Wednesday, 2014-12-17

openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Use project in test related files https://review.openstack.org/142262	00:09
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Use 'project' in test related files https://review.openstack.org/142262	00:10
jaosorior	damn, it has been a productive day :D	00:12
woodster_	greghaynes: The file syncing approach won't work for multiple API nodes which is how we plan to deploy. The timestamp approach isn't great either though as you mentioned. Could you derive the cert serial number from the order_id somehow, like extracting only decimals from the UUID :) ? It has to be an integer only from what I've seen, and the order_id is	00:12
woodster_	guaranteed to be unique across API nodes.	00:12
woodster_	jaosorior, no kidding...you need to spend a few more weeks down there!	00:13
jaosorior	hahaha, funnily enough, I happen to code really well while talking to my family at the same time and even cooking a little bit :P	00:14
jaosorior	aaah dude, I just ate some awesome tamales	00:17
greghaynes	woodster_: so, if being distributed is a requirement for this plugin I think just genning a UUID is easy enough	00:18
greghaynes	I think you get 20bytes for serial so more than enough space	00:18
woodster_	that would work...you just have to parse it to an integer I think...I think it stores as a biginteger under the hood	00:19
greghaynes	well theres a bunch of variants but its actually not hard to get the binary representation	00:20
woodster_	I was thinking it could be convenient to derive from the order_id UUID, so we can correlate a cert to the order used to create it, but that coupling is not necessary.	00:20
woodster_	jaosorior, that real Mexican food, not the tex mex stuff we have around here :)	00:21
greghaynes	oh, I didnt realise order_id's were uuids	00:21
greghaynes	that is exactly what I should do then	00:21
woodster_	although my mother in law makes the best tamales I've ever eaten	00:21
jaosorior	niiiiiice	00:22
woodster_	greghaynes, well, order_id's are the PK of the order table, currently UUIDs unless folks think otherwise.	00:22
greghaynes	oh, so if thats changeable then probably not a good idea	00:22
greghaynes	We wont be able to guarantee both uniqueness and size	00:23
woodster_	yeah, so probably better not to couple the concerns there, and have an independent UUID	00:23
greghaynes	looks like the raw bytes format for uuid is 16bytes so \O/	00:23
woodster_	nice!	00:24
openstackgerrit	greghaynes proposed openstack/barbican-specs: Snakeoil CA https://review.openstack.org/141981	00:26
*** bdpayne has quit IRC		00:31
*** bdpayne has joined #openstack-barbican		00:31
greghaynes	oh, its 20 octets, not 20 bytes	00:33
greghaynes	oh, brain derp, bytes are octets	00:33
rm_work	:P	00:48
greghaynes	for some reason I was thining octets meant the half of byte space ascii uses ;)	00:49
*** stanzi has joined #openstack-barbican		00:59
*** Stanzi_ has joined #openstack-barbican		00:59
*** rm_work is now known as rm_work\|away		01:05
openstackgerrit	greghaynes proposed openstack/barbican: Create snakeoil certificate plugin https://review.openstack.org/140575	01:07
*** bdpayne has quit IRC		01:07
*** Stanzi_ has quit IRC		01:21
*** stanzi has quit IRC		01:21
*** Stanzi_ has joined #openstack-barbican		01:21
*** stanzi has joined #openstack-barbican		01:21
*** bdpayne has joined #openstack-barbican		01:25
*** Stanzi_ has quit IRC		01:26
*** stanzi has quit IRC		01:26
jaosorior	anybody around that knows about the devstack-dsvm test?	01:32
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Use 'project' in test related files https://review.openstack.org/142262	01:44
woodster_	hockeynut might know...are you seeing issues with your functional test?	01:44
jaosorior	yup	01:45
