Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-12 Thread Clark, Robert Graham
> -Original Message-
> From: Adam Young [mailto:ayo...@redhat.com]
> Sent: 12 October 2015 02:24
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] [Security] Introducing Killick PKI
> 
> On 10/11/2015 06:50 PM, Robert Collins wrote:
> > On 9 October 2015 at 06:47, Adam Young <ayo...@redhat.com> wrote:
> >> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
> >>> Hi All,
> >>>
> >>> At a previous OpenStack Security Project IRC meeting, we briefly discussed
> >>> a lightweight traditional PKI using the Anchor validation functionality, 
> >>> for
> >>> use in internal deployments, as an alternative to things like MS ADCS. To
> >>> take this further, I have drafted a spec, which is in the security-specs
> >>> repo, and would appreciate feedback:
> >>>
> >>> https://review.openstack.org/#/c/231955/
> >>>
> >>> Regards
> >>>
> >>> Doug
> >> How is this better than Dogtag/FreeIPA?
> > DogTag is Tomcat yeah? That's not exactly trivial to deploy - the spec
> > specifically calls out the desire to have a low-admin-overhead
> > solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
> > environment? I see that the dogtag-pki packages in Debian are up to
> > date - perhaps more discussion w/ops is needed?
> 
> Tomcat is trivial to deploy; it is in all the major distributions
> already. Dogtag is slightly more complex because it does things right
> WRT security hardening the Tomcat instance.  But the process is
> automated as part of the Dogtag code base.
> 
> A better bet is using Dogtag as installed with FreeIPA. It is supported
> in both Debian based and RPM based distributions.  The dev team is
> primarily Red Hat, with an Ubuntu packager dealing with the headaches of
> getting it installed there.  There is someone working on SuSE already as
> well.  FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.
> 
> We have a demo of using Kerberos to authenticate and encrypt the
> messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all
> of the Web services.  I'll be one of the people demoing it at the Red
> Hat booth at Tokyo if you want to see it and ask questions directly.
> 
> For self-signed certificates, we can use certmonger and the self-signed
> backend; we should be using Certmonger as the cert management client no
> matter what.  There was a Certmonger-Barbican plugin underway, but I do
> not know the status of it.
> 
> 
> Let's not reinvent this; the security and cryptography focused people on
> OpenStack are already spread thin. Let's focus on reusing pre-existing
> solutions.

There's very little out there in terms of easy to use, deploy and scale PKI 
systems. ADCS is very tightly coupled to Windows, EJBCA is clunky, pyCA isn't 
supported anymore afaik, and my personal experience with Dogtag (YMMV of course) 
is that it was difficult to set up and maintain. Now that was some time ago, 
when the available documentation didn't match the shipping version and 
Ubuntu support wasn't a thing, so I'm sure it's moved on now and it's possibly 
great - but - that's no reason not to have a crack at making something better. 
(For some personal interpretation of "better".)

Reinvention can be good; after all, if it wasn't, OpenStack probably wouldn't be 
a thing.

-Rob

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-11 Thread Robert Collins
On 9 October 2015 at 06:47, Adam Young wrote:
> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
>>
>> Hi All,
>>
>> At a previous OpenStack Security Project IRC meeting, we briefly discussed
>> a lightweight traditional PKI using the Anchor validation functionality, for
>> use in internal deployments, as an alternative to things like MS ADCS. To
>> take this further, I have drafted a spec, which is in the security-specs
>> repo, and would appreciate feedback:
>>
>> https://review.openstack.org/#/c/231955/
>>
>> Regards
>>
>> Doug
>
> How is this better than Dogtag/FreeIPA?

DogTag is Tomcat yeah? That's not exactly trivial to deploy - the spec
specifically calls out the desire to have a low-admin-overhead
solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
environment? I see that the dogtag-pki packages in Debian are up to
date - perhaps more discussion w/ops is needed?

-Rob

-- 
Robert Collins 
Distinguished Technologist
HP Converged Cloud


Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-11 Thread Adam Young

On 10/11/2015 06:50 PM, Robert Collins wrote:

On 9 October 2015 at 06:47, Adam Young wrote:

On 10/08/2015 12:50 PM, Chivers, Doug wrote:

Hi All,

At a previous OpenStack Security Project IRC meeting, we briefly discussed
a lightweight traditional PKI using the Anchor validation functionality, for
use in internal deployments, as an alternative to things like MS ADCS. To
take this further, I have drafted a spec, which is in the security-specs
repo, and would appreciate feedback:

https://review.openstack.org/#/c/231955/

Regards

Doug

How is this better than Dogtag/FreeIPA?

DogTag is Tomcat yeah? That's not exactly trivial to deploy - the spec
specifically calls out the desire to have a low-admin-overhead
solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
environment? I see that the dogtag-pki packages in Debian are up to
date - perhaps more discussion w/ops is needed?


Tomcat is trivial to deploy; it is in all the major distributions 
already. Dogtag is slightly more complex because it does things right 
WRT security hardening the Tomcat instance.  But the process is 
automated as part of the Dogtag code base.


A better bet is using Dogtag as installed with FreeIPA. It is supported 
in both Debian based and RPM based distributions.  The dev team is 
primarily Red Hat, with an Ubuntu packager dealing with the headaches of 
getting it installed there.  There is someone working on SuSE already as 
well.  FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.


We have a demo of using Kerberos to authenticate and encrypt the 
messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all 
of the Web services.  I'll be one of the people demoing it at the Red 
Hat booth at Tokyo if you want to see it and ask questions directly.


For self-signed certificates, we can use certmonger and the self-signed 
backend; we should be using Certmonger as the cert management client no 
matter what.  There was a Certmonger-Barbican plugin underway, but I do 
not know the status of it.



Let's not reinvent this; the security and cryptography focused people on 
OpenStack are already spread thin. Let's focus on reusing pre-existing 
solutions.

-Rob


Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-08 Thread Adam Young

On 10/08/2015 12:50 PM, Chivers, Doug wrote:

Hi All,

At a previous OpenStack Security Project IRC meeting, we briefly discussed a 
lightweight traditional PKI using the Anchor validation functionality, for use 
in internal deployments, as an alternative to things like MS ADCS. To take this 
further, I have drafted a spec, which is in the security-specs repo, and would 
appreciate feedback:

https://review.openstack.org/#/c/231955/

Regards

Doug

How is this better than Dogtag/FreeIPA?


Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-08 Thread Chivers, Doug
Very lightweight, automatic certificate security policy enforcement. 

Doug

> On 8 Oct 2015, at 18:48, Adam Young wrote:
> 
>> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
>> Hi All,
>> 
>> At a previous OpenStack Security Project IRC meeting, we briefly discussed a 
>> lightweight traditional PKI using the Anchor validation functionality, for 
>> use in internal deployments, as an alternative to things like MS ADCS. To 
>> take this further, I have drafted a spec, which is in the security-specs 
>> repo, and would appreciate feedback:
>> 
>> https://review.openstack.org/#/c/231955/
>> 
>> Regards
>> 
>> Doug
> How is this better than Dogtag/FreeIPA?
> 