20:00:01 <redrobot> #startmeeting barbican
20:00:02 <openstack> Meeting started Mon Nov 10 20:00:01 2014 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:06 <openstack> The meeting name has been set to 'barbican'
20:00:20 <redrobot> Welcome back Barbicaneers!
20:00:42 <redrobot> As usual the agenda can be found here:
20:00:45 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:00:48 <redrobot> #topic Roll Call
20:01:07 <redrobot> I'm actually not expecting very many people to show today.
20:01:10 <SheenaG1> o/
20:01:22 <redrobot> You rock SheenaG1 !! :)
20:01:59 <alee> o/
20:02:11 <SheenaG1> redrobot: can't let you have this meeting all by your lonesome!
20:02:25 <redrobot> good to see you made it home ok alee
20:02:39 <redrobot> I think it's just the three of us today, so it should be a quick meeting
20:02:58 <alee> redrobot, still a little jet lagged - and I missed my connection - so it was a long delay in lovely Detroit
20:03:18 <alee> looks like rellerreller made it back too.
20:03:24 <SheenaG1> alee: who wouldn't want to visit Detroit?
20:03:24 <rellerreller> Is there a meeting today?
20:03:26 <redrobot> alee heh... I missed my flight out of Paris >_<
20:03:33 <redrobot> rellerreller yeah, should be a short one though
20:03:41 <redrobot> #topic New Core Reviewers
20:04:08 <alee> redrobot, I think rellerreller and I have already +1'ed
20:04:08 <redrobot> First, let's cover the nomination for Steve Heyman
20:04:13 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2014-November/049852.html
20:04:52 <redrobot> Yeah, I counted 6 x +1, and since it's been five days of open voting, I'm calling it a Yes for Steve.  I will add Steve to barbican-core after the meeting.
20:05:37 <redrobot> Next, we have the nomination for Juan Antonio Osorio Robles
20:05:40 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2014-November/049855.html
20:05:57 <alee> SheenaG1, I'm sure Detroit is lovely, I just have not made it past the airport (which is lovely too)
20:06:22 <rellerreller> Congratulations to Steve!
20:06:27 <redrobot> The vote count for Juan was also 6x +1, and with five days of open voting, I'm also calling this a Yes.
20:06:45 <redrobot> I will also be adding Juan to barbican-core after the meeting.
20:06:56 <alee> ditto for Juan
20:07:23 <redrobot> Congratulations to both Juan and Steve!  I think they're both well deserved after all the review work they've been putting into the project.
20:07:32 <redrobot> even if they didn't make it to today's meeting.
20:08:16 <redrobot> Ok, moving on
20:08:21 <redrobot> #topic RFC 7030
20:08:25 <redrobot> #link https://tools.ietf.org/html/rfc7030
20:09:10 <alee> redrobot, I think we need more time to study this rfc and decide what to do with it.
20:09:11 <redrobot> For today, I just wanted to remind everyone to read through the RFC.  We'll push discussion until next week's meeting to give everyone a chance to come back from OpenStack Summit and related vacations.
20:09:21 <redrobot> alee agreed.
20:09:30 <jaosorior> did it already start? O_O
20:09:59 <redrobot> jaosorior meeting?  Yes.  You missed the official announcement that we're adding you to barbican-core after the meeting.
20:10:06 <alee> jaosorior, yup - and you've been designated core -- felicitations!
20:10:10 <jaosorior> yay! :D
20:10:36 <jaosorior> http://weknowmemes.com/wp-content/uploads/2012/11/mexcellent.jpg
20:10:50 <redrobot> jaosorior lol
20:12:06 <redrobot> so, that's all that was on the agenda for today.
20:12:15 <redrobot> anyone have anything they'd like to bring up?
20:12:20 <redrobot> if not we can call the meeting early.
20:12:33 <jaosorior> well, did the guys interested in implementing the RFC7030 show up?
20:13:02 <redrobot> jaosorior I don't think so.  I just wanted to remind everyone to read the RFC.  Lots of peeps are still on vacation or making their way back from Paris.
20:13:10 <jaosorior> oh, alright
20:13:18 <jaosorior> I was hurrying to finish reading it :P
20:13:25 <alee> jaosorior, it's a little early I think.  we talked about perhaps meeting with them after the next Barbican meeting next week.
20:13:51 <hyakuhei> Hey @all, didn't realise the weekly was running today?
20:14:10 <hyakuhei> Sorry, no question there - just erm, hi :)
20:14:18 <redrobot> hyakuhei hi!
20:14:19 <jaosorior> yo, whattup
20:14:24 <alee> jaosorior, it's going to take some thought -- even if we decide it's a good idea - we need to figure out when we'd want to implement it
20:14:48 <alee> given that we should be trying to stabilize the api.