jaosorior	well, the changes I added in the last CR	01:45
jaosorior	http://logs.openstack.org/62/142262/2/check//gate-barbican-devstack-dsvm/2ba049b/console.html	01:46
jaosorior	I thought changing this etc/dev_tempest.conf would do the trick	01:46
*** bdpayne has quit IRC		01:46
jaosorior	but apparently not	01:49
*** gyee has quit IRC		01:57
*** Stanzi has joined #openstack-barbican		02:13
*** stanzi_ has joined #openstack-barbican		02:13
*** stanzi_ has quit IRC		02:18
*** Stanzi has quit IRC		02:18
*** ajc___ has joined #openstack-barbican		02:19
*** bdpayne has joined #openstack-barbican		02:21
*** crc32 has joined #openstack-barbican		02:33
*** bdpayne has quit IRC		02:35
*** zz_dimtruck is now known as dimtruck		02:50
woodster_	What set the SERVICE_TENANT_NAME env variable?	03:07
woodster_	jaosorior: ^^	03:07
*** bdpayne has joined #openstack-barbican		03:09
*** Stanzi has joined #openstack-barbican		03:13
*** stanzi_ has joined #openstack-barbican		03:13
*** Stanzi has quit IRC		03:33
*** stanzi_ has quit IRC		03:33
*** stanzi_ has joined #openstack-barbican		03:34
*** Stanzi has joined #openstack-barbican		03:34
*** lisa1 has joined #openstack-barbican		03:35
*** stanzi_ has quit IRC		03:38
*** Stanzi has quit IRC		03:38
*** ryanpetrello has quit IRC		03:39
*** lisa1 has quit IRC		03:40
openstackgerrit	Ade Lee proposed openstack/barbican: Second commit for Common Cert API https://review.openstack.org/142212	03:47
*** dimtruck is now known as zz_dimtruck		04:03
*** stanzi_ has joined #openstack-barbican		04:04
*** Stanzi has joined #openstack-barbican		04:04
*** stanzi_ has quit IRC		04:13
*** Stanzi has quit IRC		04:13
*** zz_dimtruck is now known as dimtruck		04:28
*** ryanpetrello has joined #openstack-barbican		04:36
*** dimtruck is now known as zz_dimtruck		04:43
*** Stanzi_ has joined #openstack-barbican		05:08
*** stanzi has joined #openstack-barbican		05:08
*** ryanpetrello has quit IRC		05:22
greghaynes	alee: Do we have any type of versioning on the orders api?	05:31
woodster_	greghaynes do you mean api versioning? We do have 'v1' in the URI if that's what you mean?	05:38
greghaynes	Yep, thanks	05:39
*** crc32 has quit IRC		05:40
*** jaosorior has quit IRC		05:43
*** Stanzi_ has quit IRC		05:48
*** stanzi has quit IRC		05:48
*** Stanzi_ has joined #openstack-barbican		05:49
*** stanzi has joined #openstack-barbican		05:49
*** Stanzi_ has quit IRC		05:54
*** stanzi has quit IRC		05:54
greghaynes	alee: Sorry, but while reviewing your patches I realised a much better reason we should not be interpreting and validating based on properties in the orders meta field	06:38
greghaynes	commented https://review.openstack.org/#/c/142209/	06:38
greghaynes	Basically - its a public API breaking change	06:39
*** rm_work\|away is now known as rm_work		06:43
* greghaynes wonders if any thought has been given to using wsme for defining api's		07:08
*** ryanpetrello has joined #openstack-barbican		07:08
greghaynes	I think it would do wonders for consistency and not having a lot of repeating procedural code	07:09
greghaynes	alee: so I see why we dont like adding root level properties - the orders API is abstracted across multiple interfaces	07:12
*** ryanpetrello has quit IRC		07:13
greghaynes	alee: I think long term this is best done as an API change where we actually expose different order types as different types, but maybe a fix for this api version is we can make a note that "meta fields which begin with underscore are reserved for barbican-core"	07:14
greghaynes	and then call the field _request_type	07:15
*** rm_work is now known as rm_work\|away		07:20
*** ajc___ has quit IRC		07:58
*** bdpayne has quit IRC		08:07
*** bdpayne has joined #openstack-barbican		08:09
*** woodster_ has quit IRC		08:20
*** ryanpetrello has joined #openstack-barbican		08:57
*** ajc___ has joined #openstack-barbican		09:01
*** ryanpetrello has quit IRC		09:01
*** bdpayne has quit IRC		09:06
*** ajc___ has quit IRC		09:38
*** stanzi_ has joined #openstack-barbican		09:49
*** Stanzi has joined #openstack-barbican		09:49
*** stanzi_ has quit IRC		09:53
*** Stanzi has quit IRC		09:53
*** jamielennox is now known as jamielennox\|away		10:04
*** darrenmoffat has quit IRC		10:19
*** darrenmoffat has joined #openstack-barbican		10:19
*** jamielennox\|away is now known as jamielennox		10:21
*** ajc_ has joined #openstack-barbican		10:23
*** ryanpetrello has joined #openstack-barbican		10:46
*** jamielennox is now known as jamielennox\|away		10:51
*** ryanpetrello has quit IRC		10:51
*** ajc_ has quit IRC		11:37
*** ajc_ has joined #openstack-barbican		11:38
*** ajc_ has quit IRC		11:58
*** ajc_ has joined #openstack-barbican		11:59
*** ajc_ has quit IRC		12:23
*** jorge_munoz has quit IRC		12:29
*** jorge_munoz has joined #openstack-barbican		12:30
*** thiagop has left #openstack-barbican		12:33
*** ryanpetrello has joined #openstack-barbican		12:35
*** ryanpetrello has quit IRC		12:39
*** woodster_ has joined #openstack-barbican		13:07
hyakuhei	redrobot: Ping me when you're around?	13:23
reaperhulk	yeah redrobot wake up ;)	13:25
hyakuhei	reaperhulk: I need to talk to you too!	13:31
reaperhulk	hyakuhei: well here I am ;)	13:31
reaperhulk	what's up?	13:31
hyakuhei	tkelsey has done a bunch of work making Anchor work with Pycryptography	13:31
hyakuhei	That involved a few changes to anchor and a few additional bindings in pycryptography	13:32
hyakuhei	https://github.com/callidus/cryptography/commit/32a08adbca588aaae2ed4cf9ca92af224517a8ed	13:32
hyakuhei	^ missing bindings	13:32
reaperhulk	Okay I'm going to steal those for a PR momentarily	13:33
reaperhulk	Because we're going to probably do a release of cryptography in the next 3 days.	13:33
hyakuhei	Tim is sat next to me	13:33
hyakuhei	He's making that a PR now :)	13:34
reaperhulk	Perfect :D	13:34
hyakuhei	So that's cool and Anchor is working with pycryptography	13:34
hyakuhei	but.	13:34
hyakuhei	pycryptography isn't in the global reqs yet.	13:34
reaperhulk	it sure is :)	13:34
hyakuhei	it is?	13:34
reaperhulk	https://github.com/openstack/requirements/blob/master/global-requirements.txt#L14	13:35
hyakuhei	bare with me one second while I beat tkelset	13:35
hyakuhei	where is it hiding? http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt	13:35
*** tkelsey has joined #openstack-barbican		13:36
reaperhulk	line 14	13:36
hyakuhei	god damnit	13:37
hyakuhei	When I rule the world the first thing I'll do is establish a schema for python library naming	13:37
tkelsey	hyakuhei: +1 :)	13:37
reaperhulk	If it makes you feel better we regret our name	13:37
reaperhulk	That's why we call it "pyca/cryptography" most of the time	13:37
reaperhulk	Which is really just the org/repo name from github, heh	13:38
hyakuhei	ok cool, so we were considereding a move to the not so great PyOpenSSL but seeing as this is in the reqs we just need you to make sure your happy with Tim's PR and punt the version I guess	13:38
reaperhulk	Yep, as soon as tkelsey puts it up we'll let jenkins+travis go at it and assuming it passes we can merge today	13:38
hyakuhei	How exciting	13:39
tkelsey	reaperhulk: awesome, im just githubbing now :)	13:39
reaperhulk	And then it will be in the 0.7 release that will go out once the initial X509 support (way, way too prelim for your uses) lands	13:39
hyakuhei	Yeah	13:40
hyakuhei	So currently we're using bindings and doing lots of the data munging in Anchor	13:40
hyakuhei	as X509 support improves in pyca we'll refactor to use that	13:40
reaperhulk	Sounds good. I'll be spending more time on X509 in the next release, but I've also got symmetric key references and improved serialization on deck so I'm not sure what will be tackled first	13:42
reaperhulk	(symmetric key references would allow me to build a PKCS11 backend for pyca/cryptography and simplify the barbican pkcs11 plugin dramatically)	13:43
hyakuhei	Stupid pkcs11. KMIP is where it's at man.	13:48
reaperhulk	I'm happy to have someone write a KMIP backend using pykmip :)	13:49
hyakuhei	pykmip needs more kmip first ;)	13:49
tkelsey	reaperhulk: pull request created	13:52
reaperhulk	tkelsey: looking at it now (we should probably take this to #cryptography-dev though)	13:55
* hyakuhei will be away for a while. Thanks reaperhulk		13:55
tkelsey	reaperhulk: cool :) jumping over now	13:55
*** lisa2 has joined #openstack-barbican		14:25
*** lisa2 has quit IRC		14:30
*** lisaclark has joined #openstack-barbican		14:59
*** SheenaG1 has joined #openstack-barbican		15:04
*** ayoung has joined #openstack-barbican		15:11
*** lisa2 has joined #openstack-barbican		15:20
*** lisa2 has quit IRC		15:24
*** lisaclark1 has joined #openstack-barbican		15:46
*** lisaclark1 has quit IRC		15:47
*** lisaclark1 has joined #openstack-barbican		15:47
*** miqui_ has joined #openstack-barbican		15:48
*** lisaclark has quit IRC		15:49
SheenaG1	alee: ping	16:11
*** kgriffs\|afk is now known as kgriffs		16:13
*** stanzi_ has joined #openstack-barbican		16:14
*** Stanzi has joined #openstack-barbican		16:14
*** Stanzi has quit IRC		16:20
*** stanzi_ has quit IRC		16:20
*** Stanzi has joined #openstack-barbican		16:21
*** stanzi_ has joined #openstack-barbican		16:21
alee	SheenaG1, pong	16:23
alee	greghaynes, thanks for comments -- I'm going to wait for comments from woodster and others before addressing	16:23
*** Stanzi__ has joined #openstack-barbican		16:23
*** stanzi___ has joined #openstack-barbican		16:23
SheenaG1	alee: I got some information about hotels - would be happy to share, but they aren't downtown proper. I'm also going to look into booking a block of rooms at a hotel that's closer, but have to wait until after the start of the year to do that	16:24
SheenaG1	alee: not sure how quickly you need to book	16:24
SheenaG1	alee: the ones we have deals with could be challenging in the morning with traffic if you're taxi-ing	16:24
alee	woodster_, chellygel , redrobot - review please :)	16:25
*** stanzi_ has quit IRC		16:25
alee	SheenaG1, I just need to price it out (or have a rough estimate)	16:25
alee	SheenaG1, not having to taxi in would definitely be preferable.	16:26
*** Stanzi has quit IRC		16:26
alee	(and not having to have a car either)	16:26
SheenaG1	alee: let me keep digging then	16:26
SheenaG1	alee: just got another lead on potentially some closer	16:26
alee	SheenaG1, so if you have a rough idea of price, that would be sufficient for now.	16:26
SheenaG1	alee: I don't if we're aiming for downtown, will keep working on it	16:27
alee	SheenaG1, thanks :)	16:27
*** stanzi___ has quit IRC		16:35
*** Stanzi__ has quit IRC		16:35
*** Stanzi has joined #openstack-barbican		16:36
*** stanzi_ has joined #openstack-barbican		16:36
*** stanzi_ has quit IRC		16:36
*** Stanzi has quit IRC		16:36
*** stanzi_ has joined #openstack-barbican		16:36
*** Stanzi has joined #openstack-barbican		16:36
*** stanzi_ has quit IRC		16:41
*** Stanzi has quit IRC		16:41
*** paul_glass has joined #openstack-barbican		16:50
*** rm_work\|away is now known as rm_work		17:06
*** kebray has joined #openstack-barbican		17:08
*** gyee has joined #openstack-barbican		17:23
*** gyee has quit IRC		17:24
*** gyee has joined #openstack-barbican		17:25
*** rellerreller has joined #openstack-barbican		17:28
*** crc32 has joined #openstack-barbican		17:41
*** tkelsey has quit IRC		17:44
*** lisaclark1 has quit IRC		17:49
*** ryanpetrello has joined #openstack-barbican		17:56
*** bdpayne has joined #openstack-barbican		18:01
*** lisa2 has joined #openstack-barbican		18:02
*** lisa2 has quit IRC		18:07
*** kebray has quit IRC		18:08
SheenaG1	woodster_: ping	18:10
