Friday, 2015-07-31

*** nelsnelson has joined #openstack-barbican00:22
*** vivek-ebay has quit IRC01:24
*** dimtruck is now known as zz_dimtruck01:32
*** zz_dimtruck is now known as dimtruck01:48
*** alee has quit IRC02:06
*** alee_ has joined #openstack-barbican02:07
*** openstackgerrit has quit IRC02:31
*** openstackgerrit has joined #openstack-barbican02:32
*** rm_you| has quit IRC02:39
*** rm_you has joined #openstack-barbican02:40
*** rm_you has quit IRC02:40
*** rm_you has joined #openstack-barbican02:40
*** nelsnelson has quit IRC02:47
*** dimtruck is now known as zz_dimtruck03:08
*** h00327910__ has quit IRC03:28
*** SheenaG has joined #openstack-barbican03:40
*** SheenaG has quit IRC03:50
*** nkinder has quit IRC03:52
*** vivek-ebay has joined #openstack-barbican04:21
*** xaeth_afk is now known as xaeth04:24
*** xaeth is now known as xaeth_afk05:04
*** tkelsey has joined #openstack-barbican05:07
*** nickrmc83 has joined #openstack-barbican05:11
*** tkelsey has quit IRC05:12
*** nickrmc83 has quit IRC05:12
*** nickrmc83 has joined #openstack-barbican05:14
*** rm_work is now known as rm_work|away05:16
*** jaosorior has joined #openstack-barbican05:23
*** ig0r_ has joined #openstack-barbican05:25
*** Nirupama has joined #openstack-barbican05:32
*** kebray has joined #openstack-barbican05:47
*** shohel has joined #openstack-barbican05:51
*** ig0r__ has joined #openstack-barbican06:11
*** ig0r_ has quit IRC06:12
*** vivek-ebay has quit IRC06:46
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** kebray has quit IRC07:43
*** jaosorior has quit IRC07:44
*** jaosorior has joined #openstack-barbican07:47
openstackgerritMerged openstack/python-barbicanclient: Adding Documentation for running Functional Tests on the Python-Barbican Client
*** madhuri has quit IRC08:09
*** tkelsey has joined #openstack-barbican08:12
openstackgerritMerged openstack/python-barbicanclient: Remove unneeded dependency in tox.ini
*** shohel has quit IRC08:52
*** shohel has joined #openstack-barbican09:25
*** mmdurrant has quit IRC10:09
*** DTadrzak has quit IRC10:26
*** everjeje has joined #openstack-barbican10:46
*** nickrmc83 has quit IRC10:52
*** ig0r__ has quit IRC11:15
*** ig0r_ has joined #openstack-barbican11:19
*** mmdurrant has joined #openstack-barbican11:58
*** DTadrzak has joined #openstack-barbican12:00
*** peter-hamilton has joined #openstack-barbican12:05
*** kfarr has joined #openstack-barbican12:09
*** Nirupama has quit IRC12:28
*** SheenaG has joined #openstack-barbican12:33
*** kfarr1 has joined #openstack-barbican12:42
openstackgerritKaitlin Farr proposed openstack/castellan: Add managed objects hierarchy
*** kfarr has quit IRC12:46
*** kfarr1 has quit IRC12:46
openstackgerritKaitlin Farr proposed openstack/castellan: Add unit tests for managed objects
*** kfarr has joined #openstack-barbican13:02
*** zz_dimtruck is now known as dimtruck13:03
*** tzatti has joined #openstack-barbican13:14
alee_redrobot, ping13:28
alee_redrobot, still have a couple of specs awaiting review if we're trying to get them in this week.13:28
alee_jaosorior, jvrbanac , kfarr , chellygel ^^13:29
*** dimtruck is now known as zz_dimtruck13:34
*** zz_dimtruck is now known as dimtruck13:46
*** jaosorior has quit IRC13:54
*** spotz_zzz is now known as spotz14:01
*** pglass has joined #openstack-barbican14:09
*** nelsnelson has joined #openstack-barbican14:10
*** dimtruck is now known as zz_dimtruck14:14
*** tzatti has quit IRC14:15
*** tzatti has joined #openstack-barbican14:15
*** diazjf has joined #openstack-barbican14:18
*** h00327910__ has joined #openstack-barbican14:23
*** tzatti has quit IRC14:24
*** tzatti has joined #openstack-barbican14:25
*** nelsnelson has quit IRC14:30
*** nelsnelson has joined #openstack-barbican14:31
*** zz_dimtruck is now known as dimtruck14:32
*** Kevin_Bishop has joined #openstack-barbican14:45
openstackgerritKaitlin Farr proposed openstack/castellan: Add managed objects hierarchy
*** kfarr has quit IRC14:50
openstackgerritKaitlin Farr proposed openstack/castellan: Add unit tests for managed objects
*** vivek-ebay has joined #openstack-barbican14:55
*** chlong has quit IRC14:57
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation
*** vivek-ebay has quit IRC15:03
*** xaeth_afk is now known as xaeth15:06
*** kfarr has joined #openstack-barbican15:07
*** alee has joined #openstack-barbican15:09
*** chlong has joined #openstack-barbican15:11
*** edtubill has joined #openstack-barbican15:16
*** kfarr has quit IRC15:16
*** kebray has joined #openstack-barbican15:18
*** kfarr has joined #openstack-barbican15:32
*** vivek-ebay has joined #openstack-barbican15:34
redrobotalee reviewing now... also trying to get some other rackers to take a look15:37
aleeredrobot, great thanks15:38
*** SheenaG has quit IRC15:41
*** vivek-ebay has quit IRC15:42
*** xaeth is now known as xaeth_afk15:43
*** shohel has quit IRC15:52
openstackgerritAde Lee proposed openstack/python-barbicanclient: Add ability to add and list CAs
redrobotalee +2 x 216:11
aleeredrobot, thanks -- can you rally some of the other troops?16:12
redrobotalee just poked at hockeynut and jvrbanac ... hopefully they'll be able to jump on this before lunch.16:12
aleehockeynut, jvrbanac , kfarr , chellygel  ?16:12
openstackgerritKaitlin Farr proposed openstack/castellan: Update the key manager API
*** tkelsey has quit IRC16:13
aleehockeynut, just saw your comment about "enrollment_templates" vs "templates" -- I'm open to using something more descriptive like "enrollment-templates" - but I think thats probably not needed.16:15
aleewe're unlikely to have other kinds of "templates" added - and if we do , they could be more restrictively named.16:16
aleeredrobot, what do you think?16:16
*** kfarr has quit IRC16:17
redrobotalee hockeynut  I can't think of any other templates we would need from a CA?16:17
*** SheenaG has joined #openstack-barbican16:17
redrobotalee hockeynut afaict the only place where CAs are going to be significantly different is in ordering certs.16:18
hockeynutredrobot alee ok good, just didn't want to end up in a situation where we have 3 types of templates and cas/templates would be confusing16:18
aleeredrobot, hockeynut  -- perhaps revocation-templates?16:19
redrobotalee in that case I think something like16:19
redrobotor something like that makes more sense than hyphenating everything...16:20
*** kfarr has joined #openstack-barbican16:21
redrobothockeynut so maybe we will have 3 types of templates >_<16:22
alee /cas/templates/issuing , /ca/templates/revocation, /ca/templates/renewal16:23
alee issuing <-> enrollment?16:23
redrobotissuing/enrollment/provisioning ...  not sure which the correct term would be here16:24
redrobotI don't have a strong preference for any of them...16:24
aleein dogtag, we talk about enrollment16:24
*** vivek-ebay has joined #openstack-barbican16:25
aleeif you are going to use "issuing" -- we'll want to use "issuance"16:25
aleeto match up with revocation16:25
redrobotkfarr ping16:25
aleeand that sounds wonky to me ..16:26
aleeredrobot, so my preference is enrollment16:26
redrobotalee was looking at ... they just call it "getting" >_>16:26
redrobotalee I'm ok with "enrollment"16:27
aleeredrobot, ok - I'll make that change16:28
redrobotalee I think just templates/enrollment for now... we can add revocation and renewal if/when needed.16:30
aleehockeynut, dont forget'16:30
aleeredrobot, agreed -- I 'll make a note of why we are adding this though16:30
*** tkelsey has joined #openstack-barbican16:39
*** tkelsey has quit IRC16:43
openstackgerritAde Lee proposed openstack/barbican-specs: Add CA enrollment templates spec added
aleeredrobot, hockeynut updated16:47
*** crc32 has joined #openstack-barbican16:47
*** peter-hamilton has quit IRC16:49
*** tzatti has quit IRC16:49
kfarrredrobot pong16:50
