Monday, 2014-12-01

« Sunday, 2014-11-30 Index Tuesday, 2014-12-02 »
*** ryanpetrello has quit IRC00:13
*** woodster_ has quit IRC01:30
*** woodster_ has joined #openstack-barbican01:44
*** ryanpetrello has joined #openstack-barbican02:17
*** kebray has joined #openstack-barbican02:32
*** kebray has quit IRC02:41
*** ryanpetrello has quit IRC04:28
*** gnuoy has quit IRC05:00
*** usimha has joined #openstack-barbican05:43
*** usimha has quit IRC06:56
*** jamielennox is now known as jamielennox|away06:59
*** usimha has joined #openstack-barbican07:14
*** woodster_ has quit IRC09:00
*** openstackgerrit has quit IRC09:50
*** openstackgerrit has joined #openstack-barbican09:50
*** nkinder has quit IRC10:21
*** usimha has quit IRC11:40
*** usimha has joined #openstack-barbican11:40
*** ryanpetrello has joined #openstack-barbican12:40
*** ayoung has joined #openstack-barbican12:59
*** woodster_ has joined #openstack-barbican13:28
*** usimha has quit IRC13:38
*** usimha has joined #openstack-barbican13:47
*** jaosorior has joined #openstack-barbican14:12
*** alee has joined #openstack-barbican14:27
*** ametts has joined #openstack-barbican14:38
*** dave-mccowan has joined #openstack-barbican14:49
*** SheenaG1 has joined #openstack-barbican14:57
*** ryanpetrello has quit IRC15:02
openstackgerritThomas Dinkjian proposed openstack/barbican: Added smoke tests for consumers  https://review.openstack.org/13685915:12
*** ryanpetrello has joined #openstack-barbican15:15
openstackgerritThomas Dinkjian proposed openstack/barbican: Add functional tests for order  https://review.openstack.org/13615515:24
*** kgriffs|afk is now known as kgriffs15:36
*** woodster_ has quit IRC15:40
*** zz_dimtruck is now known as dimtruck15:41
*** jorge_munoz has joined #openstack-barbican15:45
*** rtom has joined #openstack-barbican15:51
*** paul_glass has joined #openstack-barbican15:51
*** JeffF has joined #openstack-barbican15:57
redrobotusimha hi, did you ever get your questions answered?15:57
*** atiwari has joined #openstack-barbican16:01
usimharedrobot: Yes, it did :)16:25
reaperhulkdstufft you awake? standup time16:33
*** usimha has quit IRC16:35
*** usimha has joined #openstack-barbican16:35
*** ryanpetrello_ has joined #openstack-barbican16:41
*** woodster_ has joined #openstack-barbican16:42
*** ryanpetrello has quit IRC16:43
*** ryanpetrello_ is now known as ryanpetrello16:43
*** atiwari has quit IRC16:43
openstackgerritMerged openstack/barbican-specs: Add Version Responses Consistent with Openstack  https://review.openstack.org/12580516:50
*** bubbva has joined #openstack-barbican17:35
*** codekobe_ is now known as codekobe17:41
*** jaosorior has quit IRC17:53
*** dave-mccowan has quit IRC17:58
*** rellerreller has joined #openstack-barbican18:14
*** gyee_ has joined #openstack-barbican18:17
*** bdpayne has joined #openstack-barbican18:18
*** tkelsey has joined #openstack-barbican18:25
*** dave-mccowan has joined #openstack-barbican18:27
*** gyee_ has quit IRC18:39
*** paul_glass has quit IRC18:42
*** gyee_ has joined #openstack-barbican18:42
*** tkelsey has quit IRC18:45
*** tkelsey has joined #openstack-barbican18:55
*** tkelsey has quit IRC19:00
*** kebray has joined #openstack-barbican19:09
*** paul_glass has joined #openstack-barbican19:11
*** tkelsey has joined #openstack-barbican19:15
*** atiwari has joined #openstack-barbican19:17
*** atiwari has quit IRC19:18
*** SheenaG1 has quit IRC19:21
*** rtom has quit IRC19:30
*** atiwari has joined #openstack-barbican19:36
*** SheenaG1 has joined #openstack-barbican19:48
*** SheenaG1 has quit IRC19:54
redrobotWeekly meeting starts in 5 minutes on #openstack-meeting-alt19:55
*** SheenaG1 has joined #openstack-barbican19:57
*** jaosorior has joined #openstack-barbican19:59
jaosorioris the meeting now or in an hour?19:59
redrobotjaosorior now19:59
jaosoriorthanks20:00
redrobotjaosorior I can send you an Outlook invite with the UTC time if it'll help :)20:00
