Thursday, 2015-11-05

*** jhfeng has joined #openstack-security00:00
*** austin987 has quit IRC00:00
*** ccneill has quit IRC00:01
*** markvoelker has quit IRC00:06
*** jhfeng has quit IRC00:14
*** jian5397 has joined #openstack-security00:21
*** dave-mccowan has joined #openstack-security00:22
*** jerrygb has joined #openstack-security00:31
*** jerrygb has quit IRC00:32
*** markvoelker has joined #openstack-security00:47
*** austin987 has joined #openstack-security00:51
*** dave-mccowan has quit IRC00:53
*** dave-mccowan has joined #openstack-security00:59
*** y_sawai has joined #openstack-security01:12
*** dave-mccowan has quit IRC01:17
*** y_sawai has quit IRC01:17
*** dave-mccowan has joined #openstack-security02:07
*** jian5397 has quit IRC02:11
*** tkelsey has joined #openstack-security02:17
*** bpokorny_ has joined #openstack-security02:21
*** tkelsey has quit IRC02:22
*** bpokorny has quit IRC02:25
*** bpokorny_ has quit IRC02:26
*** dave-mcc_ has joined #openstack-security02:55
*** dave-mccowan has quit IRC02:56
*** dave-mccowan has joined #openstack-security02:58
*** dave-mcc_ has quit IRC03:01
*** jian5397 has joined #openstack-security03:07
*** jian5397 has quit IRC03:11
*** yuanying_ has joined #openstack-security03:21
*** yuanying has quit IRC03:21
*** yuanying_ has quit IRC03:36
*** dave-mccowan has quit IRC03:44
*** markvoelker has quit IRC03:54
*** jhfeng has joined #openstack-security03:59
*** yuanying has joined #openstack-security04:08
*** tkelsey has joined #openstack-security04:19
*** tkelsey has quit IRC04:24
*** jhfeng has quit IRC04:34
*** jhfeng has joined #openstack-security04:36
*** jhfeng has quit IRC04:37
*** jian5397 has joined #openstack-security04:37
*** markvoelker has joined #openstack-security04:55
*** markvoelker has quit IRC05:00
openstackgerritStanislaw Pitucha proposed openstack/anchor: Add better names validator and deprecate older one
openstackgerritStanislaw Pitucha proposed openstack/anchor: Add better names validator and deprecate older one
openstackgerritStanislaw Pitucha proposed openstack/anchor: Enable branch coverage reporting
*** salv-orlando has quit IRC05:46
*** salv-orlando has joined #openstack-security05:46
openstackgerritStanislaw Pitucha proposed openstack/bandit: Test for bug 1513091
openstackbug 1513091 in Bandit "Current command injection behavior isn't correct" [High,Fix committed]
*** salv-orl_ has joined #openstack-security05:55
*** salv-orlando has quit IRC05:57
*** jian5397 has quit IRC06:46
*** markvoelker has joined #openstack-security06:56
*** markvoelker has quit IRC07:01
*** tmcpeak has joined #openstack-security07:09
*** alex_klimov has joined #openstack-security07:22
*** alex_klimov has quit IRC07:31
*** alex_klimov has joined #openstack-security07:31
*** y_sawai has joined #openstack-security07:47
*** jamielennox is now known as jamielennox|away07:54
*** jamielennox|away is now known as jamielennox07:54
*** jamielennox is now known as jamielennox|away07:57
*** openstackgerrit has quit IRC08:16
*** openstackgerrit has joined #openstack-security08:16
*** tkelsey has joined #openstack-security08:18
*** tkelsey has quit IRC08:23
*** openstack has joined #openstack-security08:35
*** markvoelker has joined #openstack-security08:57
*** markvoelker has quit IRC09:01
*** browne has quit IRC09:09
*** shohel has joined #openstack-security09:18
*** salv-orlando has joined #openstack-security09:21
*** salv-orlando has quit IRC09:22
*** salv-orl_ has quit IRC09:24
*** salv-orlando has joined #openstack-security09:57
*** markvoelker has joined #openstack-security09:57
*** browne has joined #openstack-security09:58
*** salv-orlando has quit IRC10:00
*** jamielennox|away is now known as jamielennox10:01
*** markvoelker has quit IRC10:02
*** salv-orlando has joined #openstack-security10:02
*** browne has quit IRC10:03
*** misc has quit IRC10:06
*** misc has joined #openstack-security10:08
*** salv-orlando has quit IRC10:18
*** salv-orlando has joined #openstack-security10:18
*** jerrygb has joined #openstack-security10:58
*** markvoelker has joined #openstack-security11:13
*** alex_klimov has quit IRC11:16
*** markvoelker has quit IRC11:18
*** y_sawai has quit IRC11:32
*** alex_klimov has joined #openstack-security11:45
*** jian5397 has joined #openstack-security11:47
*** alex_klimov has quit IRC11:51
*** alex_klimov has joined #openstack-security11:51
*** jian5397 has quit IRC11:52
*** alex_klimov has quit IRC11:52
*** alex_klimov has joined #openstack-security11:53
*** tmcpeak has quit IRC11:53
*** jian5397 has joined #openstack-security11:53
*** jian5397 has quit IRC11:58
*** jian5397 has joined #openstack-security12:02
*** jerrygb has quit IRC12:10
*** dave-mccowan has joined #openstack-security12:42
*** salv-orlando has quit IRC12:42
*** tmcpeak has joined #openstack-security12:49
*** subscope has joined #openstack-security12:59
*** y_sawai has joined #openstack-security13:02
*** jamielennox is now known as jamielennox|away13:08
*** jian5397 has quit IRC13:08
*** jerrygb has joined #openstack-security13:11
*** tjt263 has joined #openstack-security13:12
*** tjt263 has left #openstack-security13:13
*** markvoelker has joined #openstack-security13:14
*** jerrygb has quit IRC13:16
*** markvoelker_ has joined #openstack-security13:18
*** markvoelker has quit IRC13:18
*** jian5397 has joined #openstack-security13:25
*** jian5397 has quit IRC13:29
*** jian5397 has joined #openstack-security13:30
*** edmondsw has joined #openstack-security13:34
*** y_sawai has quit IRC13:40
*** salv-orlando has joined #openstack-security13:44
*** jian5397 has quit IRC13:55
*** jian5397 has joined #openstack-security13:56
*** Guest21180 has joined #openstack-security13:57
*** Guest21180 has quit IRC13:57
*** salv-orlando has quit IRC13:59
*** salv-orlando has joined #openstack-security13:59
*** y_sawai has joined #openstack-security14:02
*** jerrygb has joined #openstack-security14:04
openstackgerritCyril Roelandt proposed openstack/bandit: Add a configuration generator for bandit
*** dave-mccowan has quit IRC14:17
*** dave-mccowan has joined #openstack-security14:36
*** _elmiko has quit IRC14:44
*** _elmiko has joined #openstack-security14:45
*** jhfeng has joined #openstack-security15:14
*** blanki has joined #openstack-security15:21
*** blanki has left #openstack-security15:21
*** sigmavirus24_awa is now known as sigmavirus2415:26
*** jian5397 has quit IRC15:28
*** markvoelker has joined #openstack-security15:30
*** markvoelker_ has quit IRC15:31
*** salv-orlando has quit IRC15:34
*** salv-orlando has joined #openstack-security15:35
*** markvoelker_ has joined #openstack-security15:35
*** markvoelker has quit IRC15:37
*** salv-orl_ has joined #openstack-security15:56
*** tkelsey has quit IRC15:56
*** tkelsey has joined #openstack-security15:56
*** salv-orlando has quit IRC15:59
*** alex_klimov has quit IRC16:09
*** salv-orl_ has quit IRC16:10
*** tjt263 has joined #openstack-security16:12
*** jerrygb has quit IRC16:13
*** jerrygb has joined #openstack-security16:15
*** ccneill has joined #openstack-security16:17
*** austin987 has quit IRC16:17
*** browne has joined #openstack-security16:19
*** dave-mccowan has quit IRC16:24
*** dave-mccowan has joined #openstack-security16:28
*** hyakuhei has joined #openstack-security16:29
*** jerrygb has quit IRC16:31
*** jerrygb has joined #openstack-security16:31
*** austin987 has joined #openstack-security16:34
*** bpokorny has joined #openstack-security16:39
*** timkennedy has joined #openstack-security16:41
*** y_sawai has quit IRC16:42
*** subscope has quit IRC16:50
*** mihero_ has joined #openstack-security16:53
*** Daviey_ has joined #openstack-security16:54
*** dlitz has joined #openstack-security16:55
*** misc_ has joined #openstack-security16:56
*** barra204 has joined #openstack-security16:58
*** dave-mccowan has quit IRC16:59
*** Steap_ has joined #openstack-security17:03
*** Steap_ is now known as Steap17:03
Steaptmcpeak: hey, I'm Cyril :)17:04
tmcpeakSteap: hey man, how's it going?17:04
tmcpeakso I like what you've done with the config generator17:04
hyakuheimeeting oclock17:04
*** misc has quit IRC17:04
*** Daviey has quit IRC17:04
*** dlitz_ has quit IRC17:04
*** mihero has quit IRC17:04
*** shakamunyi has quit IRC17:04
tmcpeakdamn, rly?17:05
*** gmurphy has joined #openstack-security17:05
tmcpeakit changed with daylight savings I guess?17:05
hyakuheiWell no, it didnt change17:05
*** agireud has quit IRC17:05
hyakuheiit’s 1700 UTC17:05
tmcpeakgood point17:05
tmcpeakit changed last week or so and I didn't notice bc we didn't do a meeting17:06
*** agireud has joined #openstack-security17:07
* Steap came precisely at the wrong time17:07
tmcpeakSteap: can I grab you after OSSG meeting?17:08
Steaptmcpeak: in an hour ?17:08
tmcpeakwhat timezone are you in?17:09
Steapok, works for me17:09
tmcpeakok cool, talk to you then17:09
Steaptmcpeak: Paris17:09
tmcpeakahh cool, same as me17:09
tmcpeakif it's late for you we can catch up tomorrow17:09
Steapnah, no problem, I'll be available for like ~45 minutes17:10
Steapshould be enough :)17:10
tmcpeakawesome, sounds good17:11
*** austin987 has quit IRC17:34
*** subscope has joined #openstack-security17:34
*** timkennedy has quit IRC17:35
*** timkennedy has joined #openstack-security17:41
*** subscope has quit IRC17:47
*** austin987 has joined #openstack-security17:49
tmcpeakSteap: hey, stillaround?17:59
*** shohel has quit IRC17:59
Steaptmcpeak: yeah17:59
tmcpeakcool, so I guess my preference is to generate configs with 'All' intact, at least for reference purposes18:00
Steapso maybe add the disabled checkers to "exclude" ?18:00
tmcpeakyeah, does exclude still work?18:00
*** timkennedy has quit IRC18:00
* tmcpeak doesn't remember18:01
tmcpeakif it does I think that's the best solution18:01
*** dg_ has joined #openstack-security18:01
Steaptmcpeak: I think so18:01
tmcpeakahh cool18:01
Steapwell, technically, a checker not in "include" is excluded18:01
tmcpeakyeah that would be great then18:01
tkelseySteap: +118:01
*** timkennedy has joined #openstack-security18:01
Steapbut well, ok18:01
SteapI'd keep deleting the associated checker config, though18:02
Steapany thoughts on that ?18:02
tmcpeakdeleting the checker config?18:02
tmcpeaksorry I'm not following18:02
dg_redrobot you wanted to talk killick?18:03
*** dave-mccowan has joined #openstack-security18:03
tmcpeakSteap: at any rate, it's just a suggestion.  You're writing the tool to be useful to you and others18:04
tmcpeakI'm good with any of these18:04
tmcpeakthe tool looks good18:04
tmcpeakI'm happy to +2 it as is18:04
Steaptmcpeak: I'm talking about specific configuration18:04
tmcpeakI'd just prefer to leave *some* place with the entire list of tests18:04
Steaplike the one for blacklist_calls, which lists blacklisted calls18:04
*** browne has quit IRC18:05
Steapif a user wants to disable the blacklist_calls checker, keeping the configuration is kind of weird18:05
tmcpeakoh right18:05
tmcpeakyeah that makes sense18:05
SteapI'm also wondering how exactly other projects will use that18:05
Steapnot ure whether they'll use bandit.yaml, bandit-conf-genrator.yaml, or both18:06
tmcpeakthis seems like a reasonable first revision though18:06
tmcpeakwe can always enhance as needed in the future18:06
*** salv-orlando has joined #openstack-security18:15
ccneillhey all, no meeting today?18:18
ccneillor do I have my times messed up18:19
tmcpeakccneill: yeah, time messed18:22
tmcpeaklots of us did it but luckily hyakuhei dropped by and rounded a few of us up18:22
ccneilldid I already miss it? :X18:22
tmcpeakyeah man :)18:23
ccneillaw, alright18:23
ccneillI'll update my calendar18:23
tmcpeaksweet, catch you next week18:23
ccneillyep yep18:23
Steaptmcpeak: I'll update the patch tomorrow, gotta go right now18:24
tmcpeakSteap: cool, sounds good18:25
*** salv-orlando has quit IRC18:35
*** tkelsey has quit IRC18:42
*** dave-mccowan has quit IRC18:44
redrobotdg_ just got back from lunch... hyakuhei put me up to it. :)18:46
redrobotdg_ I did leave some comments on the spec.18:48
redrobotdg_ My prefences in order would be:18:49
