On 7/2/13 12:43 PM, "Simo Sorce" wrote:
>On Tue, 2013-07-02 at 16:55 +, Tiwari, Arvind wrote:
>> Hi Simo,
>>
>> I am lost.
>>
>> Is Barbican a product that came out of the
>> https://wiki.openstack.org/wiki/KeyManager BP?
>
>Yes Barbican is an implementation of this Blueprint afaik.
Barbican is
> If you do not trust keystone to give you the right information you have
> already lost as keystone is used (afaik) to check for authorization
> anyway.
>
This is true.
> Can you be a little bit more explicit on the threat model you have in
> mind and what guarantees Barbican would give you tha
On Tue, Jul 2, 2013 at 8:12 AM, Bryan D. Payne wrote:
>
> > I don't understand. Users already have custody of their own keys. The
>> > only thing that Keystone/Nova has is the public key fingerprint [1], not
>> > the private key...
>>
>> You actually have the public key, not just the fingerprin
Wrote this answer this morning, but Simo beat me to it. Answer below sent
for posterity.
TL;DR:
Jay - it seems like we are on the same page. Barbican can be helpful for
generation and storage (if needed) of various types of keying material.
However, if your use case is better served by storing
On Tue, 2013-07-02 at 16:55 +, Tiwari, Arvind wrote:
> Hi Simo,
>
> I am lost.
>
> Is Barbican a product that came out of the
> https://wiki.openstack.org/wiki/KeyManager BP?
Yes Barbican is an implementation of this Blueprint afaik.
> If yes, then why it is deviating from the BP which says Key
On Tue, 2013-07-02 at 08:12 -0700, Bryan D. Payne wrote:
>
> > I don't understand. Users already have custody of their own
> keys. The
> > only thing that Keystone/Nova has is the public key
> fingerprint [1], not
> > the private key...
>
>
to me a
subset of above BP)?
Arvind
-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Tuesday, July 02, 2013 8:57 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Move keypair management out of Nova and into
Keystone?
On Tue, 2013-07-02 at 10
> +1 for using Barbican
>>
>
> Simo just got finished saying Barbican was *not* the correct place to put
> this information...
Understood. I'm disagreeing with Simo. And I'm agreeing with Jarret Raim.
-bryan
On 07/02/2013 11:12 AM, Bryan D. Payne wrote:
> I don't understand. Users already have custody of their own keys. The
> only thing that Keystone/Nova has is the public key fingerprint
[1], not
> the private key...
You actually have the public key, not just the fingerprin
> > I don't understand. Users already have custody of their own keys. The
> > only thing that Keystone/Nova has is the public key fingerprint [1], not
> > the private key...
>
> You actually have the public key, not just the fingerprint, but indeed
> I do not see why Barbican should be involved h
On 07/02/2013 10:56 AM, Simo Sorce wrote:
If 'access credentials' remain buried (as in they can never be
retrieved) in Keystone (or whatever IdM service it bridges to) then it
is probably the right place as it performs authentication anyway and
needs direct access to these credentials interna
On Tue, 2013-07-02 at 10:07 -0400, Jay Pipes wrote:
> On 07/02/2013 09:49 AM, Jarret Raim wrote:
> > I've spent some time thinking about how Barbican (Key Management) can help
> > in this workflow.
> >
> > We will have the ability to generate SSH keys (and a host of other key &
> > certificate type
On Monday, July 1, 2013, Jamie Lennox wrote:
> On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
> > Hi folks
> >
> > I'm interested in it too.
> > I'm working on VPN support for Neutron.
> > Public key authentication is one of feature milestone in the IPsec
> > implementation.
> > But I believ
On 07/02/2013 09:49 AM, Jarret Raim wrote:
I've spent some time thinking about how Barbican (Key Management) can help
in this workflow.
We will have the ability to generate SSH keys (and a host of other key &
certificate types). This is backed by cryptographically sound code and
we've spent some
I've spent some time thinking about how Barbican (Key Management) can help
in this workflow.
We will have the ability to generate SSH keys (and a host of other key &
certificate types). This is backed by cryptographically sound code and
we've spent some time figuring out the entropy problem and HS
On 07/02/2013 08:26 AM, Simo Sorce wrote:
On Mon, 2013-07-01 at 21:03 -0400, Jay Pipes wrote:
On 07/01/2013 07:49 PM, Jamie Lennox wrote:
On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
Hi folks
I'm interested in it too.
I'm working on VPN support for Neutron.
