Thursday, 2019-02-28

*** dave-mccowan has joined #openstack-barbican 03:06
*** dave-mccowan has quit IRC 03:32
*** Luzi has joined #openstack-barbican 06:50
*** dpawlik has joined #openstack-barbican 07:08
*** graeb has joined #openstack-barbican 07:22
*** pcaruana has joined #openstack-barbican 08:32
*** jaosorior has joined #openstack-barbican 09:06
*** graeb has quit IRC 09:16
*** graeb has joined #openstack-barbican 09:20
*** moguimar has joined #openstack-barbican 09:34
*** graeb has quit IRC 10:14
*** graeb has joined #openstack-barbican 10:24
*** dpawlik has quit IRC 11:00
*** dpawlik has joined #openstack-barbican 11:52
*** raildo has joined #openstack-barbican 12:15
*** moguimar has quit IRC 12:18
*** moguimar has joined #openstack-barbican 12:19
*** moguimar has quit IRC 12:25
*** moguimar has joined #openstack-barbican 12:26
*** dave-mccowan has joined #openstack-barbican 13:10
*** ade_lee has quit IRC 13:28
*** dpawlik has quit IRC 13:51
*** jmlowe has quit IRC 14:01
*** moguimar has quit IRC 14:04
*** moguimar has joined #openstack-barbican 14:04
*** mmethot has joined #openstack-barbican 14:06
*** dpawlik has joined #openstack-barbican 14:14
*** jmlowe has joined #openstack-barbican 14:17
*** jmlowe has quit IRC 14:17
*** jmlowe has joined #openstack-barbican 14:29
*** ade_lee has joined #openstack-barbican 14:38
*** Luzi has quit IRC 15:27
*** dpawlik has quit IRC 15:55
*** graeb has quit IRC 16:06
ade_lee: redrobot, yo 16:16
redrobot: ade_lee, \o 16:16
ade_lee: redrobot, so right now, we do save the label of the mkek and hmac is the kek_datum 16:17
ade_lee: redrobot, so that you can use the right mkek to extract a pkek 16:17
*** dave-mccowan has quit IRC 16:17
ade_lee: redrobot, what we don't store is the mkek_type and hmac_type 16:18
redrobot: oof 16:18
redrobot: sounds like a bug :( 16:18
ade_lee: redrobot, looks like at this point, we implicitly assume AES for mkek 16:18
ade_lee: and whatever is configured for hmac 16:18
ade_lee: is this a reasonable assumption though? 16:19
redrobot: ade_lee, I think MKEK is fine, IIRC only the Mechanism is configurable, not the Key Type 16:19
ade_lee: redrobot, yeah but changing the type of the hmac is really only to support different HSMs 16:20
ade_lee: redrobot, would we expect a migration from one hsm type to another? 16:20
ade_lee: even if we did have that -- it's likely that the old key would need to be exported from the old hsm and placed in the new one 16:21
ade_lee: with likely the same key type (old and new) 16:21
redrobot: I don't think we should worry about migrating between different hsm vendors 16:22
redrobot: but I do think a Firmware update may add mechanisms to the same HSM 16:22
redrobot: so, since the type is configurable for HMAC we should probably store what the config value was when the hmac was created. 16:22
ade_lee: well - we might as well store the mkek type too then -- future proof .. 16:23
redrobot: ade_lee, ++ 16:23
*** abishop has joined #openstack-barbican 16:29
*** dpawlik has joined #openstack-barbican 16:30
*** dpawlik has quit IRC 16:34
*** jmlowe has quit IRC 16:43
*** moguimar has quit IRC 16:59
*** dpawlik has joined #openstack-barbican 17:15
*** raildo has quit IRC 17:19
*** dpawlik has quit IRC 17:19
*** raildo has joined #openstack-barbican 17:43
*** raildo has quit IRC 17:48
*** jmlowe has joined #openstack-barbican 18:03
*** pcaruana has quit IRC 19:14
*** dpawlik has joined #openstack-barbican 19:16
*** dpawlik has quit IRC 19:20
*** whoami-rajat has quit IRC 19:20
*** abishop has quit IRC 19:38
*** raildo has joined #openstack-barbican 19:42
*** dpawlik has joined #openstack-barbican 19:50
*** dpawlik has quit IRC 19:54
*** dpawlik has joined #openstack-barbican 21:51
*** dpawlik has quit IRC 21:55
*** ade_lee has quit IRC 22:15
*** dpawlik has joined #openstack-barbican 22:29
*** dpawlik has quit IRC 22:34
*** raildo has quit IRC 22:42
*** ade_lee has joined #openstack-barbican 22:55
*** nadeem has quit IRC 23:53