redrobotdg_ 1. Collaborate on Barbican instead of starting a new project.  We could add an optional RA API to Barbican to support the admin side of Killick18:49
redrobotdg_ 2. Develop Killick with the ACME API only (ie no new Cert ordering API)18:50
*** browne has joined #openstack-security18:50
redrobotdg_  3. Develop Killick using a subset of the existing Barbican API18:50
redrobotdg_  my main concern is in adding a new cert ordering API to OpenStack... especially because most of the user-facing use cases are already covered by the Barbican API18:51
dg_ok, so 1. isnt really an option due to resourcing18:53
*** dave-mccowan has joined #openstack-security18:53
dg_2. we plan to support ACME later, currently Killick just uses the anchor API18:53
dg_having run a pki for 4 years, the most common use case for a traditional pki is to curl a CRL to a CA18:54
dg_i.e. the anchor API18:54
dg_I see no reason why killick couldnt plug into barbican as a CA plugin18:55
dg_however, afaik barbican has none of the issue/deny/revoke functionality built into the API? so a certificate administrator would still need to touch the killick gui?18:55
redrobotdg_  currently they're not available, but the specs have been in review for a while now18:56
redrobotdg_  also it would be nice to have only one gui, instead of having both barbican and killick in horizon18:56
dg_yeah totally agree18:57
redrobotdg_ the killick spec doesn't go into details about the API so I was speculating on it having a brand new API18:57
dg_so we are pegging it for the simplest case - someone needs a ca for an interface18:57
*** jerrygb has quit IRC18:57
*** jerrygb has joined #openstack-security18:58
dg_in that case, most people dont want a complex api, they litterally want to do curl a crl at a rest api18:59
dg_thats what we have for anchor, hence using it for killick, but for futureproofing and compatibility I really want to support ACME as it seems like a big step forwards18:59
jkfsorry, wrong window19:00
redrobotdg_ but you'll need more than jus that API right?  For revokation and all that other cert management goodness.  It would be awesome if we could sync up Barbican and Killick so that those APIs are consistent across both projects19:02
redrobotdg_  then you could drop in either one... and clients would work on clouds that have either, or both.19:02
dg_so i assumed you were talking about the user api19:03
*** jerrygb has quit IRC19:03
dg_you are correct, the administrator api is more complicated19:03
*** ccneill has quit IRC19:03
redrobotdg_  well, a user has to be able to request revocation of his cert, I think19:03
dg_in most infrastructure deployments that is managed by a ticketing system19:04
redrobotdg_  so you wouldn't have a horizon gui to request revocation?19:05
dg_we hadnt considered a need for that, although potentially19:05
dg_currently with killick, you just do something like: curl -X POST
dg_and it returns a list of pending certificates19:06
dg_or curl -X POST<request_id>19:06
dg_which returns the validation result for the certificate, if it has been issued, etc19:07
dg_(authn/z is a nightmare which I havent had time to think about properly19:07
hyakuheiAuthN you can probably take from Anchor, Z is harder19:08
dg_yeah, lets leave that out of scope for the moment and sit down with a coffee and a whiteboard at some point19:08
hyakuheiSo revocation gets messy, there are some nice ways to do it without AuthN, or rather using the private key as the AuthN19:09
hyakuheiIs the Barbican API written up nicely anywhere? Honestly I’ve not looked at it19:09
*** ccneill has joined #openstack-security19:10
dg_how about the issue/deny/revoke certificate administration api?19:12
redrobotdg_ we're really just user-focused at this time, so we don't have an admin api19:13
redrobotdg_  the assumption now is that your CA will do the work, or if it's internal you'd go directly to DogTag or whatever19:14
redrobotCancel (for pending certs)
