Comment 2 for bug 1901891

Jeremy Stanley (fungi) wrote :

Breaking down the list of issues here with proposed report classifications:

1. (D/security hardening) request to implement secret strength requirements for app credentials

2. (D/security hardening) request to implement brute-force mitigation via lockout for app credentials

3. (C1/impractical) app credentials are truncated to 72 characters prior to comparison

[ report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy ]

For #1 and #2 I'm assuming the Keystone docs don't claim application credentials provide these protections currently, and so they're effectively security-related feature requests. #3 could be construed as a defect worthy of a CVE assignment, but as vulnerabilities go it's fairly impractical to exploit as you note, so I don't think we need to issue any advisory for it. Also it doesn't seem to me that any of these items need to be discussed in private under embargo, so we could switch this bug to public. Does anyone strongly disagree with the above assessment?
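To make item #3 concrete for readers of this bug, here is an added illustration that is not part of the comment above and not Keystone's code: a hypothetical comparator that cuts both sides of an application-credential secret to 72 characters before comparing (`truncating_compare`), next to a hardened version that compares the full secret and rejects over-length secrets at creation time (`validate_secret_length`, `safe_compare`). The function names and the sample secrets are constructed for the example; the 72-character figure is the one named in the report.

```python
import hmac

# Character limit named in the bug report for application-credential secrets.
TRUNCATION_LIMIT = 72


def truncating_compare(stored: str, supplied: str) -> bool:
    """Hypothetical flawed comparator illustrating item #3.

    Both sides are cut to TRUNCATION_LIMIT characters before comparison, so any
    two secrets that agree on their first 72 characters are treated as equal,
    and characters beyond the limit contribute no security at all.
    """
    left = stored[:TRUNCATION_LIMIT].encode("utf-8")
    right = supplied[:TRUNCATION_LIMIT].encode("utf-8")
    return hmac.compare_digest(left, right)


def validate_secret_length(secret: str) -> None:
    """Creation-time check: refuse a secret the comparator cannot use in full.

    Raising here is preferable to silently truncating, because the caller
    otherwise believes the extra characters add entropy when they do not.
    """
    if len(secret.encode("utf-8")) > TRUNCATION_LIMIT:
        raise ValueError(
            f"secret exceeds {TRUNCATION_LIMIT} bytes and would be silently truncated"
        )


def safe_compare(stored: str, supplied: str) -> bool:
    """Hardened comparator: compare the whole secret in constant time."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def demonstrate() -> dict:
    """Two constructed secrets that share their first 72 characters but differ after it."""
    shared_prefix = "x" * TRUNCATION_LIMIT
    secret_a = shared_prefix + "-suffix-one"
    secret_b = shared_prefix + "-suffix-two"
    return {
        "flawed_comparator_equal": truncating_compare(secret_a, secret_b),
        "safe_comparator_equal": safe_compare(secret_a, secret_b),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point of the check in `validate_secret_length` is that a length limit which exists only inside the comparison routine is invisible to whoever generates the secret; surfacing it as a rejection at creation keeps the effective strength of the credential equal to its apparent strength.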