On 10/11/2015 06:50 PM, Robert Collins wrote:
On 9 October 2015 at 06:47, Adam Young <[email protected]> wrote:
On 10/08/2015 12:50 PM, Chivers, Doug wrote:
Hi All,

At a previous OpenStack Security Project IRC meeting, we briefly discussed
a lightweight traditional PKI using the Anchor validation functionality, for
use in internal deployments, as an alternative to things like MS ADCS. To
take this further, I have drafted a spec, which is in the security-specs
repo, and would appreciate feedback:

https://review.openstack.org/#/c/231955/

Regards

Doug
How is this better than Dogtag/FreeIPA?
DogTag is Tomcat, yeah? That's not exactly trivial to deploy - the spec
specifically calls out the desire to have a low-admin-overhead
solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
environment? I see that the dogtag-pki packages in Debian are up to
date - perhaps more discussion w/ops is needed?

Tomcat is trivial to deploy; it is in all the major distributions already. Dogtag is slightly more complex because it does things right WRT security hardening the Tomcat instance. But the process is automated as part of the Dogtag code base.

A better bet is using Dogtag as installed with FreeIPA. It is supported in both Debian based and RPM based distributions. The dev team is primarily Red Hat, with an Ubuntu packager dealing with the headaches of getting it installed there. There is someone working on SuSE already as well. FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.

We have a demo of Using Kerberos to authenticate and encrypt the messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all of the Web services. I'll be one of the people demoing it at the Red Hat booth at Tokyo if you want to see it and ask questions directly.

For self-signed certificates, we can use certmonger and the self-signed backend; we should be using Certmonger as the cert management client no matter what. There was a Certmonger-Barbican plugin underway, but I do not know the status of it.


Let's not reinvent this; the security and cryptography focused people on OpenStack are already spread thin. Let's focus on reusing pre-existing solutions.

-Rob
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev