Hi Seth

Some feedback on your review

1) Barbican without an HSM

We'd come to the same conclusion that you did - Barbican without an HSM
is really not secure, and the built-in crypto or softhsm options are
really POC/dev use only.

From a deployment perspective, we have charms for barbican +
barbican-softhsm, but that's just to allow us to perform CI on the charms
without reliance on an actual HSM.

Any production use *requires* use of an HSM (for which we will write
barbican-<inserthsm> charms).

2) Use Cases

Barbican could be used by tenants of a cloud directly, but I think it's
much more likely that it will be consumed by other OpenStack services
for secrets management - specific examples would include SSL termination
in Neutron LBAAS, encryption of block devices in Cinder, encryption of
data-at-rest in Swift; barbican is used for the key management aspects
of these integrations.

3) Compatibility

Barbican is part of the integrated release with milestones part of
OpenStack, so even if changes do happen, they are happening in the
greater OpenStack context, so inter-service compatibility should be
maintained.  Barbican is relatively new (only approaching its 3rd
release now), so I would expect some changes - but that's been typical
of OpenStack projects.  We also have another 4 releases before we have
to worry about LTS support cycles - we can review again at 18.04 if
we're still good with the decision to have Barbican in main.

https://bugs.launchpad.net/bugs/1543754

Title:
  [MIR] barbican, python-pykmip
