On 07/02/2013 11:12 AM, Bryan D. Payne wrote:

     > I don't understand. Users already have custody of their own keys. The
     > only thing that Keystone/Nova has is the public key fingerprint [1], not
     > the private key...

    You actually have the public key, not just the fingerprint, but indeed
    I do not see why barbican should be involved here.  A public key does not
    need the same level of protection as a private key or a symmetric
    encryption key, so by storing this data in barbican we would only
    needlessly expose barbican to more access patterns and more
    logging/auditing volume than is needed.


I believe you're confusing a couple of points here.  In this case, for
public keys, what matters is integrity.  For the other cases that you
mentioned, both integrity and confidentiality matter.  I believe that
given the high integrity requirements that it *does* make sense to store
these in a more protected location.

+1 for using Barbican

-bryan

Simo just got finished saying Barbican was *not* the correct place to put this information...

-jay
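Bryan's point that a public key needs integrity protection rather than confidentiality can be made concrete with the fingerprint Nova records. The Python below is an added example, not code from the thread, from Nova or from Barbican. It builds an OpenSSH-format RSA public key line from constructed values (the modulus is a stand-in number, not a real key), computes the legacy MD5 colon-style fingerprint and the SHA256 fingerprint, and shows a store-side integrity check that detects a modified key by comparing against the fingerprint on record.

```python
import base64
import hashlib
import hmac
import struct

# --- OpenSSH wire encoding helpers (RFC 4251 "string" and "mpint") ---

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """Positive multiple-precision integer: big-endian, with a leading
    0x00 byte when the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)

def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Assemble an authorized_keys-style 'ssh-rsa <base64> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line

def _key_blob(pubkey_line: str) -> bytes:
    """Extract and decode the base64 key blob from a public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return base64.b64decode(fields[1], validate=True)

def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the 'ssh-keygen -l' style
    that Nova recorded at the time of this thread."""
    digest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_sha256(pubkey_line: str) -> str:
    """Modern 'SHA256:<unpadded base64>' fingerprint."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def verify_integrity(pubkey_line: str, stored_fingerprint: str) -> bool:
    """Integrity check: recompute the fingerprint of the key as it is about
    to be used and compare it, in constant time, with the one on record."""
    if stored_fingerprint.startswith("SHA256:"):
        actual = fingerprint_sha256(pubkey_line)
    else:
        actual = fingerprint_md5(pubkey_line)
    return hmac.compare_digest(actual, stored_fingerprint)

# Constructed demo values: e is the usual 65537; n is NOT a real RSA modulus,
# just a 2048-bit number standing in for one.
DEMO_E = 65537
DEMO_N = (1 << 2047) + 0xC0FFEE
DEMO_KEY = build_rsa_public_key_line(DEMO_E, DEMO_N, "demo@example")
STORED_FP = fingerprint_md5(DEMO_KEY)   # what the key store has on record

def tampered_key() -> str:
    """The same line with one bit of the modulus flipped, simulating a
    corrupted or substituted key that the integrity check must reject."""
    return build_rsa_public_key_line(DEMO_E, DEMO_N ^ 1, "demo@example")

if __name__ == "__main__":
    print(DEMO_KEY)
    print("MD5     ", STORED_FP)
    print("SHA256  ", fingerprint_sha256(DEMO_KEY))
    print("intact   ->", verify_integrity(DEMO_KEY, STORED_FP))
    print("tampered ->", verify_integrity(tampered_key(), STORED_FP))
```

The fingerprint is a public value, so the store holding it gains nothing from confidentiality controls; what protects the user is that the fingerprint cannot be changed silently, which is the integrity requirement Bryan is arguing about.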




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev