On 18/06/2013, at 1:18 AM, Adam Young wrote:
> On 06/17/2013 12:27 AM, Sam Morrison wrote:
>> I'm currently looking into Grizzly and have been having some issues getting
>> PKI tokens to work.
>>
>> If I have memcache as the token backend keystone issues uuid based tokens,
>> if I have sql as
On 06/17/2013 12:27 AM, Sam Morrison wrote:
I'm currently looking into Grizzly and have been having some issues getting PKI
tokens to work.
If I have memcache as the token backend keystone issues uuid based tokens, if I
have sql as the backend then it issues PKI tokens.
Does this mean you can
I'm currently looking into Grizzly and have been having some issues getting PKI
tokens to work.
If I have memcache as the token backend keystone issues uuid based tokens, if I
have sql as the backend then it issues PKI tokens.
Does this mean you can't use memcache backend if you want to use PKI
On 09/04/2012 09:36 AM, boden wrote:
Hi,
I'm trying to better understand the current status of PKI
(http://wiki.openstack.org/PKI) and delegated authZ from a folsom
perspective. I can see the blueprint targets folsom-rc1, is marked as
implemented (https://blueprints.launchpad.net/keystone/+spec/
Hi,
I'm trying to better understand the current status of PKI
(http://wiki.openstack.org/PKI) and delegated authZ from a folsom
perspective. I can see the blueprint targets folsom-rc1, is marked as
implemented (https://blueprints.launchpad.net/keystone/+spec/pki) and
I've browsed some of the relat
Hi Adam,
The blueprint as revised to address Joe's comments looks good to me - nice
work. I especially like how the middleware is intended to cache the revocation
list for a configurable amount of time - it mirrors how token caching already
works.
Cheers,
Maru
On 2012-08-07, at 10:09 AM, A
On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone
without support for token revocation. I tried to raise this issue on
the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
https://review.opens
On 08/02/2012 10:54 PM, Nathanael Burton wrote:
Adam,
I haven't yet had a chance to review how the new PKI signed tokens is
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.
Yes, I don't really have new idea here, jus
Adam,
I haven't yet had a chance to review how the new PKI signed tokens is
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.
Nate
On Aug 2, 2012 10:24 PM, "Adam Young" wrote:
> On 08/01/2012 11:05 PM, Maru Newby wrote:
>
Hi Adam,
I apologize if I came across as disrespectful. I was becoming frustrated that
what I perceived as a valid concern was seemingly being ignored, but I
recognize that there is no excuse for addressing you in a manner that I would
not myself wish to be treated. I will do better going for
Hi Adam,
I was thinking along the same lines - the revocation list could be accessed via
a simple url. It wouldn't even have to be hosted by Keystone, necessarily.
For larger clusters where performance might become an issue, what about
generating to a static file as needed that is made availa
On 08/01/2012 11:05 PM, Maru Newby wrote:
Hi Adam,
I apologize if my questions were answered before. I wasn't aware that
what I perceive as a very serious security concern was openly
discussed. The arguments against revocation support, as you've
described them, seem to be:
- it's complic
: openstack-bounces+jason.rouault=hp@lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On
Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: (openstack@lists.launchpad.net)
Subject: [Openstack] Keystone: 'PKI Signed Tokens' lack support for
On 08/02/2012 01:56 AM, Joseph Heck wrote:
Hey Maru,
I think you're putting too many words in Adam's mouth here. First,
Adam didn't assert it wasn't valuable, useful, or necessary - simply
that it wasn't in the first cut and not in the list that we agreed was
critically essential to an initial i
Hey Maru,
I think you're putting too many words in Adam's mouth here. First, Adam didn't
assert it wasn't valuable, useful, or necessary - simply that it wasn't in the
first cut and not in the list that we agreed was critically essential to an
initial implementation. As you noted, it's a complex an
Hi Adam,
I apologize if my questions were answered before. I wasn't aware that what I
perceive as a very serious security concern was openly discussed. The
arguments against revocation support, as you've described them, seem to be:
- it's complicated/messy/expensive to implement and/or execu
On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone
without support for token revocation. I tried to raise this issue on
the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
https://review.opens
I see that support for PKI Signed Tokens has been added to Keystone without
support for token revocation. I tried to raise this issue on the bug report:
https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
And the review:
https://review.openstack.org/#/c/7754/
I'm curious as to whether
bject:* Re: [Openstack] [Keystone] PKI
Well, the PKI pieces are the same regardless of the CA and certificate
issuing pieces. All we will need to do is to use a signing key to
sign a document. So EJBCA or Dogtag will work equally as well. If
people already have a CA infrastructure, they shou
-bounces+tim.bell=cern...@lists.launchpad.net] On Behalf Of
Adam Young
Sent: 16 May 2012 03:10
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone] PKI
Well, the PKI pieces are the same regardless of the CA and certificate
issuing pieces. All we will need to do is to use a signing
Hi Adam,
Can you please clarify the following in PKI blueprint?
1) Do you assume that roles won't be changed after getToken and before
validateToken?
What is keystone private key? Do you mean user private key?
1) Why do we need to store users client cert in keystone system? BTW what
do y
Well, the PKI pieces are the same regardless of the CA and certificate
issuing pieces. All we will need to do is to use a signing key to sign
a document. So EJBCA or Dogtag will work equally as well. If people
already have a CA infrastructure, they should be able to leverage that, too.
On
If you're open to leveraging other OSS projects,
http://www.ejbca.org/architecture.html is a great one to look at, assuming
you need a PKI implementation available.
I believe it is at least worth a look.
On Tue, May 15, 2012 at 1:30 PM, Razique Mahroua
wrote:
> great topic :)
>
>
> Joseph Heck
great topic :)
Joseph Heck
15 May 2012 21:06
Coming out of the Keystone
meeting from today
(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
I thought it worth mentioning that Adam Young has been doing some
tremendous lifti
Coming out of the Keystone meeting from today
(http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html),
I thought it worth mentioning that Adam Young has been doing some tremendous
lifting in terms of looking at adding in PKI support to Keystone. T
I'd like to pick up the conversation from the PKI auth session today and
hold an unconference session tomorrow (04/17) at 1130PDT. I believe Adam
Young would like to participate remotely, maybe we can figure out Google
Hangouts or something.
Thanks,
Nate