*** kebray has joined #openstack-barbican		18:25
*** bdpayne has quit IRC		18:25
*** ryanpetrello has quit IRC		18:31
*** paul_glass has quit IRC		18:35
woodster_	SheenaG1, howdy	18:39
*** stanzi has joined #openstack-barbican		18:42
*** Stanzi_ has joined #openstack-barbican		18:42
*** kebray has quit IRC		18:44
*** ryanpetrello has joined #openstack-barbican		18:50
*** lisa1 has joined #openstack-barbican		18:57
*** kgriffs is now known as kgriffs\|afk		18:58
*** gyee has quit IRC		19:00
*** lisa1 has quit IRC		19:01
*** bdpayne has joined #openstack-barbican		19:03
*** rellerreller has quit IRC		19:05
*** gyee has joined #openstack-barbican		19:06
*** paul_glass has joined #openstack-barbican		19:08
openstackgerrit	John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 2) https://review.openstack.org/140811	19:10
*** kebray has joined #openstack-barbican		19:12
*** kebray has quit IRC		19:13
*** kebray has joined #openstack-barbican		19:17
*** lisa1 has joined #openstack-barbican		19:51
greghaynes	Did an email ever get sent out about the sprint / signup?	19:55
*** lisa1 has quit IRC		19:56
greghaynes	ahoy, theres an eventbrite	19:56
greghaynes	aye, ends on day tripleo starts, that could make for an intense week	19:57
*** ametts has quit IRC		20:02
*** ryanpetrello has quit IRC		20:03
openstackgerrit	John Vrbanac proposed openstack/barbican: Setting the max secret bit_length size to be 32767 https://review.openstack.org/142568	20:11
*** Stanzi_ has quit IRC		20:13
*** stanzi has quit IRC		20:13
*** Stanzi_ has joined #openstack-barbican		20:13
*** stanzi has joined #openstack-barbican		20:13
*** Stanzi_ has quit IRC		20:18
*** stanzi has quit IRC		20:18
*** stanzi_ has joined #openstack-barbican		20:21
*** Stanzi has joined #openstack-barbican		20:21
*** lisa1 has joined #openstack-barbican		20:45
*** lisa1 has quit IRC		20:50
*** bdpayne has quit IRC		20:58
*** stanzi_ has quit IRC		21:05
*** Stanzi has quit IRC		21:05
*** Stanzi has joined #openstack-barbican		21:06
*** stanzi_ has joined #openstack-barbican		21:06
*** stanzi_ has quit IRC		21:10
*** Stanzi has quit IRC		21:10
*** Stanzi_ has joined #openstack-barbican		21:14
*** stanzi has joined #openstack-barbican		21:14
*** stanzi___ has joined #openstack-barbican		21:14
*** Stanzi__ has joined #openstack-barbican		21:14
*** Stanzi_ has quit IRC		21:18
*** stanzi has quit IRC		21:18
openstackgerrit	John Vrbanac proposed openstack/barbican: Setting the max secret bit_length size to be 32767 https://review.openstack.org/142568	22:07
SheenaG1	alee: ping	22:09
alee	SheenaG1, pong	22:09
SheenaG1	alee: I talked to the Omni about group rates, but their offer was literally $3.10 less than the going rate	22:09
SheenaG1	That's probably your best bet for budgeting, it's around $240/night + tax	22:10
alee	$3.10 ? woo hoo!	22:10
alee	SheenaG1, did you point out that their group rate was only $3.10 lower than the going rate?	22:11
reaperhulk	If you stay 1000 nights you save $3100	22:11
reaperhulk	you'd be crazy not to do it	22:12
SheenaG1	I have not started the haggling process - my guess is that they are offering that as a static rate as their "going" rate may increase when the event is closer	22:12
alee	reaperhulk, I'll only be spending a little short of a quarter mil to save that much :)	22:12
alee	SheenaG1, ok - I'll let the powers that be know -- our budgets may be a little more sparse than yours ..	22:14
SheenaG1	alee: let me know	22:14
reaperhulk	That sounds like a quality expense account	22:15
alee	reaperhulk, quality as in "quality inn" perhaps :)	22:15
alee	SheenaG1, will do.	22:16