dg_ok, so that sounds a lot like you have two gui's, one for barbican and one for your CA...19:15
redrobotdg_ well, for a public CA you don't need a 2nd gui19:17
*** salv-orlando has joined #openstack-security19:17
*** jian5397 has joined #openstack-security19:18
dg_so my assumption was that if I wanted a certificate from a public ca, I would just submit a CSR to verisign/whoever19:18
dg_rather than doing that via barbican19:19
redrobotdg_ public CAs cert issuance is one of the reasons Rackspace started Barbican19:20
redrobotdg_ we've been working with Symantec and they're ramping up to start contributing to the project19:20
dg_interesting, whats the use-case?19:20
*** jian5397 has quit IRC19:22
redrobotdg_  Rackspace resells Symantec certs.  Our customers order them from us, and we use Symantec's API to provision them.19:23
redrobotdg_  currently it requires a lot of manual work19:23
dg_cool! this is on your public cloud?19:24
redrobotdg_  not yet... the Symantec backend still needs some work.19:24
dg_but in theory, its something like this:19:24
dg_so as $customer, I decide that I want, put in a request using barbican/horizon, that forwards the request to symantec, issues the cert and bills me?19:25
redrobotdg_  yup, and when your cert is issued it's stored within Barbican, so it's nice and safe19:26
redrobotdg_ Digicert was also interested a while back, but their developer went MIA19:26
dg_ok thats pretty cool19:27
dg_the thing I love about pki is that the more people you talk to, the more completly new usecases you come across19:27
*** tmcpeak has quit IRC19:28
dg_which bits of that usecase currently work?19:33
redrobotdg_ when using a DogTag backend pretty much everything works...  Symantec integration was almost there, but then they turned off the API we were using, so they're developing a new backend for their new API.19:35
redrobotdg_  one problem I see now, that I was talking to hyakuhei about in Tokyo, is that we have a feature that only works in DogTag19:36
redrobotdg_  namely that you can provision a new CA root owned by your project and issue certs off of that.19:36
dg_yeah thats a cool feature19:36
redrobotdg_ I would like for barbican to have a non-dogtag option19:37
dg_I think barbican is a great product, and have had a lot of good discussion with Ade about Dogtag, but it isnt the right CA for us19:38
chair6integration with would be a nice alternative to symantec :)19:38
redrobotdg_  yeah, so to support a non-dogtag option, barbican is going to start behaving more like a CA... which is why I would not be opposed to adding an RA API19:39
*** salv-orlando has quit IRC19:39
redrobotdg_ we also talked about possibly using anchor and spinning up new anchor instances every time a new CA root is needed.19:40
dg_the issue there is that anchor totally lacks revocation functionality, which you really should have, if you are not using short-term certs19:40
redrobotdg_  yup... which is why I think Barbican is kinda headed the same way Killick is19:41
hyakuhei… if revocation worked….19:41
hyakuheiwhich it doesn't19:41
hyakuheiso if everyone could just use anchor …. that’d be great :P19:42
dg_hyakuhei shhhhh19:42
dg_you'll be saying santa doesnt exist next19:42
redrobotchair6 agreed!  But there's some work in Barbican that would be needed... here are my thoughts on what it would take to add Let's Encrypt (or any other ACME CA) to Barbican
hyakuheichair6: redrobot yeah we discussed ACME for a few things19:43
dg_so maybe making killick acme compliant and making barbican acme compliant is the way to go? getting two birds with one stone19:44
hyakuheiRunning an internal instance of letsencrypt might be smart too19:44
redrobotdg_ +1 ... with the caveats I mentioned on the ML link :)19:44
redrobothyakuhei yup, I was thinking about that for our internal CA19:45
redrobothyakuhei currently the internal CA process is: email the team that owns the CA >_>19:45
chair6 does look interesting, could be an alternative to building another x CAs..19:46
redrobotchair6 I mentioned that in the Killick spec :)19:46
