGgICe0lgtS
VCSjEDfXFRQuaKg5Uk99hzoZsuRVsiIpAAd97Q2h603FNzZk3bqleF1czrSQS/0i
vjLYQoCcUKYTy9dvqZ39dhh4ACtsaccKv0tF72v0rEn7y6eTJZ6ssAC1257Duzii
UffLA+t++BZ0SMeIhVGoI7kE+KoItEdzPMJ9V4i+/HZBbUQPmFik01vlfGsrAH9r
uygSnZyDJ2+jIx/eoLTM9QRjf4rqXjBbTlz9EpwQoo0nhJWV/EBrUNoFmRFTItr+
MkNwRty1HK4g28yqUI/iHiVu+GOU91M6EDlGqBO/lvMyy8886SPakZaNLfB4Mo2K
+LwvwIrRHBgQNC12FkG7nwOXnetRoaxYvw0hu5Zbm/yhQiIDe5LFu0REKNiJb6KG
kDSaCmKWNixHiOwCWYecRpkGqIJJfIasQ8DYaUm905WsxaDwisBG4lu3TEJSHKs/
SmoLmMFNaN9PhiaVlLSeuj+FwN4arTDBxAahASQoaMSDMCy/HURTaQSt7+FXn+wD
eEVF2pRXgeRQl31B5Dpe
=ukvd
-END PGP SIGNATURE-

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev