On 03/17/2015 03:30 AM, David Chadwick wrote:
Encryption per se does not decrease token size, the best it can do is
keep the token size the same size. So using Fernet tokens will not on
its own alter the token size.

Fernet is striking a balance. It is encrypting a subset of the data, not the whole payload of the PKI tokens. They are under 500 bytes, with a target of getting them under 255 bytes. Only Federation tokens should be larger than 255 bytes.

  Reducing the size must come from putting
less information in the token. If the token recipient has to always go
back to Keystone to get the token validated, then all the token needs to
be is a large random number that Keystone can look up in its database to
retrieve the user's permissions. In this case no encryption is needed at
all.

The Fernet goal is to remove that database. Instead, the data associated with the token will be assembled at verification time from the small subset in the Fernet token body and the data stored in the Keystone server.



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
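
The design described in the reply above (a small encrypted token body, no token table, the rest rebuilt at verification time), as an added example that is not part of the original thread and is not Keystone's code. It uses the `cryptography` package's Fernet; the payload layout (two UUIDs and an expiry packed with `struct`), `ROLE_ASSIGNMENTS` and the function names are assumptions made for illustration.

```python
import struct
import time
import uuid

from cryptography.fernet import Fernet, InvalidToken

# Constructed server-side state: role assignments stay in the server's own
# store and are never copied into the token (names and layout are assumptions).
USER = uuid.UUID("11111111-2222-3333-4444-555555555555")
PROJECT = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ROLE_ASSIGNMENTS = {(USER, PROJECT): ["member"]}

# Hypothetical token body: user id, project id, expiry in epoch seconds (36 bytes).
PAYLOAD = struct.Struct(">16s16sI")


def issue_token(key, user, project, ttl=3600, now=None):
    """Encrypt only identifiers and expiry; nothing is written to a token table."""
    now = int(time.time()) if now is None else now
    body = PAYLOAD.pack(user.bytes, project.bytes, now + ttl)
    return Fernet(key).encrypt(body)


def validate_token(key, token, now=None):
    """Authenticate and decrypt the body, then rebuild the context from server data."""
    now = int(time.time()) if now is None else now
    try:
        body = Fernet(key).decrypt(token)
        user_b, project_b, expires = PAYLOAD.unpack(body)
    except (InvalidToken, struct.error):
        return None  # forged, tampered with, wrong key, or unexpected layout
    if expires <= now:
        return None
    user, project = uuid.UUID(bytes=user_b), uuid.UUID(bytes=project_b)
    roles = ROLE_ASSIGNMENTS.get((user, project))
    if not roles:
        return None  # assignment removed since the token was issued
    return {"user": str(user), "project": str(project),
            "roles": list(roles), "expires": expires}


if __name__ == "__main__":
    key = Fernet.generate_key()
    tok = issue_token(key, USER, PROJECT)
    print(len(tok), validate_token(key, tok))
```

Because roles are looked up at validation time, removing an assignment on the server invalidates outstanding tokens for it without any per-token record.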