jvrbanacalee, I have a couple questions regarding your specs. I have a lunch thing to go to, so I can't chat now. However, If you have some time this afternoon, perhaps can setup some google hangout time to talk through this really quick. redrobot you interesting in something like that?16:50
*** tzatti has joined #openstack-barbican16:50
aleejvrbanac, sure16:50
aleehockeynut, if you want to join too, we can get the specs all squared away16:51
aleejvrbanac, just ping me when you're back16:52
hockeynutput the time here and if I'm available I'll join.  I'm actually off this afternoon but I will be on and offline16:52
aleehockeynut, If you can't , feel free to just add your +2's :)16:55
aleejvrbanac, do you have a specific time in mind?16:55
*** chlong has quit IRC17:09
*** pglbutt has joined #openstack-barbican17:11
*** pglass has quit IRC17:12
*** pglass has joined #openstack-barbican17:13
*** pglbutt has quit IRC17:16
*** rellerreller has joined #openstack-barbican17:20
*** SheenaG has quit IRC17:38
*** crc32 has quit IRC17:44
*** SheenaG has joined #openstack-barbican17:44
*** crc32 has joined #openstack-barbican17:52
*** crc32 has quit IRC17:54
*** crc32 has joined #openstack-barbican17:54
*** crc32 has quit IRC17:56
*** pglbutt has joined #openstack-barbican17:58
*** pglbutt has quit IRC17:58
*** pglass has quit IRC18:01
*** crc32 has joined #openstack-barbican18:02
*** SheenaG has quit IRC18:04
*** tzatti has quit IRC18:04
*** tzatti has joined #openstack-barbican18:05
*** kfarr has left #openstack-barbican18:15
*** kfarr_ has joined #openstack-barbican18:15
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation
openstackgerritChristopher Solis proposed openstack/barbican: Implement models and repositories for KMIP servers
diazjfhockeynut, redrobot, can I get a +A!!18:36
*** kfarr has joined #openstack-barbican18:37
*** tkelsey has joined #openstack-barbican18:40
*** tzatti has quit IRC18:43
*** tzatti has joined #openstack-barbican18:44
*** tkelsey has quit IRC18:44
*** tzatti has quit IRC18:47
redrobotdiazjf ... I feel like a jerk for not reviewing this, but I'm focusing on BPs today...  :(18:49
diazjfredrobot, no worries at all, take your time!!! :-D18:50
diazjfjust wanted to know if it was on a queue of things to review18:51
*** pglass has joined #openstack-barbican18:51
*** kfarr has quit IRC18:53
openstackgerritKevin Bishop proposed openstack/barbican: Add PUT support for generic container types
kfarr_redrobot, did you ping earlier?18:55
redrobotkfarr_ yeah!  I was hoping you'd have some time to look at a couple of blueprints?18:56
redrobotkfarr_ specifically ade's BPs, and
*** kfarr has joined #openstack-barbican18:57
kfarrredrobot, sure! any ones in particular?18:58
*** vivek-eb_ has joined #openstack-barbican18:58
*** vivek-ebay has quit IRC18:59
*** kfarr_ has quit IRC19:00
redrobotkfarr in no particular order.19:00
kfarrredrobot, got it!19:00
*** Kevin_Bishop has quit IRC19:05
*** kfarr1 has joined #openstack-barbican19:07
redrobotelmiko ping19:07
elmikoredrobot: hey19:07
redrobotelmiko hey, quick question bc I don't want to rtfm.  Is there an API WG guidance on error messages.  Specifically interested in the format of the JSON object returned from an API.19:08
alee_redrobot, still trying to rally the troops for the specs?19:08
redrobotalee_ yep... I think I may have enlisted kfarr :)19:08
alee_go kfarr !19:09
elmikoredrobot: afaik that is something we are still working on. etoews has a spec up, i think. 1sec19:09
* elmiko digs19:09
alee_what about hockeynut and jvrbanac ?19:09
elmikoredrobot: this is as far as we've gotten
redrobotelmiko awesome, thanks!  I'll add that CR to my watch list19:10
jvrbanacalee, my afternoon has been crazy so far. Regarding the copy spec, I'm trying to figure out the probably we're actually solving here. Is it that someone could delete a secret?19:11
elmikoredrobot: etoews has been out of town, but he should be back next week. i'd expect it to pickup after that.19:11
