16:59:50 <hyakuhei> #startmeeting Security
16:59:51 <openstack> Meeting started Thu Jan 19 16:59:50 2017 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:54 <openstack> The meeting name has been set to 'security'
16:59:59 <hyakuhei> Ooops, 7 seconds early.
17:00:03 <lhinds> hey!
17:00:08 <hyakuhei> Hey lhinds !
17:00:11 <lhinds> hi hyakuhei
17:00:26 <hyakuhei> Nice to see you!
17:00:39 <lhinds> happy new year (I was off for awhile)
17:00:42 <hyakuhei> Let's wait a moment or two for others to roll in
17:00:48 <hyakuhei> To you too :)
17:01:45 <knangia> O/
17:01:51 <rarora> hi
17:01:52 <capnoday> o/
17:01:58 <lhinds> o/
17:02:01 <hyakuhei> o/ hey guys
17:02:05 <sigmavirus> o/
17:02:11 <hyakuhei> As you know we're looking to run a tight, 30 minute meeting
17:02:16 <sicarie> o/
17:02:24 <hyakuhei> sicarie too! sweet
17:02:32 <michaelxin> o/
17:02:46 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda security agenda for this week
17:03:03 <hyakuhei> Please feel free to add things to that and we'll try to fit everything in
17:03:09 <hyakuhei> hi tkelseym michaelxin
17:03:12 <hyakuhei> tkelsey
17:03:13 <tkelsey> o/
17:03:19 <tkelsey> sorry I'm late
17:03:26 <michaelxin> hyakuhei hi
17:03:28 <hyakuhei> Righto, moving swiftly to the first item
17:03:33 <hyakuhei> #topic PTL
17:03:55 <hyakuhei> The elections are this coming week, similar format as before I think (i.e. Gerrit + ML announcement)
17:04:19 <hyakuhei> I will be standing for PTL after I secured time to spend on OpenStack PTL things from my mgmt
17:04:36 <capnoday> great!
17:04:38 <michaelxin> cool
17:04:41 <michaelxin> Thanks
17:04:54 <hyakuhei> I also encourage others to stand, new blood and all that :)
17:04:55 <capnoday> anyone else want to run? michaelxin lhinds sicarie sigmavirus?
17:04:56 <redrobot> o/
17:05:04 <hyakuhei> omg redrobot hai!
17:05:09 <sigmavirus> Why do people keep volunteering me to run for PTL or TC?
17:05:10 <hyakuhei> Just talking PTL things
17:05:15 <capnoday> redrobot! fancy running or PTL
17:05:19 <hyakuhei> sigmavirus you seem to know all the things.
17:05:20 <michaelxin> haha
17:05:29 <lhinds> i think on a later cycle maybe
17:05:35 <sigmavirus> hyakuhei: but I have none of the time ;)
17:05:43 <lhinds> happy hyakuhei is going forward for now
17:05:44 <sigmavirus> And I'm a master of illusion
17:05:55 <redrobot> capnoday nay...  unless hyakuhei is retiring, then... maybe?
17:05:57 <hyakuhei> Ok, the PTL info isn't always the easiest to find, let me know if you're interested and I'll hook you up with the relevant stuff.
17:06:05 <hyakuhei> redrobot not this time around ;)
17:06:24 <hyakuhei> Any questions on PTL things before we move on?
17:06:37 <hyakuhei> (Other than capnoday trying to replace me with pretty much anyone...)
17:06:40 <sicarie> nope, good luck!
17:06:45 <hyakuhei> cheers
17:06:54 <hyakuhei> Right, next up is the PTG - not far away now
17:06:56 <hyakuhei> #topic PTG
17:07:10 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:07:14 <sigmavirus> hyakuhei: I think capnoday wants healthy competition =P
17:07:16 <redrobot> I've got my fingers crossed that I'll get to go...
17:07:51 <hyakuhei> As we discussed at length previously, resources are tight and we don't have a huge number of people going. That doesn't mean others can't contribute remotely though.
17:08:24 <hyakuhei> Interesting topic just been added there re: Barbican/Vault
17:09:11 <hyakuhei> My expectation is that it may be easier to have a Barbican plugin for Vault, similar to the KMIP plugin that doesn't do anything clever with MKEK etc, just uses Vault as its store.
17:09:11 <redrobot> yeah, my use case has changed from wanting to run a global hsm-backed barbican deployment to running many software-based small barbican deployments.
