Secure, Ephemeral PKI with the Anchor Project

Ephemeral PKI, first introduced during a highly successful talk presented last year in Paris, is a novel solution to the difficult problem of TLS certificate management at scale. With the pain caused by highly publicised TLS security flaws such as Heartbleed and POODLE still fresh in the minds of many, and with the growing uptake of TLS to secure more and more cloud infrastructure, this challenging problem has never been more relevant. Anchor is the open source project that evolved from HP's own internal implementation of a stateless ephemeral CA. Designed to operate with high availability and at the scale of large cloud deployments, it neatly sidesteps the certificate revocation issues that plague most OpenStack deployments. This presentation will consist of three parts. First, we will examine the core concepts of ephemeral PKI and its advantages over traditional approaches to certificate management. Secondly, we'll present the Anchor project itself, discussing its technical design and implementation, as well as a roadmap for its future development. Finally, to cement the usefulness of this approach, we will present a dogfooding section that details how Anchor and ephemeral PKI are deployed today within HP's Helion cloud products.

Speakers: Doug Chivers, Tim Kelsey, Tom Cammann