*** rtom has joined #openstack-barbican20:02
*** hyakuhei has joined #openstack-barbican20:03
*** darrenmoffat has quit IRC20:08
*** kebray has quit IRC20:09
*** darrenmoffat has joined #openstack-barbican20:09
*** kebray has joined #openstack-barbican20:09
*** SheenaG1 has quit IRC20:31
*** SheenaG1 has joined #openstack-barbican20:32
*** SheenaG11 has joined #openstack-barbican20:34
*** kebray has quit IRC20:35
openstackgerritThomas Dinkjian proposed openstack/barbican: Add functional tests for order  https://review.openstack.org/13615520:36
*** SheenaG1 has quit IRC20:36
*** usimha has quit IRC20:37
hyakuheialee, reaperhulk - you guys around?20:53
*** kaitlin-farr has joined #openstack-barbican20:53
aleehyakuhei, yup20:53
hyakuheiWanted to borrow some of your smarts for a minute20:53
hyakuheiIt's anchor related, can I discuss that here or should we bounce to #openstack-security ?20:54
hyakuheiActually, it's kinda relevant to Barbican too, regarding certificate orders20:54
rm_workoo20:54
hyakuheiWe built anchor so that X.509v3 extensions come through in the CSR20:55
hyakuheirather than say, out of bound20:55
hyakuheiwhich is what spawned our requirement to patch m2crypto20:55
hyakuheiI know that _most_ other PKI systems don't do this. You provide the basic CSR and either ask for a specific 'profile' or provide extensions separately in the request (as with ADCS)20:56
reaperhulkI'm here20:56
hyakuheiI'm not sure which mode of operation we should support for this in Anchor moving forward. I like have everything in the CSR but I can see advantages in going the other way20:56
hyakuheiIf for no other reason that various certificate requesting *things* might be more likely to support that20:57
jaosoriorredrobot: sure20:57
hyakuheiHey reaperhulk: Basically, we _can_ put v3 extensions in CSR but should we?20:57
reaperhulkIf you're capable of trusting the CSR not to have something malicious (or you whitelist the set of acceptable extensions) that's an acceptable model IMO20:57
hyakuheiIt's where we've gone thus far20:58
reaperhulkHistorically the reason CAs stopped accepting extensions in the CSR was they got caught with their pants down blindly copying basicConstraints=CA:TRUE20:58
hyakuheiYeah an extension whitelist makes sense20:58
hyakuheiWe have some explicit rules to check things20:58
hyakuheiWe should be able to do per-group/domain rules too20:58
*** atiwari has quit IRC20:59
hyakuheiNot sure if certificate orders would be affected by this, have you discussed how extensions will be handled?20:59
reaperhulkI guess the question after that is, does the added flexibility of "per CSR extensions" really buy you much? Could you just define a set of profiles and just apply the rules against those? If so you simplify your code paths at the cost of needing some small structure to the request20:59
hyakuheiIn our system it's useful because the client doesn't really have a 'conversation' with the CA21:00
hyakuheiie to query whats available etc21:00
hyakuheiSo we like just firing a CSR at it21:00
aleehyakuhei, I had put together a proposed BP for the interface .. https://review.openstack.org/#/c/135490/21:01
hyakuheiI suppose more widely, Barbican is kinda bound by what CA's are doing and needs to take the extensions in metadata21:01
reaperhulkhyakuhei: I don't believe we've discussed handling extensions explicitly, but in barbican you'd select your CA so that plugin could do whatever it wants to do :)21:01
aleehyakuhei, and was thinking that the extensions would be in the csr.21:02
reaperhulkhyakuhei: Yes, although the actual APIs for that are under active discussion right now and alee is far more knowledgeable about that than I am21:02
hyakuheiYeah but you kinda need to be able to tell your client _how_ it should be providing the bits you want21:02
alee(or as part of the cmc request)21:02
hyakuheiI presume all CA plugins will have the same client facing contract21:02
*** crc32 has joined #openstack-barbican21:03
aleehyakuhei, right21:03