17:09:19 <hyakuhei> Hah
17:09:23 <hyakuhei> who knew that would happen....
17:09:27 * hyakuhei hides.
17:09:40 <redrobot> so I did spend some time looking into the wiring
17:09:50 <capnoday> hahaha
17:09:53 <redrobot> the tricky part is mapping Keystone tokens to Vault tokens
17:10:01 <hyakuhei> I suspect the number of people who care about secrets greatly outnumbers those with HSMs
17:10:17 <capnoday> can't they just deploy dogtag?
17:10:20 <sigmavirus> redrobot: perhaps there's a need for vault to learn about keystone tokens?
17:10:29 <sigmavirus> capnoday: I've been informed that dogtag is quite difficult
17:10:39 <sigmavirus> I never got to that point of a PoC for my team though
17:10:41 <hyakuhei> sigmavirus I don't think they're accepting contributions for the AuthN magic at the moment
17:10:48 <hyakuhei> Might have changed though
17:10:49 <redrobot> sigmavirus that's one option... but I still think it may be easier to avoid Vault altogether
17:11:04 <hyakuhei> Anyway, let's push Vault to the back of the queue for a moment
17:11:11 <hyakuhei> Keeping in mind the meeting length
17:11:14 <redrobot> ie, take the Simple Crypto plugin and add an API call to provide the encryption key at runtime instead of having it in the conf file
17:11:20 <hyakuhei> So good to have on the PTG topic list
17:11:23 <hyakuhei> sssh redrobot
17:11:28 <redrobot> lol
17:11:29 * sigmavirus chuckles
17:11:34 <hyakuhei> #topic Naughty words
17:11:37 <redrobot> yeah, should be a fun discussion at the PTG
17:11:44 <redrobot> poop!
17:11:47 <redrobot> doodoo
17:11:49 <hyakuhei> This might be interesting to the Syntribos folks
17:11:50 <hyakuhei> #link https://github.com/minimaxir/big-list-of-naughty-strings
17:12:04 <hyakuhei> I made a note to bring that up, now I have
17:12:07 <hyakuhei> :)
17:12:20 <hyakuhei> unrahul michaelxin knangia ^^^
17:12:34 <hyakuhei> Some potentially useful stuff there I'm sure
17:12:37 <michaelxin> We saw it. Thanks.
17:12:42 <redrobot> (btw, I mostly came here today to remind hyakuhei to submit his PTL candidacy so we don't get yelled at by the TC again)
17:12:43 <knangia> thanks !
17:12:47 <hyakuhei> Figured as much
17:12:52 <hyakuhei> redrobot thanks bro!
17:12:59 <hyakuhei> #topic OSSN
17:13:01 <michaelxin> redrobot: +1
17:13:09 <hyakuhei> lhinds welcome back from holiday, what's going on with OSSN ?
17:13:20 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:13:28 <hyakuhei> So I see three in there. All private.
17:13:35 <lhinds> so we have two privates, with authors of hyakuhei and tmcpeak
17:13:42 <lhinds> yours is very close hyakuhei
17:14:01 <lhinds> you just need to look at comment #22 and we should be able to get that out
17:14:03 <hyakuhei> It's interesting that we have so many private these days, I think because we are being used as a catch-all for the VMT where a project isn't supported by them.
17:14:11 <sigmavirus> lhinds: if you need help, let me know. I see two on that list and have context on them
17:14:17 <lhinds> I will catch up with tmcpeak when I next see him online
17:14:46 <lhinds> sure sigmavirus , you could take the one to tmcpeak if you like?
17:15:13 <sigmavirus> Oh I wasn't volunteering to write one =P but if tmcpeak needs me to, I can take it over
17:15:29 <sigmavirus> I need to read how to do an OSSN on a private issue
17:16:06 <lhinds> I will try and catch him (he might be PTO), and see where he is.
17:16:35 <lhinds> and it's likely to be public soon too.
17:17:01 <sigmavirus> Okay
17:17:01 <hyakuhei> I'll update that OSSN assigned to me in the 30 minutes I get back from this shorter meeting
17:17:09 <hyakuhei> Anything else lhinds ?
17:17:09 <lhinds> that's it for notes. the other thing is I am getting in touch with infra about hosting the OSSN web / api.
17:17:14 <lhinds> nice thanks hyakuhei
17:17:17 <lhinds> that's it for notes
17:17:22 <hyakuhei> Cool
17:17:25 <hyakuhei> Then we're onto AOB
17:17:33 <hyakuhei> #topic Any Other Business
17:17:48 <hyakuhei> Anything you want to bring up? Discuss Vault some more redrobot ? etc?
