On Tue, Jul 2, 2013 at 8:12 AM, Bryan D. Payne <bdpa...@acm.org> wrote:
> > > I don't understand. Users already have custody of their own keys. The
> > > only thing that Keystone/Nova has is the public key fingerprint [1], not
> > > the private key...
> >
> > You actually have the public key, not just the fingerprint, but indeed
> > I do not see why barbican should be involved here. A public key does not
> > need the same level of protection as a private key or a symmetric
> > encryption key, so by storing this data in barbican we would only
> > needlessly expose barbican to more access patterns and more
> > logging/auditing volume than is needed.
>
> I believe you're confusing a couple of points here. In this case, for
> public keys, what matters is integrity. For the other cases that you
> mentioned, both integrity and confidentiality matter. I believe that given
> the high integrity requirements that it *does* make sense to store these in
> a more protected location.
>
> +1 for using Barbican

This would make Barbican a required service for running Nova. Keystone is
already required and it has the necessary functionality.

- Ryan
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev