Wednesday, 2014-11-19

*** david-lyle is now known as david-lyle_afk		00:06
*** jorge_munoz has left #openstack-barbican		00:09
*** kebray has joined #openstack-barbican		00:13
*** liam_ has joined #openstack-barbican		00:25
*** liam_ is now known as Guest50977		00:25
*** Guest50977 has quit IRC		00:26
*** stanzi has joined #openstack-barbican		00:34
*** stanzi has quit IRC		00:38
*** ayoung has quit IRC		01:09
*** nkinder has joined #openstack-barbican		01:09
*** jorge_munoz has joined #openstack-barbican		01:39
*** gyee has quit IRC		01:40
*** jorge_munoz has quit IRC		01:42
*** jorge_munoz has joined #openstack-barbican		01:42
*** jorge_munoz has quit IRC		01:44
*** kebray has quit IRC		01:45
*** zz_dimtruck is now known as dimtruck		01:55
*** ayoung has joined #openstack-barbican		02:05
*** bdpayne_ has quit IRC		02:07
*** dave-mccowan has joined #openstack-barbican		02:28
*** ryanpetrello has quit IRC		02:32
*** ryanpetrello has joined #openstack-barbican		02:34
*** dave-mccowan has quit IRC		02:35
*** dave-mccowan has joined #openstack-barbican		02:37
*** woodster_ has quit IRC		02:40
*** dave-mccowan has quit IRC		02:50
openstackgerrit	Ade Lee proposed openstack/barbican-specs: Add Cert API Spec. https://review.openstack.org/135490	02:51
*** bdpayne has joined #openstack-barbican		02:55
*** bdpayne has quit IRC		03:04
*** miqui has joined #openstack-barbican		03:07
miqui	newbie question: can i run barbican standalone?	03:08
miqui	..thanks in adv..	03:08
rm_you	miqui: yes	03:09
miqui	rm_you: ...cool.. thanks	03:10
rm_you	I believe it is as easy as:	03:10
miqui	most use it as part of openstack... or as a standalone component...	03:10
rm_you	python setup install	03:11
miqui	cool.. great...	03:11
rm_you	though there is also a script in bin/ that is like "barbican-install.sh" I think	03:11
miqui	...thanks i will check it out...	03:11
rm_you	which will install the deps and run the tests and then run the app	03:11
rm_you	np	03:11
miqui	once i learn a little more about it, might start to contrib...	03:11
miqui	perhaps i could start with just reviews...	03:11
rm_you	reading reviews can be a good way to get started, but it can also be hard to make sense of them at first :)	03:12
miqui	hmmm yeah ..that is one drawback...	03:12
rm_you	I started by having a thing I needed to patch, and just diving in and trying to swim :P	03:12
miqui	..and no life jackets....	03:13
miqui	...thanks rm_you	03:13
rm_you	yeah no problem, good luck!	03:14
rm_you	this is the off time for most contributors, so I don't know your timezone but there is much more activity here between like 10:00 - 18:00 CST	03:15
*** ryanpetrello has quit IRC		03:20
*** ryanpetrello has joined #openstack-barbican		03:22
*** jorge_munoz has joined #openstack-barbican		03:49
*** jorge_munoz has quit IRC		03:50
*** jorge_munoz has joined #openstack-barbican		03:58
*** jorge_munoz has quit IRC		04:00
*** jorge_munoz has joined #openstack-barbican		04:12
*** ayoung is now known as ayoung-ZZZzzzZzz		04:13
*** jorge_munoz has quit IRC		04:15
*** ryanpetrello has quit IRC		04:54
*** jorge_munoz has joined #openstack-barbican		05:00
*** dimtruck is now known as zz_dimtruck		05:01
*** jorge_munoz has quit IRC		05:04
*** miqui has quit IRC		05:44
*** david-lyle_afk has quit IRC		06:12
*** Nirupama has joined #openstack-barbican		08:28
*** hyakuhei has quit IRC		09:26
*** jamielennox is now known as jamielennox\|away		09:41
*** hyakuhei has joined #openstack-barbican		10:04
openstackgerrit	Tim Kelsey proposed openstack/barbican: Adding client certificates to connection credentials https://review.openstack.org/135217	12:05
*** jaosorior has joined #openstack-barbican		13:12
*** rellerreller has joined #openstack-barbican		13:28
rellerreller	alee_ ping	13:29
*** ayoung-ZZZzzzZzz is now known as ayoung		13:33
*** ryanpetrello has joined #openstack-barbican		13:48
*** zz_dimtruck is now known as dimtruck		13:53
alee_	rellerreller, yo	13:56
rellerreller	alee_ when you wrap the keys using the transport key how do you do that?	13:57
rellerreller	Are you just encrypting or signing too?	13:57
rellerreller	I'm working on the content types spec and am wondering what specs you are using to the transport key wrapping.	13:57
alee_	rellerreller, just encrypting iirc. let me get back to you -- need to joina meeting.	13:58
rellerreller	alee_ ok see you later	13:58
*** Nirupama has quit IRC		14:00
*** rellerreller has quit IRC		14:02
*** dimtruck is now known as zz_dimtruck		14:03
*** woodster_ has joined #openstack-barbican		14:17
*** openstackgerrit has quit IRC		14:33
*** openstackgerrit has joined #openstack-barbican		14:34
*** stanzi has joined #openstack-barbican		14:35
*** dave-mccowan has joined #openstack-barbican		14:37
*** dave-mccowan_ has joined #openstack-barbican		14:39
*** dave-mccowan has quit IRC		14:42
*** dave-mccowan_ is now known as dave-mccowan		14:42
*** tdink has joined #openstack-barbican		14:42
*** akoneru has joined #openstack-barbican		14:46
*** openstackgerrit has quit IRC		14:49
*** akoneru has quit IRC		14:49
*** rellerreller has joined #openstack-barbican		14:49
*** akoneru has joined #openstack-barbican		14:49
*** openstackgerrit has joined #openstack-barbican		14:49
*** paul_glass has joined #openstack-barbican		14:50
*** stanzi has quit IRC		14:51
*** stanzi has joined #openstack-barbican		14:52
alee_	rellerreller, ping	15:15
rellerreller	alee_ pong	15:15
alee_	rellerreller, so what we're doing is generating a symmetric key -- wrapping that symmetric key with the traqnsport key - and then wrapping the data with the symmetric key	15:16
rellerreller	alee_ How are you wrapping things?	15:16
alee_	rellerreller, we allow you to choose the parameters for the symmetric key wrapping - though in practice it looks like dogtag is expecting des3_cbc_pad	15:17
alee_	(with the client also sending over a random IV)	15:17
rellerreller	OK, so the blob is simply the bytes of the encrypted data using des3_cbc_pad?	15:18
*** stanzi has quit IRC		15:18
rellerreller	alee_ So there are two blobs. One is the request (from client to server) that contains symmetric key and IV. The other is the response and this contains the encrypted data. Correct?	15:19
alee_	well the blob consists of an asn1 structure that includes 1) the wrapped session key 2) the data wrapped with the session key 3) wrapping parameters like the IV	15:19
rellerreller	Can you point me to documentation on those structures and the encoding?	15:20
alee_	rellerreller, yeah -- getting the rfc up -- it will be whats in crmf	15:21
alee_	rellerreller, http://tools.ietf.org/html/rfc2511 section 6.4 (Archive Options Control()	15:21
*** JeffF has joined #openstack-barbican		15:21
rellerreller	alee_ Thanks!	15:22
alee_	rellerreller, btw - please review the cert api spec I put up yesterday as well as some of the cert ones already out there.	15:23
alee_	rellerreller, would like to start wrapping those up soon.	15:23
rellerreller	alee_ OK, that will be tough today. I will try for tomorrow or Friday.	15:24
alee_	sure thanks	15:28
*** rellerreller has quit IRC		16:01
*** liam_ has joined #openstack-barbican		16:04
*** liam_ is now known as Guest9691		16:04
*** Guest9691 has quit IRC		16:05
*** kebray has joined #openstack-barbican		16:08
*** dave-mccowan has quit IRC		16:12
*** atiwari has joined #openstack-barbican		16:15
*** dave-mccowan has joined #openstack-barbican		16:26
openstackgerrit	Merged openstack/barbican: Moved secret functional tests to data driven tests https://review.openstack.org/135089	16:31
*** ametts has joined #openstack-barbican		16:32
*** stanzi has joined #openstack-barbican		16:36
*** stanzi has quit IRC		16:37
*** stanzi has joined #openstack-barbican		16:37
*** stanzi has quit IRC		16:45
*** gyee has joined #openstack-barbican		16:45
*** stanzi has joined #openstack-barbican		16:50
*** stanzi has quit IRC		16:53
*** jaosorior has quit IRC		16:53
*** stanzi has joined #openstack-barbican		16:53
openstackgerrit	Douglas Mendizábal proposed openstack/python-barbicanclient: Add Usage documentation https://review.openstack.org/135342	17:03