*** kfarr1 has quit IRC19:11
jvrbanacalee, so having a individual secret per volume is where the copy is used?19:11
redrobotjvrbanac the use case is that cinder already does a copy by retrieving and then storing the secret again19:12
jvrbanacredrobot, but why?19:12
aleejvrbanac, if I recall correctly, the secret is copied when you want  to have cloned volumes19:12
jvrbanacredrobot, it feels like they're working around a behavior of barbican.19:13
redrobotjvrbanac they need to be able to delete the secret when the volume is deleted19:13
redrobotjvrbanac and reference counting a single secret is fragile19:13
jvrbanacredrobot, ahh I see19:13
kfarrRight, it's for the case where you clone an encrypted volume, then delete the original volume, which also deleted the associated encryption key19:14
jvrbanacredrobot, so they just want a 1-1 mapping19:14
redrobotjvrbanac yep... and this BP makes the copying a little more secure by keeping the secret inside barbican for the copying process.19:14
jvrbanacredrobot, ok... originally, I thought this kind of thing was where consumers was to help19:15
jvrbanacredrobot, since consumers allowed for someone to register their interest in the secret19:15
redrobotjvrbanac yeah, but they had a good argument for not using consumers... which I can't recall right now.19:15
*** kebray has quit IRC19:16
kfarrmm I think it's because castellan wouldn't be able to support consumers19:16
redrobotkfarr yeah, that would make sense19:18
kfarralthough (I put this in a comment on the spec) joel-coffman pointed out earlier this week that copy isn't really a standard key manager operation, and put out this merge request
kfarrto remove copy from castellan19:20
redrobotkfarr I see... interesting discussion to be had at mid-cycle then...19:21
*** Kevin_Bishop has joined #openstack-barbican19:21
redrobotso PCKS#11 does support it but KMIP does not.19:21
*** SheenaG has joined #openstack-barbican19:21
kfarrYeah, probably better in person than over chat19:21
redrobotSo the open question would be, do we want Castellan to support it, and force the KMIP castellan impl to do a retrieve/store ?19:22
kfarrYeah, I guess the alternative would be to do the retrieve/store on the Cinder side of things when cloning and remove copy and not worry about the Barbican implementation19:24
kfarrIf cloning volumes is the only use case19:24
redroboti believe Cinder is already doing that...  The Castellan question is still relevant I think.19:25
*** kfarr1 has joined #openstack-barbican19:26
*** ig0r_ has quit IRC19:26
alee_redrobot, kfarr, I'm ok with waiting till next week to decide if we really want this or not.  I had put it in because of what I was seeing cinder doing - and figured that retrieving and storing keys could be done much more securely by keeping them in barbican.19:29
kfarrYes, alee_ thanks so much for offering to implement the feature!19:30
alee_if we think no one is actually going to use this - there is no point in putting it in19:30
alee_kfarr, at the time, I thought this would be a trivial uncontroversial spec19:31
alee_chellygel, hockeynut jvrbanac  -- I need a workflow on
*** openstack has joined #openstack-barbican19:33
*** openstackstatus has joined #openstack-barbican19:33
*** ChanServ sets mode: +v openstackstatus19:33
*** kfarr1 has quit IRC19:33
redrobotalee_ do you have time to look at
jvrbanacalee, I could see a use case for copying secrets to another barbican in a different regions or a federated barbican.19:34
*** vivek-ebay has joined #openstack-barbican19:34
alee_jvrbanac, yeah - its the kind of thing which - if its there - will end up haivng uses I think.19:35
*** vivek-eb_ has quit IRC19:36
aleeredrobot, that looks like something I need to read up a bit on -- not sure if I can get to it today.19:38
