
PKI-Revoke

Revision as of 15:40, 6 August 2012 by Admiyo (talk)

Changes to support revocation of PKI tokens

1. Revoked tokens must be recorded, not merely removed from the token backend.

2. The Keystone server exposes a list of revoked tokens at a URL. A service such as Glance or Nova can then query the revocation list on a simple schedule; the timeout between fetches would be configurable, of course. The list will be exposed as a signed CMS document, just like the tokens, so that the revocations can be verified.

3. Once revoked, a token cannot be unrevoked.

4. If a token authentication request comes in to the auth_token middleware and the service does not have a recent revocation list, the list is fetched from Keystone. If the Keystone server cannot be reached, authentication will fail. A future enhancement: wait a random amount of time and then re-query the Keystone server.

5. In the future, I would like to make the set of Keystone servers a configurable list, and the policy for revocation checking should be able to vary per server: in a federated approach, some Keystone servers might not be accessible. In those cases, it might be necessary for one Keystone server to proxy the revocation list for another server.
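The following is an added worked example (not code from the Keystone project) of the design described in points 1 to 4: the server side records revocations permanently and publishes a signed list, and the middleware side caches that list for a configurable timeout, re-fetches when it is stale, and fails closed when the server is unreachable or the signature does not verify. The CMS signature is stood in for by an HMAC over the serialised list with a shared key; the class names, the `SIGNING_KEY` and the token ids are constructed for this example and are assumptions, not Keystone identifiers.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Set

# Constructed stand-in for the CMS signing material the page describes.
# Real Keystone signs the list with its signing certificate; an HMAC with a
# shared key keeps this example self-contained.
SIGNING_KEY = b"example-signing-key"


class KeystoneServer:
    """Model of the Keystone side (points 1 to 3): revocations are recorded,
    never reversed, and published as a signed document."""

    def __init__(self) -> None:
        self._revoked: Dict[str, float] = {}  # token id -> time of revocation

    def revoke(self, token_id: str) -> None:
        # Point 1: record the revocation rather than merely deleting the token.
        self._revoked.setdefault(token_id, time.time())

    def unrevoke(self, token_id: str) -> None:
        # Point 3: there is deliberately no way to undo a revocation.
        raise PermissionError("revocations are permanent")

    def revocation_list(self) -> dict:
        """The signed document a service would fetch from the revocation URL."""
        body = json.dumps(
            {"revoked": [{"id": tid, "revoked_at": ts}
                         for tid, ts in sorted(self._revoked.items())]},
            sort_keys=True)
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}


class RevocationChecker:
    """Model of the auth_token middleware side (point 4): caches the list for
    `timeout_seconds`, fetches when stale, and fails closed on any error."""

    def __init__(self, fetch: Callable[[], dict], timeout_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch            # callable that retrieves the signed list
        self._timeout = timeout_seconds
        self._clock = clock            # injectable for testing
        self._revoked: Optional[Set[str]] = None
        self._fetched_at: float = float("-inf")

    def _verify(self, doc: dict) -> Set[str]:
        # Reject a list whose signature does not match before trusting it.
        expected = hmac.new(SIGNING_KEY, doc["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, doc["signature"]):
            raise ValueError("revocation list signature invalid")
        return {entry["id"] for entry in json.loads(doc["body"])["revoked"]}

    def _refresh_if_stale(self) -> None:
        if (self._revoked is not None
                and self._clock() - self._fetched_at < self._timeout):
            return                     # cached copy is still recent enough
        doc = self._fetch()            # raises if Keystone cannot be reached
        self._revoked = self._verify(doc)
        self._fetched_at = self._clock()

    def is_valid(self, token_id: str) -> bool:
        """True if the token is not on a recent, verified revocation list."""
        try:
            self._refresh_if_stale()
        except Exception:
            return False               # fail closed: no list, no authentication
        return token_id not in self._revoked


if __name__ == "__main__":
    ks = KeystoneServer()
    checker = RevocationChecker(ks.revocation_list, timeout_seconds=60)
    print("tok-A before revoke:", checker.is_valid("tok-A"))
    ks.revoke("tok-A")
    print("tok-A within cache timeout:", checker.is_valid("tok-A"))
```

Within the timeout a freshly revoked token is still accepted, which is exactly the window the configurable refresh interval trades against load on Keystone; the example makes that window visible by injecting a clock.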