hyakuheiI'm ok with however it works in Barbican, just keeping a mind that I want Anchor to slot in behind Barbican easily21:03
hyakuheiAs I think it could work nicely as the testing/snakeoil CA21:03
aleehyakuhei, in the proposed BP, the client would interface wth barbican using cmc21:03
reaperhulkand CMC's base case is PKCS10 :)21:03
aleeyup21:03
reaperhulkso a CSR with embedded extensions is perfect for that21:04
rm_workhyakuhei: yeah, that is exactly what we need21:04
hyakuheialee: know any clients that talk CMC ?21:04
rm_workwell, something halfway between "snakeoil" and "fully authed"21:04
hyakuheirm_work: sure21:04
hyakuheiI was being breif21:04
rm_workyeah :P21:04
rm_workI assume it would serve that purpose well21:04
aleehyakuhei, well -- we'll have the barbican-client :)21:04
aleeonce we write it21:04
hyakuheipfft21:05
hyakuheivaporware :P21:05
aleeand of course, the base case in pkcs1021:05
hyakuheiI'll go poke  CertMonger21:05
aleehyakuhei, its not there yet --- but if we decide to go this way - it will be.21:05
hyakuheiInteresting21:06
aleehyakuhei, my goal is to make things easy to interfce with barbican using certmonger21:06
hyakuheiSo we have Certmonger working with Anchor today through some extension work that someone else wrote21:06
hyakuheiWhich we could easily turn into a CA plugin for Barbican21:06
hyakuheis/could/would/21:07
aleesounds interesting21:07
hyakuheiYeah I think I'm happiest with that.21:07
hyakuheiI was pondering having Anchor use the same API but I don't think there's any benefit. If someone is using Barbican client I'd rather they route their requests to Anchor via Barbican anyway21:08
aleehyakuhei, I think the idea in general would be certmonger -> barbican -> dogtag/anchor21:09
hyakuheiWell that's just peachy21:09
aleeor barbican-client -> barbican -> dogtag/anchor21:09
rm_workyeah, we'd want the latter21:11
*** kebray has joined #openstack-barbican21:13
hyakuheiI wonder how hard CertMonger->Barbican-Client-->Barbican-->DogTag/Anchor would be21:14
* hyakuhei just thinking out loud21:14
*** dave-mccowan_ has joined #openstack-barbican21:20
aleehyakuhei, yeah - thought about that -- not sure I see the point though ..21:20
rm_worklol21:20
hyakuheiwell, Certmonger does nice lifecycle management stuff21:22
hyakuhei'oh your certificate is about to expire, let me fix that for you'21:22
hyakuheiOh I see21:22
rm_workyeah we do not want that :P21:23
rm_workour certificates will have no lifecycle21:23
hyakuheiso yeah, I can see why if there's a CMC API it's possible that Certmonger->Barbican and BarbicanClient->Barbican could happily both exist21:23
*** atiwari has joined #openstack-barbican21:26
*** dave-mccowan has quit IRC21:35
*** russellb has quit IRC21:35
*** tdink has quit IRC21:35
*** dave-mccowan_ is now known as dave-mccowan21:35
*** atiwari has quit IRC21:37
*** tkelsey has quit IRC21:40
*** kebray has quit IRC22:07
*** kebray has joined #openstack-barbican22:16
*** tdink has joined #openstack-barbican22:29
*** jamielennox|away is now known as jamielennox22:32
*** ryanpetrello has quit IRC22:36
*** ryanpetrello has joined #openstack-barbican22:36
*** ryanpetrello has quit IRC22:42
openstackgerritJeff Fischer proposed openstack/barbican: initial commit for DigiCert Barbican plugin.  https://review.openstack.org/13819922:43
*** paul_glass has quit IRC22:48
*** rm_you| has quit IRC22:48
*** rm_you| has joined #openstack-barbican22:49
*** rellerreller has quit IRC22:50
*** ryanpetrello has joined #openstack-barbican22:57
*** ryanpetrello_ has joined #openstack-barbican23:02
*** dimtruck is now known as zz_dimtruck23:03
*** ryanpetrello has quit IRC23:04
*** ryanpetrello_ is now known as ryanpetrello23:04
*** jaosorior has quit IRC23:13
*** rtom has quit IRC23:34
openstackgerritDouglas Mendizábal proposed openstack/barbican-specs: Introduce the concept of an Active SecretStore  https://review.openstack.org/13577923:59
« Sunday, 2014-11-30 Index Tuesday, 2014-12-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!