*** vivek-eb_ has joined #openstack-barbican19:38
*** vivek-ebay has quit IRC19:40
*** everjeje has quit IRC19:42
elmikokfarr: how do you feel about a patch for the castellan docs to show a simple example of using castellan.key_manager.API to get a km and create a key or something?19:43
elmikojust so that new folks now how to use the basic elements of the lib19:43
kfarrelmiko more castellan docs would be great19:45
elmikokfarr: cool, i might toss up a patch19:45
kfarrI've been wanting to add more, but have had other priorities19:46
elmikototally understandable, that's why i asked. just wanted to see if anyone else had something in flight.19:46
*** rm_work|away is now known as rm_work19:49
*** silos has joined #openstack-barbican19:53
*** silos has left #openstack-barbican19:53
kfarrelmiko, not yet!19:53
elmikokfarr: ack19:53
*** everjeje has joined #openstack-barbican19:54
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation
*** kfarr has quit IRC20:00
*** vivek-eb_ has quit IRC20:01
*** vivek-ebay has joined #openstack-barbican20:01
redrobotelmiko it would be awesome to get castellan docs.20:05
* redrobot makes a note to publish to
elmikowell, i did add some on my configuration change =)20:06
*** vivek-ebay has quit IRC20:07
rm_workyes yes20:07
rm_workthe other chain needs to get moving though >_>20:07
elmikotrue, i'll try and do some reviews there20:08
rm_workredrobot / rellerreller ^^20:09
rm_workWTB +2 +A20:09
redrobotrm_work BP blueprint is today, so all spec CRs got bumped to the top of my review queue20:09
*** kfarr has joined #openstack-barbican20:12
redrobotrm_work s/BP bluerpint/BP deadline/g20:13
*** ChanServ sets mode: +o redrobot20:13
*** redrobot changes topic to "Barbican Liberty Sprint Aug 5-7"20:14
*** redrobot changes topic to "Barbican Liberty Mid-Cycle Sprint Aug 5-7"20:14
redrobotlast call for pycharm licenses20:20
diazjfredrobot, looks good. excited to attend the sprint20:20
elmikoredrobot: pycharm licenses?20:21
redrobotelmiko we've had an open source license for PyCharm for the last 2 years.  About to renew it, but they're issuing per-user licenses now, so I need to get a head count.20:21
elmikoredrobot: ah, very cool20:22
* redrobot is a vim hipster and does not use PyCharm20:22
elmikohehe, me too =)20:22
elmikoalthough we have a few folks who enjoy pycharm20:22
redrobotJetBrains makes solid IDEs20:22
*** kebray has joined #openstack-barbican20:22
redrobotI don't think I would have lasted as long as I did as a Java developer without IntelliJ20:23
elmikooh man, you need an ide for java20:23
redrobotyeah, my vim-fu is strong, but not java strong :-P20:24
elmikohaha, totally. i tried it once... once.20:24
redrobotelmiko lol20:24
*** diazjf has left #openstack-barbican20:25
elmikoi actually did get an eclipse-vim integration layer working. it was pretty cool, but still not up for the task20:25
*** edtubill has left #openstack-barbican20:27
alee_redrobot, I'm curious - whats the headcount?20:36
redrobotalee_ 5 so far20:36
alee_interesting - I would have expected more20:37
rm_workredrobot: really only 5?20:39
rm_workwell, i am excited for new license, i am literally stalled on py-dev :P20:39
redrobotrm_work yup... all the cool kids are using vim now20:39
rm_workjust went and did other stuff for a bit20:39
rm_worki mean i love VIM, and it's great for single-file stuff20:40
rm_workfor debugging unit tests, and development of large integrated systems.... WTB PyCharm20:40
redrobotvim + pdb ftw!20:40
*** tkelsey has joined #openstack-barbican20:40
*** tkelsey has quit IRC20:45
*** kebray has quit IRC20:50
*** kfarr has quit IRC20:54
*** kebray has joined #openstack-barbican20:57
*** Kevin_Bishop has quit IRC21:04
*** vivek-ebay has joined #openstack-barbican21:04
*** dimtruck is now known as zz_dimtruck21:04
*** darrenmoffat has quit IRC21:07
*** zz_dimtruck is now known as dimtruck21:07
*** vivek-ebay has quit IRC21:08
*** darrenmoffat has joined #openstack-barbican21:08
redrobotrm_work alee_ jetbrains email sent...  probably won't get licenses until Monday.21:09