*** ayoung is now known as ayoung_dreidl		22:18
*** SheenaG1 has quit IRC		22:23
*** Stanzi__ has quit IRC		22:30
*** stanzi___ has quit IRC		22:30
*** stanzi has joined #openstack-barbican		22:30
*** Stanzi_ has joined #openstack-barbican		22:30
alee	reaperhulk, are there any options yet in python-cryptography to generate a csr?	22:31
reaperhulk	alee: not yet, although the C bindings obviously can. I know hyakuhei has some interest in that being possible in cryptography as well	22:33
reaperhulk	We're releasing 0.7 tonight probably with a bunch of new stuff	22:33
alee	reaperhulk, you have some nifty and painfully ugly C binding code to do it anywheres?	22:33
*** Stanzi_ has quit IRC		22:35
*** stanzi has quit IRC		22:35
*** Stanzi_ has joined #openstack-barbican		22:36
*** stanzi has joined #openstack-barbican		22:36
*** jhfeng has joined #openstack-barbican		22:36
reaperhulk	not offhand but I could probably come up with some :)	22:37
reaperhulk	That ugly x509 stuff won't be required with 0.7 BTW	22:38
alee	reaperhulk, cool	22:38
alee	I'll be ready to rip it out of my in-progress patch	22:38
reaperhulk	https://raw.githubusercontent.com/pyca/cryptography/master/docs/x509.rst	22:39
reaperhulk	we'll just need to update cryptography to require 0.7	22:39
alee	reaperhulk, cool	22:41
alee	very nice -- everything I asked for last time :)	22:41
reaperhulk	Yep. That was the easy stuff. Extensions need to come next and they are a real pain	22:42
alee	reaperhulk, so - in order to create a csr , you need to have access to the private key, right?	22:42
reaperhulk	Yes, to sign the CSR (to prevent tampering in transit to the RA)	22:42
alee	because it presumably needs to be signed?	22:42
reaperhulk	Although in practice most CAs don't care about the CSR signature, hehe	22:43
alee	so .. hmm ..	22:43
alee	one of the use cases we thought about providing is the "stored-key" cert request mechanism	22:43
alee	(I'm assuming you read my spec so you know what I'm talking about here, right?)	22:44
alee	basically, barbican already has the public and private keys stored as secrets in containers	22:45
reaperhulk	I did! So yes, I do actually :D	22:45
greghaynes	alee: my snakeoil ca generates a csr via pyopenssl in tests	22:45
greghaynes	if youre looking for python c binding code to do that	22:45
alee	greghaynes, cool ..	22:46
reaperhulk	alee: pyopenssl uses cryptography's bindings so that's actually good sample code hehe :)	22:46
greghaynes	https://review.openstack.org/#/c/140575/12/barbican/tests/plugin/test_snakeoil_ca.py	22:47
reaperhulk	at least until we hoist that functionality up into our codebase	22:47
greghaynes	line 147	22:47
alee	reaperhulk, but what that means is that barbican-core will be generating the csr and sending it to the ca plugins	22:47
greghaynes	reaperhulk: Youre working on python-cryptography?	22:47
alee	which means that barbican-core needs to get the secrets for the public and private keys	22:47
reaperhulk	To do that in a valid fashion it needs access to the private key then (or else it needs to be able to send the hash of the DER CSR payload to an endpoint and get back a signature)	22:47
rm_work	https://github.com/stackforge/octavia/blob/master/octavia/tests/unit/certificates/generator/test_barbican.py too	22:47
reaperhulk	greghaynes: I'm one of the core developers	22:47
rm_work	(pyOpenSSL CSR example)	22:47
alee	rm_work, thanks ..	22:48
greghaynes	reaperhulk: Awesome. So what I read it seems like all the pubkey stuff is in hazmat?	22:48
reaperhulk	it is right now yes. we've got an internal debate going about how to get some more of these functions up out of the hazmat layer	22:48
greghaynes	nice, where do youall hang out?	22:48
alee	reaperhulk, so -- you don't have any problems with barbican-core having the private key in memeory?	22:49
reaperhulk	alee: I'd totally prefer it didn't (and in the case of the PKCS11/KMIP ones it literally can't)	22:49
