Hi Adam,
The blueprint as revised to address Joe's comments looks good to me - nice
work. I especially like how the middleware is intended to cache the revocation
list for a configurable amount of time - it mirrors how token caching already
works.
Cheers,
Maru
On 2012-08-07, at 10:09 AM,
On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone
without support for token revocation. I tried to raise this issue on
the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
On 08/02/2012 10:54 PM, Nathanael Burton wrote:
Adam,
I haven't yet had a chance to review how the new PKI signed tokens is
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.
Yes, I don't really have new idea here,
Hey Maru,
I think you're putting too many words in Adam's mouth here. First, Adam didnt
assert is wasnt valuable, useful, or nessecary - simply that it wasnt in the
first cut and not in the list that we agreed was critically essential to an
initial implementation. As you noted, its a complex
On 08/02/2012 01:56 AM, Joseph Heck wrote:
Hey Maru,
I think you're putting too many words in Adam's mouth here. First,
Adam didnt assert is wasnt valuable, useful, or nessecary - simply
that it wasnt in the first cut and not in the list that we agreed was
critically essential to an initial
: openstack-bounces+jason.rouault=hp@lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On
Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: [Openstack] Keystone: 'PKI Signed Tokens
On 08/01/2012 11:05 PM, Maru Newby wrote:
Hi Adam,
I apologize if my questions were answered before. I wasn't aware that
what I perceive as a very serious security concern was openly
discussed. The arguments against revocation support, as you've
described them, seem to be:
- it's
Hi Adam,
I was thinking along the same lines - the revocation list could be accessed via
a simple url. It wouldn't even have to be hosted by Keystone, necessarily.
For larger clusters where performance might become an issue, what about
generating to a static file as needed that is made
Hi Adam,
I apologize if I came across as disrespectful. I was becoming frustrated that
what I perceived as a valid concern was seemingly being ignored, but I
recognize that there is no excuse for addressing you in a manner that I would
not myself wish to be treated. I will do better going
Adam,
I haven't yet had a chance to review how the new PKI signed tokens is
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.
Nate
On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote:
On 08/01/2012 11:05 PM, Maru
I see that support for PKI Signed Tokens has been added to Keystone without
support for token revocation. I tried to raise this issue on the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
https://review.openstack.org/#/c/7754/
I'm curious as to
On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone
without support for token revocation. I tried to raise this issue on
the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
Hi Adam,
I apologize if my questions were answered before. I wasn't aware that what I
perceive as a very serious security concern was openly discussed. The
arguments against revocation support, as you've described them, seem to be:
- it's complicated/messy/expensive to implement and/or
13 matches
Mail list logo