redrobotrm_work alee_  I'll forward them as soon as I get them.21:09
*** kebray has quit IRC21:09
alee_redrobot, cool thanks21:09
*** SheenaG has quit IRC21:13
*** rm_you has quit IRC21:13
*** Kevin_Bishop has joined #openstack-barbican21:16
rm_workkk thanks redrobot21:18
rm_workwhy did they change i wonder? too much abuse?21:18
redrobotrm_work no idea... abuse seems likely though21:18
jvrbanacalee, I'm trying to understand the use for your enrollment spec.21:27
jvrbanacalee, I know dogtag supports various profiles; however, I'm trying to figure out where this fits with other CAs21:28
jvrbanacalee, I'm probably just missing something here21:28
aleejvrbanac, there are several ways in which to request a cert21:28
*** rellerreller has quit IRC21:29
aleeone is by using something like "simple-cmc", "or "fullcmc" or "stored_key"21:29
aleethose are the standard ways of doing requesting a cert21:29
aleeand they take standard attributes21:29
aleea final way -- and the first one we implemented is "custom"21:30
aleeit allows you to request a cert from a particular ca using thats ca- specific parameters21:30
aleeso if symantec or dogtag wants you to add some parameter that is not common to other cas21:30
redrobotjvrbanac BP provides an API to discover what the different required fields are, for a particular CA21:31
aleeor if you want a special kind of cert that the ca provides ..21:31
*** superflyy has joined #openstack-barbican21:31
redrobotit should prove useful for symantec-specific certs21:32
*** crc32 has quit IRC21:34
jvrbanacalee, interesting... so, is the idea that someone just hits the endpoint instead of having to go to our documentation?21:35
aleejvrbanac, its not our documentation -- its the documentation for that ca ..21:35
redrobotyup, dynamic docs if you will...21:36
aleejvrbanac, (for the custom case)21:36
aleebut yes , for the default case too21:36
aleedynamic docs :)21:36
redrobotI don't think it would be terribly useful in python-barbicanclient, but it would be awesome for Horizon21:37
redrobotthey could parse the response and create a custom form with all the required fields21:37
*** dimtruck is now known as zz_dimtruck21:37
aleeredrobot, yup21:37
aleeredrobot, that was the goal -- client generating whatever forms they needed - when we implemented this in dogtag21:38
*** rm_you has joined #openstack-barbican21:38
*** rm_you has quit IRC21:38
*** rm_you has joined #openstack-barbican21:38
jvrbanacredrobot, that sounds hella dangerous.21:38
aleejvrbanac, why?21:39
aleejvrbanac, its up the ca ultimately as to whether they will approve the cert request?21:39
aleejvrbanac, and the ca is what is providing the data that needs to be shared21:40
redrobotyeah, we've talked about it with reaperhulk before, and he agreed that a discovery API is necessary to deal with CA differences.21:40
jvrbanacalee, I was referring to using a third-party service to determine what ends up getting submitted through your frontend system. I guess it's a probably with any discovery api, it just feels dangerous.21:42
jvrbanacredrobot, ^21:42
aleejvrbanac, barbican is a front end for ca's - its not a ca itself.  so it needs to know how to communcate with cas and pas that info to the clients.21:43
jvrbanacalee, I was referring to a frontend like Horizon21:44
redrobotjvrbanac I do agree, dynamic form building from api responses sounds scary...  we'll just have to keep our eye on the Horizon bits to make sure they're not shooting themselves in the foot.21:44
jvrbanacredrobot, famous last words right?21:48
redrobotjvrbanac :)21:49
jvrbanacalee, sooo if this indicates required fields then we would have to have separate profiles for DV, EV, SANs, etc per plugin right?21:52
aleejvrbanac, potentially -- dependss on the plugin21:53
aleejvrbanac, different plugins will choose to handle different type of certs differently21:55
redrobotjvrbanac I would think that each symantec offering would have a different profile, yes.21:58