reaperhulk	However, the PKCS11/KMIP backends could hypothetically support signing without having access to the key because those APIs have functions for signing bytes you send to them using a specified key handle	22:50
reaperhulk	We don't have anything in barbican to enable that though :)	22:50
greghaynes	Also, whats much more difficult than generating the CSR's with x509 is making use of them ;)	22:50
alee	reaperhulk, yeah ..	22:50
greghaynes	er, with c binding for x509	22:51
greghaynes	Nothing says fun like asn parsing	22:51
alee	reaperhulk, I'm wondering if we pretty much have to pass the references to the plugin to generate a csr.	22:51
*** jamielennox\|away is now known as jamielennox		22:52
reaperhulk	alee: if we want that functionality we're going to need to do that probably. Unfortunately it means we keep shifting more and more of the burden to the plugins...	22:52
alee	reaperhulk, yeah - I'm not sure I see any way around that -- I can certainly implement something for dogtag	22:53
*** ryanpetrello has joined #openstack-barbican		22:54
alee	and presumably kmip/pkcs11 has signign capabilities	22:54
*** SheenaG1 has joined #openstack-barbican		22:55
greghaynes	Im curious what the use case is for this?	22:55
alee	greghaynes, there was a guy at the summit that asked secifically for this ..	22:57
greghaynes	Ive been thinking a lot on our orders API and I think the reason were having to either push logic down into pluins or commit layering violations is its just way too over abstracted	22:58
greghaynes	and this sounds like more down that same path	22:58
alee	greghaynes, well - this is a case where we don't want the private key to show up in barbican-core	22:59
alee	greghaynes, its a strange case -- if its too hard, we might end up saying -- sorry you can't do that -- retrieve the public/private keys from barbican and generate a csr please.	23:00
greghaynes	I still dont entirely understand the stored key usage (probably because I wasnt at barbican summit sessions), is there a spec or something?	23:00
*** ryanpetrello has quit IRC		23:03
alee	greghaynes, no spec -- I think we should re-examine this case and see what we can do.	23:04
alee	ok - dinnertime ..	23:04
*** alee is now known as alee_dinner		23:04
*** SheenaG1 has quit IRC		23:06
*** paul_glass has quit IRC		23:09
*** zz_dimtruck is now known as dimtruck		23:12
*** jaosorior has joined #openstack-barbican		23:13
jaosorior	anybody has an idea why this happened? http://logs.openstack.org/54/142254/1/gate//gate-barbican-devstack-dsvm/00ab6ff/console.html	23:15
*** ayoung_dreidl is now known as ayoung		23:23
jaosorior	jvrbanac: are you around?	23:25
*** Stanzi_ has quit IRC		23:27
*** stanzi has quit IRC		23:27
*** stanzi has joined #openstack-barbican		23:27
*** Stanzi_ has joined #openstack-barbican		23:27
*** Stanzi_ has quit IRC		23:31
*** stanzi has quit IRC		23:31
*** Stanzi_ has joined #openstack-barbican		23:33
*** stanzi has joined #openstack-barbican		23:33
reaperhulk	jaosorior: he's driving home right now	23:40
rm_work	reaperhulk: do we have any word on PyOpenSSL feature additions?	23:40
rm_work	has exarkun showed up again or has the project been taken over by someone else? any idea?	23:41
reaperhulk	rm_work: I talked briefly to exarkun the other day and he submitted some new bindings to cryptography and asked when we were doing a release	23:41
rm_work	hmm k	23:41
reaperhulk	I didn't get a chance to ask him about his intentions for a pyopenssl release though	23:41
*** jhfeng has quit IRC		23:41
rm_work	but he is "around" to some degree now?	23:41
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Delete secret from plugin only if there's metadata https://review.openstack.org/141963	23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!