The revocation list is signed by the PKI certificates for some reason. The revocation list is used for UUID tokens in addition to PKI tokens.
This fix is making it so that the revocation list is not signed by the PKI certificates.

** Changed in: keystone
       Status: Won't Fix => In Progress

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1317302

Title:
  pki_setup shouldn't be required to check revocations

Status in OpenStack Identity (keystone):
  In Progress
Status in keystonemiddleware:
  In Progress

Bug description:
  With the fix for bug 1312858, auth_token can validate UUID tokens or
  hashed PKI tokens against the revocation list. But in order to use this
  in a setting where only UUID tokens are being used, the server still
  needs to have pki_setup run. We should be able to check UUID tokens
  against the revocation list even when pki_setup hasn't been done.

  The reason pki_setup has to be done is that the revocation list is
  signed using CMS. The auth_token middleware only accepts the signed
  format for the revocation list.

  The proposed solution is to change the auth_token middleware to also
  accept a revocation list that's not signed. If it's not signed, then the
  PKI certificates aren't required. The keystone server will be changed to
  allow configuring it such that the revocation list will be sent as an
  unencrypted JSON object that the auth_token middleware can now accept.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1317302/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
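Editor's note, added after the message above: the proposal describes a middleware that accepts the revocation list in two forms, CMS-signed (needs the pki_setup certificates) and plain JSON (needs none). The Python below is an added illustration of that dual-format check; it is not code from keystone or keystonemiddleware and not part of the bug report. Everything beyond what the report states is an assumption: the list shape `{"revoked": [{"id": ..., "expires": ...}]}`, MD5 as the hash under which PKI tokens appear in the list while UUID tokens appear verbatim, the `MII` prefix as the marker of a PKI token, and the `openssl cms -verify` flags. Two practitioner points it encodes: a signed list arriving where no certificates are configured must fail closed rather than be skipped, and once the list is served unsigned its integrity rests entirely on the TLS channel it is fetched over.

```python
"""Revocation-list check that works with or without pki_setup.

Added example, not code from keystone or keystonemiddleware.  Assumed, not
stated in the bug report: the list shape {"revoked": [{"id", "expires"}]},
MD5 as the hash under which PKI tokens appear in the list, the "MII" prefix
that marks a CMS/PKI token, and the openssl(1) flags used for CMS verification.
"""
import hashlib
import json
import subprocess
import tempfile

CMS_PEM_HEADER = "-----BEGIN CMS-----"


def cms_verify(signed_pem, signing_cert, ca_cert):
    """Verify a PEM-encoded CMS blob with openssl and return its payload.

    This is the only path that needs the certificates produced by pki_setup.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write(signed_pem)
        f.flush()
        result = subprocess.run(
            ["openssl", "cms", "-verify", "-inform", "PEM", "-in", f.name,
             "-certfile", signing_cert, "-CAfile", ca_cert,
             "-nosmimecap", "-nodetach", "-nocerts", "-noattr"],
            capture_output=True, text=True, check=True)
    return result.stdout


def load_revocation_list(body, signing_cert=None, ca_cert=None):
    """Return the set of revoked token IDs from either list format.

    A CMS-signed list is verified first and fails closed if no certificates
    are configured; a plain JSON list is accepted as-is, so its integrity
    then rests entirely on the TLS channel it was fetched over.
    """
    if body.lstrip().startswith(CMS_PEM_HEADER):
        if not (signing_cert and ca_cert):
            raise ValueError(
                "signed revocation list received but PKI certificates are "
                "not configured; run pki_setup or serve the unsigned list")
        body = cms_verify(body, signing_cert, ca_cert)
    data = json.loads(body)
    return {entry["id"] for entry in data["revoked"]}


def is_pki_token(token_id):
    """Assumed marker: PKI tokens are base64 DER starting with 'MII';
    UUID tokens are 32 hex characters and never carry that prefix."""
    return token_id.startswith("MII")


def is_revoked(token_id, revoked_ids):
    """UUID tokens appear in the list verbatim, PKI tokens as their MD5 hash
    (assumed hash; the bug report only says 'hashed PKI tokens')."""
    if is_pki_token(token_id):
        token_id = hashlib.md5(token_id.encode("ascii")).hexdigest()
    return token_id in revoked_ids


# Constructed sample data: one UUID token and one fake PKI-shaped token.
SAMPLE_UUID_TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLE_PKI_TOKEN = "MIIBconstructedNotARealCmsToken=="
SAMPLE_UNSIGNED_LIST = json.dumps({"revoked": [
    {"id": SAMPLE_UUID_TOKEN, "expires": "2014-05-08T12:00:00Z"},
    {"id": hashlib.md5(SAMPLE_PKI_TOKEN.encode("ascii")).hexdigest(),
     "expires": "2014-05-08T12:00:00Z"},
]})


if __name__ == "__main__":
    # The unsigned form: no certificates, no pki_setup required.
    revoked = load_revocation_list(SAMPLE_UNSIGNED_LIST)
    print(is_revoked(SAMPLE_UUID_TOKEN, revoked))                   # True
    print(is_revoked(SAMPLE_PKI_TOKEN, revoked))                    # True
    print(is_revoked("ffffffffffffffffffffffffffffffff", revoked))  # False
```

Run as-is it exercises only the unsigned path; the `cms_verify` branch needs an `openssl` binary plus the signing and CA certificate files a pki_setup run produces, and is reached only when the body begins with a CMS PEM header.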