On Tue, Apr 29, 2014 at 12:58 PM, Nachi Ueno <na...@ntti3.com> wrote: > Hi Kyle > > 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>: >> On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <na...@ntti3.com> wrote: >>> Hi Zang >>> >>> Thank you for your contribution on this! >>> The private key management is what I want to discuss in the summit. >>> >> Has the idea of using Barbican been discussed before? There are many >> reasons why using Barbican for this may be better than developing key >> management ourselves. > > No, however I'm +1 for using Barbican. Let's discuss this in > certificate management topic in advanced service session. > Agreed, this will be good to nail down in Atlanta in a few weeks.
>> Thanks, >> Kyle >> >>> [1] We are depending DB security, anyway >>> When we get stolen the private key in the DB, it means we are also >>> stolen ID/PW for DB. >>> If we stolen the key, even if we keep the private key secret, the >>> attacker can connect the NW for anywhere. >>> >>> [2] How we manage a passcode for encrypting private key? >>> so even if openvpn supports encripted keys, when we input the passcode? >>> Vpn process will be launched automatically by neutron-server, so we >>> need to store it in the memory. >>> This is same security with plain private key. >>> For example, most of apache servers using plain private key, I guess. >>> >>> so the security of ssl-vpn impl depends on db, rpc trasport, file >>> system security even if we encrypt the private key or not. >>> may be, we have better way, but I think current design isn't so bad to >>> prevent get merged. >>> >>> Best >>> Nachi >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> 2014-04-28 23:02 GMT-07:00 Zang MingJie <zealot0...@gmail.com>: >>>> Hi all: >>>> >>>> Currently I'm working on ssl vpn, based on patchsets by Nachi[1] and >>>> Rajesh[2] >>>> >>>> There are secure issues pointed by mark, that ssl private keys are >>>> stored plain in database and in config files of vpn-agents. As >>>> Barbican is incubated, we can store certs and their private keys in >>>> Barbican. But after checking openvpn configurations, I don't think >>>> there is any way to prevent storing private key in openvpn config >>>> files without modify the openvpn implementation. >>>> >>>> I have also made several changes, added a optional port field to >>>> sslvpn-connection table, integrated with service plugin framework >>>> (I'll follow service flavor framework when it is ready), and completed >>>> the neutronclient part. It is already developed in our testing >>>> environment, I'll upload my patch sooner or later. >>>> >>>> [1] https://review.openstack.org/#/c/58897/ >>>> [2] https://review.openstack.org/#/c/70274/ >>>> >>>> _______________________________________________ >>>> OpenStack-dev mailing list >>>> OpenStack-dev@lists.openstack.org >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> _______________________________________________ >>> OpenStack-dev mailing list >>> OpenStack-dev@lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> _______________________________________________ >> OpenStack-dev mailing list >> OpenStack-dev@lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