jvrbanacalee, redrobot, well, If I understand things correctly, any reseller is going to require organization info for validation of an OV. So every plugin that supported provisioning of an OV would also need that correct?21:58
jvrbanacalee, redrobot, I'm just wondering how big the code behind this discovery api will become.22:00
aleejvrbanac, that seems logical.  I think we need to explore these kinds of questions when we decide to add new types of certs (profiles)  to the common api.22:02
aleejvrbanac, I dont think its too big -- in the custom case, we defer to the plugins to provide whatever info they wish22:02
aleejvrbanac, in the common api - we provide whatever we choose to syupport22:03
*** redrobot_mobile has joined #openstack-barbican22:04
aleejvrbanac, no one said building a common api for all cas was easy -- thats why we solve the simplest and most common cases first -- and provide a mechanism for the custom cases if needed.22:05
aleethe discovey api facilitates both22:05
redrobotalee agreed22:09
redrobotjvrbanac I don't think we should hold up this BP based on difficulty/size of implementation.22:09
jvrbanacredrobot, that's not really my concern22:09
redrobotjvrbanac I'm not sure I understand your concern, then22:10
*** nelsnelson has quit IRC22:11
jvrbanacredrobot, outside of someone hooking this up to a external frontend (which I'm really not a big fan of), I'm still trying to see why someone would use this over our documentation. If we support a CA plugin, that means we have to document what it supports.22:12
aleejvrbanac, a dogtag ca admin may decide to only support certain profiles.  Others may choose to support different profiles or even custom ones,  And this may change at any time.22:18
aleejvrbanac, this gives us a way to determine what a particular ca supports22:19
aleenot just a particular type of ca, but  a particular ca22:19
aleejvrbanac, moreover, are you saying that you're trying to document evverything that dogtag or symantec or digicert supports?22:20
redrobotI think that while this could all be documented, having the profiles defined in code could also help with validation.22:23
aleeredrobot, jvrbanac need to head off soon.  brain switching off ..22:27
redrobotalee yeah, I hear beer calling my name22:28
redrobotalee I added a bullet point to the mid-cycle etherpad for BP Freeze Exceptions...  I'm sure we'll pick up this conversation again during that.22:30
redrobotalso of interest to xek, I think ^^22:30
jvrbanacalee, redrobot so I get the dogtag use case as it can change; potentially frequently. However, considering I don't see Symantec and Digicert changing things all the time, it just makes me wonder. If we're putting this in for the dogtag use-case, but I'm just trying to look at this from a 10,000 ft level and as if I don't know anything about it22:31
redrobotI don't think Symantec would change their process often, but I do see agreement levels between 3rd party resellers (such as Rack) and CAs as potentially changing22:32
aleejvrbanac, either way this provides a mechanism for dealing with that change when it happens without having to rewrite a bunch of docs22:33
redrobotI do think the front end use case is a valid one.  Without this API Horizon would be forced to create UIs for every single possible certificate type ahead of time...22:35
*** SheenaG has joined #openstack-barbican22:36
*** spotz is now known as spotz_zzz22:38
*** Kevin_Bishop has quit IRC22:42
*** alee is now known as alee_beer22:44
*** superflyy has quit IRC22:52
*** alee_beer is now known as alee_loopy_afk22:55
*** SheenaG has quit IRC22:56
*** pglass has quit IRC23:01
*** tkelsey has joined #openstack-barbican23:04
*** SheenaG has joined #openstack-barbican23:11
*** tkelsey has quit IRC23:11
*** redrobot_mobile has quit IRC23:22
*** mixos has joined #openstack-barbican23:53

Generated by 2.14.0 by Marius Gedminas - find it at!