Re: [Openstack] Keystone, pki tokens and memcache

2013-06-17 Thread Adam Young
On 06/17/2013 12:27 AM, Sam Morrison wrote: I'm currently looking into Grizzly and have been having some issues getting PKI tokens to work. If I have memcache as the token backend, Keystone issues UUID-based tokens; if I have sql as the backend, then it issues PKI tokens. Does this mean you

Re: [Openstack] Keystone, pki tokens and memcache

2013-06-17 Thread Sam Morrison
On 18/06/2013, at 1:18 AM, Adam Young ayo...@redhat.com wrote: On 06/17/2013 12:27 AM, Sam Morrison wrote: I'm currently looking into Grizzly and have been having some issues getting PKI tokens to work. If I have memcache as the token backend, Keystone issues UUID-based tokens; if I have

[Openstack] Keystone, pki tokens and memcache

2013-06-16 Thread Sam Morrison
I'm currently looking into Grizzly and have been having some issues getting PKI tokens to work. If I have memcache as the token backend, Keystone issues UUID-based tokens; if I have sql as the backend, then it issues PKI tokens. Does this mean you can't use memcache backend if you want to use

[Openstack] Keystone PKI support

2012-09-04 Thread boden
Hi, I'm trying to better understand the current status of PKI (http://wiki.openstack.org/PKI) and delegated authZ from a Folsom perspective. I can see the blueprint targets folsom-rc1, is marked as implemented (https://blueprints.launchpad.net/keystone/+spec/pki) and I've browsed some of the

Re: [Openstack] Keystone PKI support

2012-09-04 Thread Adam Young
On 09/04/2012 09:36 AM, boden wrote: Hi, I'm trying to better understand the current status of PKI (http://wiki.openstack.org/PKI) and delegated authZ from a Folsom perspective. I can see the blueprint targets folsom-rc1, is marked as implemented

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-09 Thread Maru Newby
Hi Adam, The blueprint as revised to address Joe's comments looks good to me - nice work. I especially like how the middleware is intended to cache the revocation list for a configurable amount of time - it mirrors how token caching already works. Cheers, Maru On 2012-08-07, at 10:09 AM,

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-07 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review:

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-03 Thread Adam Young
On 08/02/2012 10:54 PM, Nathanael Burton wrote: Adam, I haven't yet had a chance to review how the new PKI signed tokens are implemented, but what you're describing sounds quite similar to online certificate status protocol (OCSP) but for tokens. Yes, I don't really have new idea here,

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Joseph Heck
Hey Maru, I think you're putting too many words in Adam's mouth here. First, Adam didn't assert it wasn't valuable, useful, or necessary - simply that it wasn't in the first cut and not in the list that we agreed was critically essential to an initial implementation. As you noted, it's a complex

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
On 08/02/2012 01:56 AM, Joseph Heck wrote: Hey Maru, I think you're putting too many words in Adam's mouth here. First, Adam didn't assert it wasn't valuable, useful, or necessary - simply that it wasn't in the first cut and not in the list that we agreed was critically essential to an initial

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Rouault, Jason (Cloud Services)
: openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Maru Newby Sent: Wednesday, August 01, 2012 7:20 PM To: openstack@lists.launchpad.net (openstack@lists.launchpad.net) Subject: [Openstack] Keystone: 'PKI Signed Tokens

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
On 08/01/2012 11:05 PM, Maru Newby wrote: Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be: - it's

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Maru Newby
Hi Adam, I was thinking along the same lines - the revocation list could be accessed via a simple url. It wouldn't even have to be hosted by Keystone, necessarily. For larger clusters where performance might become an issue, what about generating to a static file as needed that is made

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Maru Newby
Hi Adam, I apologize if I came across as disrespectful. I was becoming frustrated that what I perceived as a valid concern was seemingly being ignored, but I recognize that there is no excuse for addressing you in a manner that I would not myself wish to be treated. I will do better going

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Nathanael Burton
Adam, I haven't yet had a chance to review how the new PKI signed tokens are implemented, but what you're describing sounds quite similar to online certificate status protocol (OCSP) but for tokens. Nate On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote: On 08/01/2012 11:05 PM, Maru

[Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-01 Thread Maru Newby
I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.openstack.org/#/c/7754/ I'm curious as to

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-01 Thread Adam Young
On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review:

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-01 Thread Maru Newby
Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be: - it's complicated/messy/expensive to implement and/or

Re: [Openstack] [Keystone] PKI

2012-05-16 Thread Tim Bell
-bounces+tim.bell=cern...@lists.launchpad.net] On Behalf Of Adam Young Sent: 16 May 2012 03:10 To: openstack@lists.launchpad.net Subject: Re: [Openstack] [Keystone] PKI Well, the PKI pieces are the same regardless of the CA and certificate issuing pieces. All we will need to do is to use a signing

[Openstack] [Keystone] PKI

2012-05-15 Thread Joseph Heck
Coming out of the Keystone meeting from today (http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html), I thought it worth mentioning that Adam Young has been doing some tremendous lifting in terms of looking at adding in PKI support to Keystone.

Re: [Openstack] [Keystone] PKI

2012-05-15 Thread Razique Mahroua
great topic :) Joseph Heck 15 May 2012 21:06 Coming out of the Keystone meeting from today (http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html), I thought it worth mentioning that Adam Young has been doing some tremendous

Re: [Openstack] [Keystone] PKI

2012-05-15 Thread Thor Wolpert
If you're open to leveraging other OSS projects, http://www.ejbca.org/architecture.html is a great one to look at, assuming you need a PKI implementation available. I believe it is at least worth a look. On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua razique.mahr...@gmail.com wrote: great

Re: [Openstack] [Keystone] PKI

2012-05-15 Thread Adam Young
Well, the PKI pieces are the same regardless of the CA and certificate issuing pieces. All we will need to do is to use a signing key to sign a document. So EJBCA or Dogtag will work equally as well. If people already have a CA infrastructure, they should be able to leverage that, too. On

Re: [Openstack] [Keystone] PKI

2012-05-15 Thread Haneef ALI
Hi Adam, Can you please clarify the following in the PKI blueprint? 1) Do you assume that roles won't be changed after getToken and before validateToken? if the token contains just the following data : - {username: admiyo,tenant: Fedora,expires: 2359:05May2012, roles: [admin,editor]}