redrobot	pykmip is on its way to merging into global requirements :) https://review.openstack.org/#/c/114037/	17:04
*** stanzi has quit IRC		17:07
*** stanzi has joined #openstack-barbican		17:08
*** stanzi_ has joined #openstack-barbican		17:19
*** stanzi has quit IRC		17:22
*** stanzi has joined #openstack-barbican		17:26
*** stanzi_ has quit IRC		17:29
*** stanzi has quit IRC		17:30
*** stanzi has joined #openstack-barbican		17:31
*** stanzi has quit IRC		17:46
*** stanzi has joined #openstack-barbican		17:52
*** stanzi has quit IRC		17:54
*** stanzi has joined #openstack-barbican		17:55
*** stanzi_ has joined #openstack-barbican		17:56
*** stanzi has quit IRC		17:57
*** stanzi_ has quit IRC		17:57
*** stanzi has joined #openstack-barbican		17:57
*** stanzi_ has joined #openstack-barbican		17:59
*** stanzi has quit IRC		18:00
*** paul_glass has quit IRC		18:00
*** kebray has quit IRC		18:02
*** stanzi_ has quit IRC		18:09
*** stanzi has joined #openstack-barbican		18:10
*** stanzi_ has joined #openstack-barbican		18:11
*** stanzi has quit IRC		18:11
*** stanzi has joined #openstack-barbican		18:12
*** stanzi_ has quit IRC		18:12
*** stanzi has quit IRC		18:14
*** stanzi has joined #openstack-barbican		18:14
*** akoneru has quit IRC		18:18
*** stanzi has quit IRC		18:22
*** stanzi has joined #openstack-barbican		18:23
*** stanzi has quit IRC		18:24
*** stanzi has joined #openstack-barbican		18:25
*** jaosorior has joined #openstack-barbican		18:25
*** stanzi_ has joined #openstack-barbican		18:26
*** dave-mccowan has quit IRC		18:27
*** stanzi__ has joined #openstack-barbican		18:27
*** stanzi__ has quit IRC		18:28
*** stanzi__ has joined #openstack-barbican		18:28
*** stanzi has quit IRC		18:29
*** stanzi__ has quit IRC		18:29
*** stanzi has joined #openstack-barbican		18:29
*** stanzi_ has quit IRC		18:30
*** stanzi has quit IRC		18:30
*** stanzi has joined #openstack-barbican		18:31
*** stanzi has quit IRC		18:32
*** stanzi_ has joined #openstack-barbican		18:33
*** stanzi__ has joined #openstack-barbican		18:34
*** stanzi__ has quit IRC		18:34
*** stanzi__ has joined #openstack-barbican		18:35
*** stanzi_ has quit IRC		18:35
*** stanzi__ has quit IRC		18:35
*** stanzi has joined #openstack-barbican		18:36
*** david-lyle has joined #openstack-barbican		18:40
*** dave-mccowan has joined #openstack-barbican		18:41
*** dave-mccowan_ has joined #openstack-barbican		18:44
*** dave-mccowan has quit IRC		18:45
*** dave-mccowan_ is now known as dave-mccowan		18:45
*** stanzi has quit IRC		18:49
*** stanzi has joined #openstack-barbican		18:50
*** stanzi_ has joined #openstack-barbican		18:51
*** stanzi has quit IRC		18:51
*** stanzi has joined #openstack-barbican		18:52
*** stanzi_ has quit IRC		18:52
*** tdink has quit IRC		18:53
*** stanzi has quit IRC		18:53
*** stanzi_ has joined #openstack-barbican		18:54
*** stanzi_ has quit IRC		18:54
*** stanzi has joined #openstack-barbican		18:55
*** stanzi has quit IRC		18:56
*** stanzi has joined #openstack-barbican		18:56
*** tdink has joined #openstack-barbican		18:57
*** stanzi has quit IRC		18:57
*** stanzi has joined #openstack-barbican		18:57
*** stanzi has quit IRC		18:58
*** stanzi_ has joined #openstack-barbican		19:01
*** stanzi_ has quit IRC		19:02
*** stanzi_ has joined #openstack-barbican		19:02
*** stanzi_ has quit IRC		19:03
*** stanzi has joined #openstack-barbican		19:04
*** jorge_munoz has joined #openstack-barbican		19:04
*** paul_glass has joined #openstack-barbican		19:06
*** stanzi_ has joined #openstack-barbican		19:06
*** stanzi_ has quit IRC		19:07
*** tdink has quit IRC		19:07
*** stanzi has quit IRC		19:07
*** zz_dimtruck is now known as dimtruck		19:07
*** stanzi_ has joined #openstack-barbican		19:07
*** stanzi_ has quit IRC		19:08
*** stanzi has joined #openstack-barbican		19:09
*** stanzi has quit IRC		19:09
*** stanzi has joined #openstack-barbican		19:10
*** stanzi has quit IRC		19:11
*** stanzi has joined #openstack-barbican		19:11
*** stanzi has quit IRC		19:12
*** stanzi has joined #openstack-barbican		19:12
*** stanzi has quit IRC		19:13
*** stanzi has joined #openstack-barbican		19:13
*** stanzi has quit IRC		19:14
*** stanzi has joined #openstack-barbican		19:15
*** ryanpetrello_ has joined #openstack-barbican		19:15
*** stanzi_ has joined #openstack-barbican		19:16
*** dimtruck is now known as zz_dimtruck		19:17
*** kebray has joined #openstack-barbican		19:17
*** ryanpetrello has quit IRC		19:17
*** ryanpetrello_ is now known as ryanpetrello		19:17
*** stanzi__ has joined #openstack-barbican		19:17
*** stanzi_ has quit IRC		19:17
*** stanzi__ has quit IRC		19:18
*** stanzi has quit IRC		19:18
*** jorge_munoz has quit IRC		19:18
*** stanzi has joined #openstack-barbican		19:18
*** jorge_munoz has joined #openstack-barbican		19:19
*** stanzi has quit IRC		19:19
*** stanzi has joined #openstack-barbican		19:19
*** stanzi has quit IRC		19:20
*** stanzi has joined #openstack-barbican		19:21
*** stanzi has quit IRC		19:21
*** stanzi has joined #openstack-barbican		19:22
*** stanzi has quit IRC		19:23
*** stanzi has joined #openstack-barbican		19:23
*** stanzi has quit IRC		19:24
*** stanzi has joined #openstack-barbican		19:24
*** stanzi has quit IRC		19:25
*** stanzi_ has joined #openstack-barbican		19:25
*** stanzi_ has quit IRC		19:32
*** stanzi has joined #openstack-barbican		19:32
woodster_	atiwari, I responded to your comment on https://review.openstack.org/#/c/135158, please let me know if that is what you were referring to though....	19:33
*** zz_dimtruck is now known as dimtruck		19:38
jaosorior	woodster_: I commented on that spec, what do you think?	19:38
*** tdink has joined #openstack-barbican		19:39
atiwari	woodster_, thanks, I am good now.	19:39
*** paul_glass has quit IRC		19:40
woodster_	jaosorior, atiwari, redrobot, yeah I just workflow -1-ed that CR...questioning if we even need a Tenant entity anymore. If we will handle all access via access control lists on secrets/containers/orders, then why is a tenant association even needed?	19:41
*** JeffF has quit IRC		19:41
*** JeffF has joined #openstack-barbican		19:41
jaosorior	you have a point	19:42
jaosorior	but I guess it would depend on the implementation of the ACLs	19:42
*** kebray has quit IRC		19:43
*** paul_glass has joined #openstack-barbican		19:43
atiwari	woodster_, as suggested we can have the tenant_id (the woning one) in the ACL's default white list	19:43
*** kebray has joined #openstack-barbican		19:44
atiwari	that way we don't have to make any change in the secret model but we have to remove the tenant_id from Orders and Containers later.	19:45
*** rtom has joined #openstack-barbican		19:46
*** dimtruck is now known as zz_dimtruck		19:47
chellygel	alee_, im doing some research into this CMC stuff -- which CAs do you know that are accepting cmc?	19:51
chellygel	i know dogtag does, i have seen the docs	19:51
chellygel	windows -- also, right?	19:51
alee_	chellygel, yup	19:54
chellygel	any others?	19:55
alee_	chellygel, I would be very surprised if symantec didn't. certainly they support simple cmc -- which is just pkcs10	19:55
chellygel	i sent an email off to our contact there alee_ . i mean CSRs sure	19:55
alee_	chellygel, but you ave the api docs	19:55
chellygel	alee_, its not necessarily the source of truth for everything	19:56
*** darrenmoffat has quit IRC		19:56
*** darrenmoffat has joined #openstack-barbican		19:56
chellygel	even the API only expects the CSR	19:56
alee_	well that will get you most of the way	19:59
chellygel	so a CSR is required for part of the CMC? alee_ ?	20:06
chellygel	or is there something in addition to that?	20:06
alee_	chellygel, simple cmc is the same as a PKCS10 Certfication Request	20:08
alee_	(which is a CSR)	20:08
alee_	chellygel, https://tools.ietf.org/html/rfc5272#section-3.2 for specification of a full cmc request	20:09
*** david-lyle is now known as david-lyle_afk		20:10
*** stanzi has quit IRC		20:13
*** jorge_munoz has quit IRC		20:16
*** jorge_munoz has joined #openstack-barbican		20:18
woodster_	atiwari, jaosorior, agreed about the tenant_id in the white list by default	20:23
openstackgerrit	Merged openstack/python-barbicanclient: Add Usage documentation https://review.openstack.org/135342	20:34
rm_work	reaperhulk: hey, at some point I'd like to walk through our LBaaS TLS security workflow with you -- need some feedback from people with good security experience	20:35
reaperhulk	rm_work: I can give you time tomorrow, how does 2pm central sound?	20:38
reaperhulk	that comma should be a semicolon or somethin'	20:38
rm_work	reaperhulk: heh, should work, are you going to be at the castle?	20:46
reaperhulk	No I am on an island, but we can hop on vidyo if you'd like	20:46
rm_work	heh	20:46
reaperhulk	otherwise we can just talk it through on IRC	20:46
rm_work	was wondering if you were currently off galavanting about	20:47
rm_work	I have some diagrams, IRC should be ok I think	20:47
reaperhulk	okay, sounds good	20:51
rm_work	reaperhulk: sent you a meeting invite so I don't lose track of it :)	21:11
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/135243	21:11
*** tdink has quit IRC		21:23
*** paul_glass has quit IRC		21:24
*** tdink has joined #openstack-barbican		21:25
*** jorge_munoz has quit IRC		21:25
*** gyee has quit IRC		21:26
*** jorge_munoz has joined #openstack-barbican		21:26
openstackgerrit	Steve Heyman proposed openstack/barbican-specs: Add spec to support running functional tests as different users https://review.openstack.org/135724	21:32
*** paul_glass has joined #openstack-barbican		21:36
hockeynut	quick link to the pretty version of the spec: http://docs-draft.openstack.org/24/135724/1/check/gate-barbican-specs-docs/3b51073/doc/build/html/specs/kilo/add-run-as-for-functional-tests.html	21:42
*** jamielennox\|away is now known as jamielennox		21:54
*** paul_glass has quit IRC		21:58
rm_work	hockeynut: wait what is that site	21:59
rm_work	how did you get that link	21:59
redrobot	rm_work you can click through on the "docs" job in Gerrit to go to the generated html	21:59
redrobot	rm_work works on a lot of stuff.	21:59
hockeynut	just followed the link to the built docs from the job	21:59
rm_work	ah	22:00
rm_work	ok	22:00
redrobot	rm_work approved specs end up here: http://specs.openstack.org/openstack/barbican-specs/	22:00
rm_work	because we built docs.octavia.io	22:00
rm_work	which apparently is the exact same thing	22:00
rm_work	because we wanted that	22:00
redrobot	rm_work weird.... infra has a lot of stuff in place for docs	22:00
rm_work	we don't have a docs gate job though T_T	22:00
redrobot	rm_work http://docs.openstack.org/developer/barbican/ for example	22:01
rm_work	yeah we wanted docs that were still in review	22:01
rm_work	which it looks like that does	22:01
redrobot	rm_work I just added the jobs for python-barbicanclient yesterday. https://review.openstack.org/#/c/135449/	22:01
*** rtom has quit IRC		22:07
*** openstackgerrit has quit IRC		22:10
*** openstackgerrit has joined #openstack-barbican		22:10
openstackgerrit	Douglas Mendizábal proposed openstack/barbican-specs: Remove Kilo placeholder file https://review.openstack.org/135744	22:18
*** ryanpetrello has quit IRC		22:39
*** david-lyle_afk is now known as david-lyle		22:50
*** tdink has quit IRC		22:51
*** tdink has joined #openstack-barbican		22:53
*** hockeynut_ has joined #openstack-barbican		22:56
*** hockeynut_ has quit IRC		23:01
*** tdink has quit IRC		23:02
openstackgerrit	Merged openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/135243	23:06
*** jaosorior has quit IRC		23:33
*** tdink_ has joined #openstack-barbican		23:35
openstackgerrit	Douglas Mendizábal proposed openstack/barbican-specs: Introduce the concept of an Active SecretStore https://review.openstack.org/135779	23:37
*** kebray has quit IRC		23:39
*** kebray has joined #openstack-barbican		23:39
*** tdink_ has quit IRC		23:46
*** tdink_ has joined #openstack-barbican		23:51
*** atiwari has quit IRC		23:55
openstackgerrit	Douglas Mendizábal proposed openstack/barbican-specs: Introduce the concept of an Active SecretStore https://review.openstack.org/135779	23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!