17:18:20 <redrobot> I'm sure y'all saw the huge Barbican thread on the ML
17:18:32 <sigmavirus> redrobot: you're welcome and I'm sorry
17:18:44 <redrobot> looks like the TC will be considering what the base "secrets vault" will be
17:18:50 <hyakuhei> Yeah that was interesting
17:19:02 <redrobot> so it looks like we will be going through the incubation ringer again
17:19:11 <sigmavirus> On the bright side, Glare is no longer publicly planning to be a secrets store
17:19:15 <hyakuhei> Though it did get somewhat clobbered by the whole "big tent bad" thing
17:19:32 <sigmavirus> hyakuhei: yeah, people on the ML do that to any thread they can
17:19:38 <redrobot> yeah, there were some valid concerns like keystone token scope not being narrow enough
17:19:42 <sigmavirus> always the same persons too
17:20:21 <redrobot> so, it sounds like we'll have to make the case that barbican is secure to the Arch Working Group
17:20:33 <redrobot> and they'll compare it to Vault and Keywhiz and whatever else
17:20:46 <capnoday> secure and useful?
17:20:57 <redrobot> I'm a little concerned because they could also kill Barbican altogether
17:20:57 <hyakuhei> For software only crypto, it isn't comparable today imho
17:21:04 <redrobot> hyakuhei +!
17:21:07 <redrobot> err +1
17:21:24 <redrobot> yeah, which is why I think that improving Simple Crypto plugin will be important
17:21:29 <hyakuhei> +1
17:21:50 <dave-mccowan> sigmavirus also on barbican: i've submitted patches to get tags for stable-branch, standard-deprecation, and vmt-managed.  all are still in review.  thanks for bringing that up on the ML.
17:22:01 <sigmavirus> dave-mccowan: ++
17:22:11 <hyakuhei> dave-mccowan good stuff
17:22:31 <sigmavirus> I was about to start a thread on the ML about why the project navigator is developed on GitHub
17:22:34 <redrobot> I think a Vault plugin would be valuable, but only to folks who already have vault
17:22:39 <sigmavirus> but decided two ranty threads a week was my limit
17:22:41 <redrobot> for someone with no existing KMS running both Vault AND Barbican seem like too much overhead
17:22:55 <sigmavirus> redrobot: agreed
17:23:16 <hyakuhei> So instead of using a well audited soft-hsm we're going to build one ourselves?
17:23:23 <hyakuhei> Certainly sounds like the OpenStack way...
17:23:30 <redrobot> lol
17:23:41 <sigmavirus> hyakuhei: absolutely
17:23:42 <redrobot> the alternative is to abandon Barbican altogether. :(
17:23:59 <redrobot> and just build a Vault auth plugin for Keystone
17:24:03 <hyakuhei> I don't think anyone wants taht
17:24:05 <hyakuhei> *that
17:24:42 <redrobot> I also explored using SoftHSM with our existing PKCS#11 plugin https://www.opendnssec.org/softhsm/
17:25:00 <redrobot> but it's not scalable
17:25:18 <redrobot> or at least it wasn't obvious to me how we could scale it.
17:25:50 <sigmavirus> mhayden: have you ever seen softhsm?
17:26:03 <hyakuhei> Interesting. This certainly sounds like a good thing to spend time on at the PTG
17:26:08 * sigmavirus wonders if mhayden knows someone or has cycles
17:26:59 <redrobot> yup...  also thinking that a Vault vs Barbican prezo in Boston would be a good thing to hvae
17:27:04 <redrobot> *have
17:27:15 <hyakuhei> It does kinda look like it might be less work to extend Vault's AppRole scheme than build a new SoftHSM. However, I'm happy to be involved in either .
17:28:00 <capnoday> I am very against building a new softhsm unless absolutely necessary. I would even consider posting on the mailing list to say so!
17:28:02 <hyakuhei> ok, last couple of minutes.
17:28:56 <hyakuhei> Useful meeting all, it seems like we can wrap it here :) thanks!
17:29:11 <redrobot> capnoday so you're arguing for asking operators to run 2 services to run barbican.  :-\
17:29:34 <redrobot> kk, see y'all next time friends!
17:29:46 <capnoday> redrobot let's talk more on this next time/offline
17:30:00 <hyakuhei> #endmeeting