Public key authentication i
On Mon, 2013-07-01 at 21:03 -0400, Jay Pipes wrote:
> On 07/01/2013 07:49 PM, Jamie Lennox wrote:
> > On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
> >> Hi folks
> >>
> >> I'm interested in it too.
> >> I'm working on VPN support for Neutron.
> >> Public key authentication is one of feature
> -Original Message-
> From: Jay Pipes [mailto:jaypi...@gmail.com]
> Sent: 02 July 2013 02:04
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] Move keypair management out of Nova and into
> Keystone?
>
> On 07/01/2013 07:49 PM, Jamie Lennox wr
On 07/01/2013 07:49 PM, Jamie Lennox wrote:
On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
Hi folks
I'm interested in it too.
I'm working on VPN support for Neutron.
Public key authentication is one of feature milestone in the IPsec
implementation.
But I believe key-pair management api an
Hi Jamie
Thanks for sharing Keystone's v3 credential api.
( I didn't know this..)
Neutron VPN can use this api ! :)
Best
Nachi
2013/7/1 Jamie Lennox :
> On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
>> Hi folks
>>
>> I'm interested in it too.
>> I'm working on VPN support for Neutron.
>>
On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
> Hi folks
>
> I'm interested in it too.
> I'm working on VPN support for Neutron.
> Public key authentication is one of feature milestone in the IPsec
> implementation.
> But I believe key-pair management api and the implementation will be
> qu
Hi folks
I'm interested in it too.
I'm working on VPN support for Neutron.
Public key authentication is one of feature milestone in the IPsec
implementation.
But I believe key-pair management api and the implementation will be
quite similar in Key for IPsec and Nova.
so I'm +1 for moving key mana
Russell Bryant wrote:
> On 07/01/2013 01:10 PM, Jay Pipes wrote:
>> On 07/01/2013 12:23 PM, Mauro S M Rodrigues wrote:
>>> +1.. make sense to me, I always thought that was weird hehe
>>> Say the word and we will remove it from v3.
>>
>> Well, it's not weird, per-se... I mean I understand why it is
On 07/01/2013 01:10 PM, Jay Pipes wrote:
> On 07/01/2013 12:23 PM, Mauro S M Rodrigues wrote:
>> +1.. make sense to me, I always thought that was weird hehe
>> Say the word and we will remove it from v3.
>
> Well, it's not weird, per-se... I mean I understand why it is the way it
> is. Nova, of co
yes, of course...
On 07/01/2013 02:07 PM, Joe Gordon wrote:
We should not remove it from the v3 API until we know this will be
supported by keystone in Havana.
best,
Joe
sent on the go
On Jul 1, 2013 6:25 PM, "Mauro S M Rodrigues"
wrote:
+1.. make
On 07/01/2013 12:23 PM, Mauro S M Rodrigues wrote:
+1.. make sense to me, I always thought that was weird hehe
Say the word and we will remove it from v3.
Well, it's not weird, per-se... I mean I understand why it is the way it
is. Nova, of course, preceded Keystone.
But, it sounds like this
We should not remove it from the v3 API until we know this will be
supported by keystone in Havana.
best,
Joe
sent on the go
On Jul 1, 2013 6:25 PM, "Mauro S M Rodrigues"
wrote:
> +1.. make sense to me, I always thought that was weird hehe
> Say the word and we will remove it from v3.
>
> On 07
+1.. make sense to me, I always thought that was weird hehe
Say the word and we will remove it from v3.
On 07/01/2013 01:02 PM, Russell Bryant wrote:
On 07/01/2013 11:47 AM, Jay Pipes wrote:
Recently a colleague asked me whether their key pair from one of our
deployment zones would be usable in
On 07/01/2013 09:02 AM, Russell Bryant wrote:
> On 07/01/2013 11:47 AM, Jay Pipes wrote:
>> Recently a colleague asked me whether their key pair from one of our
>> deployment zones would be usable in another deployment zone. His
>> identity credentials are shared between the two zones (we use a s
On 07/01/2013 11:47 AM, Jay Pipes wrote:
> Recently a colleague asked me whether their key pair from one of our
> deployment zones would be usable in another deployment zone. His
> identity credentials are shared between the two zones (we use a shared
> identity database) and was wondering if the k
Recently a colleague asked me whether their key pair from one of our
deployment zones would be usable in another deployment zone. His
identity credentials are shared between the two zones (we use a shared
identity database) and was wondering if the key pairs were also shared.
I responded that