A Certificate Authority signs other certificates. A signing certificate signs documents. There is a big difference. With this week’s discussion of the Flame malware and the mechanism used to sign it, I think it is important to point out why we are not using an X.509 certificate as the signed token in Keystone.
Category Archives: Software
Token Signing with OpenSSL
While Fedora has standardised on NSS for security services, a large swath of the world uses OpenSSL. Here are roughly comparable steps to sign a message with OpenSSL as I previously posted using NSS.
Signed Authentication and Authorization
Openstack Keystone currently relies on online validation of tokens. Once a token is issued, each system presented with the token has to check its validity with the Keystone server. This makes Keystone the highest-traffic service in an Openstack deployment. Using Cryptographic Message Syntax (CMS) we can generate a token that can be verified with public key cryptography instead of a network call. Here’s a proof-of-concept example using the command line tools.
Generating a Signing Cert using certutil
Imagine a locked room with a big window. If I am the only person with a key to the room, and I tape a poster up inside the window, everyone can read it, and everyone can state with a pretty high degree of certainty that I was the person who put up the poster. This is analogous to how you can use PKI to sign a document.
The Path to Kerberos over Port 443
While Kerberos’ reputation as a Single Sign On solution is quite strong, its adoption outside the corporate VPN has been limited. One reason is that many hosting providers block port 88 traffic in their firewalls. What would it take to make Kerberos a viable solution in a web-only constrained situation?
My Openstack Tasks
Now that Folsom development has started in earnest, I figured I’d follow Russell’s example and write down a bit of my plan for work in the next couple of months.
Array of Parameter Names in Java
My last post suggested an extension to the Java language that I think will be quite helpful. Until such a feature exists, we can fake it by using annotations.
Parameter Names in Java
There is a very small feature that could be added to Java in order to improve it significantly: Add names to the Parameter object in the Reflection API.
Openstack Keystone in HTTPD
After calling for Keystone to migrate to HTTPD, several people asked me if I would show how this can be done. Here are the steps.
Client Certificates with mod_nss
Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.