20:15:07 <hyakuhei> Where's the best description of how transport keys work (other than the code)? I'm not sure they work how I think they work
20:15:10 <jaosorior> that's correct. Although if I remember correctly they had offered to implement it
20:15:29 <jaosorior> and on the other hand, the API as proposed by the RFC would end up being separate from the one we are using now
20:15:39 <alee> hyakuhei, well the code is in the server side - but not in the client side yet
20:15:49 <alee> hyakuhei, I need to implement that soon.
20:15:51 <jaosorior> (even URI-wise it would have a separate path)
20:15:54 <hyakuhei> ah ok, there isn't a spec for it I believe?
20:16:12 <alee> hyakuhei, there is -- let me see ..
20:16:34 <hyakuhei> Because when we were talking about pre-encryption and the different approaches, the asymmetric system I was imagining kinda sounded exactly the same as how I think transport keys would work
20:16:41 <hyakuhei> So some part of my thinking is broken :P
20:16:45 <hyakuhei> yo tkelsey !
20:16:47 <redrobot> hyakuhei http://specs.openstack.org/openstack/barbican-specs/specs/juno/add-wrapping-key-to-barbican-server.html
20:16:48 <tkelsey> hey all, sorry I'm late #
20:17:02 <alee> redrobot, thanks :)
20:17:22 <alee> hyakuhei, right - pre-encryption and transport keys are two separate features
20:17:47 <hyakuhei> alee: Yup, but I'm not 100% sure on the details of either :P
20:18:10 <hyakuhei> Thanks for the link redrobot
20:18:14 <alee> hyakuhei, sure - read the specs and let me know if you have questions
20:18:20 <hyakuhei> will do
20:18:30 <alee> (and be sure to comment)
20:19:07 <redrobot> hyakuhei you're welcome... even if y'all totally hijacked the meeting topic.  :-P
20:19:34 <alee> redrobot, so yeah - in general - just a reminder for folks to read the outstanding specs -- so we can start getting to work ..
20:19:59 <redrobot> #topic Kilo Specs
20:20:18 <redrobot> #link https://review.openstack.org/#/q/status:open+project:openstack/barbican-specs,n,z
20:20:32 <alee> redrobot, we probably need to enumerate any additional specs that came out of the summit
20:20:51 <alee> rellerreller, you going to write the "content-type" one ? :)
20:21:11 <rellerreller> I can write it
20:21:18 <redrobot> and here I thought it was going to be a short meeting... hehe
20:21:26 <alee> awesome
20:21:32 <redrobot> I think I was on the hook for writing the Active Plugin spec?
20:21:39 <rellerreller> Do we need a spec for such a short commit? It will mostly be documentation.
20:22:35 <alee> rellerreller, depending on what we decide is the right version of PEM, it could be more than just documentation
20:22:59 <rellerreller> alee good point
20:23:00 <alee> though I'm in favor of keeping what we have (assuming it's the same)
20:23:30 <alee> rellerreller, it's worth putting in a spec - so we don't rehash all this next summit
20:24:17 <redrobot> #action rellerreller to write spec for content-types
20:24:35 <alee> redrobot, sounds good to me about the active plugin spec.
20:24:38 <redrobot> #action rellerreller to write spec for Active SecretStore
20:24:43 <redrobot> derp
20:24:56 <redrobot> #action redrobot to write spec for Active SecretStore
20:25:16 <alee> is there a spec for the tpm stuff?
20:26:09 <rellerreller> alee I have not seen one in Barbican, but I did see one in another project
20:26:44 <alee> redrobot, you might want to contact malini and figure out where all that is ..
20:26:54 <alee> rellerreller, link?
20:27:23 <rellerreller> One second
20:27:48 <alee> redrobot, I need to revise my spec for per-secret policy based on what we decided at the summit
20:28:17 <rellerreller> alee I cannot find it at the moment. I will have to post a link later.
20:28:18 <redrobot> #action alee to update ACL policy spec
20:28:27 <alee> cool
20:29:03 <redrobot> alee trying to remember what the TPM stuff was?  ...
20:29:53 <alee> redrobot, malini et al had made changes to barbican and other projects to accept a TPM quote and use that to determine if someone was authorized to get a secret
20:29:58 <rellerreller> The TPM stuff is to add hooks to allow attestation protocols to run before releasing the keys.
20:30:29 <redrobot> I see...  OK, I'll ping Malini about that
20:30:47 <rellerreller> It runs the Open Attestation protocol to get a TPM quote and then verifies it. In theory it can do more than just a TPM quote, but that is all in the first release.