hyakuheiACME fits super nicely with DNSaaS19:47
*** jian5397 has joined #openstack-security19:53
*** jerrygb has joined #openstack-security19:53
*** alex_klimov has joined #openstack-security19:53
*** ccneill_ has joined #openstack-security19:57
*** ccneill has quit IRC19:57
*** ccneill__ has joined #openstack-security19:58
*** ccneill__ has quit IRC19:58
dg_redrobot so how far has the barbican RA work progressed?19:58
*** salv-orlando has joined #openstack-security20:00
*** dave-mccowan has quit IRC20:00
*** ccneill_ has quit IRC20:01
*** alejandrito has joined #openstack-security20:02
*** salv-orlando has quit IRC20:05
*** salv-orlando has joined #openstack-security20:06
*** tkelsey has joined #openstack-security20:13
*** dave-mccowan has joined #openstack-security20:14
hyakuheiI still think having an RA inside Barbican CMS is a _bad_ idea20:15
dg_so theres a few things I like about using killick over something like boulder - we get the marjority of the functionality for free from anchor, we get the validation functionality from anchor (which will massively improve the UX for the certificate administrator), its super lightweight, and we own it20:17
*** tkelsey has quit IRC20:17
dg_currently killick is about 400loc, the only missing functionality is the auth and the revocation20:17
*** dave-mccowan has quit IRC20:18
dg_plus we get to use future anchor functionality, like hsm integration, for free20:18
hyakuheiThere’s something to be said for a pure-python CA too20:18
*** dave-mccowan has joined #openstack-security20:19
dg_the disadvantage is that we will need to add crl signing to anchor, which makes me :(20:20
hyakuheiSo there is probably a way to do that20:24
dg_it should be a fairly minor addition, i just havent had a couple of days to do it20:25
hyakuheiSo the problem is doing it without breaking the statefulness20:27
hyakuhei^^^^ yup20:27
*** jhfeng has quit IRC20:27
dg_so i dont think i care20:27
hyakuheiI do, I want silo’s to continue to work, for things like the ansible case20:28
hyakuheilets chat about it tomoz20:28
dg_but anchor will not use the revocation functionality, so will continue to be stateless20:28
dg_killick is not stateless by its nature20:28
dg_totally agree that the ability to silo anchor is far more important than making another ca, no matter how cool killick is20:29
*** jhfeng has joined #openstack-security20:29
redrobotsorry, there was a fire drill at work...  back now20:36
dg_hyakuhei and me are more or less done for the day20:36
redrobotdg_  no RA in Barbican.  We've been pushing that off to the CA.  The only thing that might change that is adding support for the per-project-CAs in a non-dogtag fashion...20:37
*** jhfeng has quit IRC20:42
*** dg_ has quit IRC20:53
*** jian5397 has quit IRC20:58
*** jian5397 has joined #openstack-security21:03
*** hyakuhei has quit IRC21:05
*** hyakuhei has joined #openstack-security21:10
*** jhfeng has joined #openstack-security21:20
*** hyakuhei has quit IRC21:23
*** mihero_ has quit IRC21:30
*** jian5397 has quit IRC21:43
*** mihero has joined #openstack-security21:51
*** edmondsw has quit IRC21:52
*** salv-orlando has quit IRC22:06
*** salv-orlando has joined #openstack-security22:06
*** ccneill has joined #openstack-security22:24
*** alex_klimov has quit IRC22:33
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals
*** alejandrito has quit IRC22:41
*** bpokorny_ has joined #openstack-security22:44
openstackgerritMerged openstack/security-doc: Updated from openstack-manuals
*** bpokorny has quit IRC22:48
*** jamielennox|away is now known as jamielennox22:59
*** jerrygb has quit IRC23:08
*** sigmavirus24 is now known as sigmavirus24_awa23:22
*** bpokorny_ has quit IRC23:29
*** bpokorny has joined #openstack-security23:30
*** jerrygb has joined #openstack-security23:33
*** salv-orlando has quit IRC23:37
*** jhfeng has quit IRC23:42
*** jerrygb_ has joined #openstack-security23:49
*** jerrygb has quit IRC23:50
*** austin987 has quit IRC23:55

Generated by 2.14.0 by Marius Gedminas - find it at!