20:30:53 <redrobot> #action redrobot to contact Malini to figure out the location of TPM work
20:30:54 <alee> my guess is that this involves some kind of middleware module that runs before barbican - and it would also tie in neatly with the per-secret acls.
20:31:05 <hyakuhei> Interested in the TPM work too
20:32:25 <alee> redrobot, on my flight home, I did run into some O-O-O folks interested in using barbican to get certs.  I'll see if I can follow up with them.
20:32:35 <alee> also the Sahara folks.
20:33:06 <alee> are there any other missing specs?
20:33:11 <redrobot> alee nice.
20:33:45 <redrobot> alee looking at https://etherpad.openstack.org/p/barbican-kilo-roadmap to see if we missed anything
20:34:23 <redrobot> Ah yes, the Tenant->Secret association.
20:34:40 <alee> redrobot, yeah - we agreed to axe it.
20:34:53 <redrobot> I think woodster wanted to tackle that
20:35:02 <redrobot> will ping him about that when he comes back next week
20:35:06 <alee> redrobot, ok
20:35:34 <redrobot> Also, we still need a name for the KeyManager repo
20:35:45 <alee> what's a spike?
20:35:54 <hyakuhei> I thought keymanager was moving into barbican-client?
20:36:15 <redrobot> alee short for Research Spike... basically spend some time to research and figure out best course of action.
20:36:32 <tkelsey> alee I only know a spike in the context of scrum
20:36:48 <redrobot> hyakuhei the implementation will be in barbicanclient.  The interface will live in its own repo though.
20:37:05 <redrobot> hyakuhei that way people not using barbican don't have to take on the barbicanclient dependency
20:37:25 <hyakuhei> Righto, makes sense.
20:37:35 <alee> ok - we discussed also a generic discovery api with json schema
20:38:04 <alee> with barbican-core doing validation based on that schema -- that needs investigation
20:38:13 <alee> and blueprints/specs
20:40:16 <alee> tkelsey, being a former physicist, I only know of spikes in the context of dirac delta functions ..
20:40:27 <jaosorior> you mean discovery such as in keystone?
20:41:01 <redrobot> jaosorior the idea was to have an API that will let you discover how many CAs can provision certificates for a particular Barbican instance
20:41:07 <alee> jaosorior, discovery as in presenting which algorithms, bit lengths etc. a plugin supports
20:41:19 <jaosorior> alright
20:41:29 <redrobot> jaosorior and also discover properties about that CA, like whether it's internal or global, etc.
20:41:30 <tkelsey> alee sounds much more interesting. In scrum a spike is a research task with no actual deliverable other than learning
20:42:31 <alee> redrobot, there are two discovery ideas here - one on which ca's are available --
20:42:43 <alee> and one on which algorithms, parameters etc. are needed
20:43:02 <alee> redrobot, ca-discovery has been approved and has a spec ..
20:43:24 <alee> https://review.openstack.org/129048
20:43:33 <alee> (which needs more reviewers)
20:44:19 <alee> redrobot, general capability discovery needs a spec for secret store type functions, but also has a spec for ca type functions
20:44:42 <hyakuhei> I'll take a look at the spec
20:44:45 <alee> https://review.openstack.org/129377
20:44:53 <alee> hyakuhei, cool thanks
20:45:56 * redrobot needs to lock himself in a room and just review specs for a couple of days
20:46:04 <hyakuhei> +1000
20:46:07 <hyakuhei> Need more days.
20:46:40 <alee> redrobot, excellent idea :)
20:46:41 <tkelsey> lol
20:50:17 <redrobot> yep, lots of work to do guys... Our folks should start trickling back from the Summit over the next few days
20:50:26 <redrobot> I'll get my cattle prod ready and see if I can get them to review specs
20:51:09 <redrobot> I think we have enough todos to keep us busy until next week.
20:51:13 <hyakuhei> redrobot: email me anything you want reviewing as a priority and I'll wield my might +/-1 ...
20:51:15 <redrobot> Any last minute comments/concerns?
20:51:24 <hyakuhei> *mighty
20:52:09 <redrobot> hyakuhei thanks!  will do.
20:52:19 <hyakuhei> So it might be worth flagging up the swift encryption stuff
20:52:34 <hyakuhei> As not directly barbican, lots of learned people here might have opinions on it
20:52:45 <hyakuhei> Not that it's short of opinions already...
20:52:52 <redrobot> hyakuhei true, do you have any links handy?
20:52:53 <hyakuhei> #link https://review.openstack.org/#/c/123220/
20:53:42 <redrobot> hyakuhei thanks
20:53:53 <hyakuhei> np
20:56:10 <redrobot> Alrighty guys, thanks for coming to the meeting.  See you all next week.
20:56:47 <redrobot> #endmeeting