#openstack-meeting-alt log

20:00:26 <redrobot> #startmeeting barbican
20:00:27 <openstack> Meeting started Mon Oct 27 20:00:26 2014 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:32 <openstack> The meeting name has been set to 'barbican'
20:00:59 <redrobot> Hi everyone!  As usual, the Barbican Weekly Meeting Agenda can be found here:
20:01:03 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican#Agenda
20:01:11 <redrobot> #topic Roll Call
20:01:13 <hyakuhei> o/
20:01:19 <atiwari> o/
20:01:21 <alee> o/
20:01:26 <kaitlin-farr> o/
20:01:28 <woodster_> o/
20:01:32 <chellygel> \o\ /o/ |o|
20:02:21 <akoneru> o/
20:02:25 <hogepodge> \o
20:02:31 <redrobot> Woohoo!  Lots of barbicaneers here.  Good stuff.
20:02:38 <redrobot> #topic Kilo Design Sessions
20:02:56 <redrobot> I'm in the process of filling in the info for the Barbican Design Sessions
20:03:02 <redrobot> we have four slots, all on Tuesday.
20:03:10 <redrobot> should be a busy day
20:03:28 <redrobot> So far the topics are:
20:03:31 <redrobot> 1) Barbican Plugin (Driver) Lifetime management
20:03:39 <redrobot> 2) Common Certificate Issuance API
20:03:45 <redrobot> 3) Integrating Barbican with other OpenStack projects
20:04:36 <hyakuhei> 3 really has to move faster if you don't mind me saying
20:05:03 <hyakuhei> (I will be helping with that though, looking forward to discussing next week)
20:05:18 <redrobot> I'm tentatively holding the 4th slot for a Kite design session.  I've reached out to the Kite developers to see if they are interested in having a design session for Kite.  If not, we'll be using that slot for another Barbican discussion.
20:05:29 <redrobot> hyakuhei what do you mean move faster?
20:05:33 <hyakuhei> I know Tkelsey is very interested
20:05:49 <hyakuhei> So talking to a few Cinder devs about this the other day
20:06:05 <hyakuhei> Main objection seens to be a perception that Barbican API isn't stable
20:06:29 <rellerreller> We have bug with Barbican plugin in Cinder
20:06:56 <redrobot> hyakuhei I think there's some validity to that... we did change a lot of things in Juno.  I think we're committed to supporting the Juno API though, so hopefully this won't be an issue anymore.
20:07:12 <rellerreller> Sorry for being late. I only saw last three comments., but the latest python-barbicanclient has broken code for Barbican KeyManager
20:07:54 <rellerreller> I think this is second time now that this has been an issue for us
20:07:56 <redrobot> rellerreller yep, there's a lot of work that's going into python-barbicanclient that breaks things, which is why it's all targeted to a new major version release
20:07:58 <hyakuhei> redrobot: That sounds good, my main goal is to see decent encryption capabilities, using keymat from Barbican, integrated into OpenStack
20:08:29 <redrobot> #link https://launchpad.net/python-barbicanclient/+milestone/3.0.0
20:09:08 <hyakuhei> Useful link thanks
20:09:55 <alee> redrobot, if we have the fourth slot for Barbican, I'd like to vote for "User-level access to resources, such as secrets/containers / per-secret-policy" https://review.openstack.org/#/c/127353/
20:10:09 <atiwari> alee +1
20:10:20 <redrobot> rellerreller the only other pending change is to Orders.  Currently the client can't use the typed orders.  I should have a CR for that today or tomorrow.
20:10:23 <redrobot> alee noted.
20:10:46 <rellerreller> redrobot thanks
20:11:18 <redrobot> rellerreller once the Orders CR is merged, I'll release 3.0.0 to PyPI
20:11:28 <atiwari> redrobot, are removing the old style order from client
20:11:29 <atiwari> ?
20:11:43 <redrobot> atiwari yes.  No point in keeping it since the Server no longer supports it.
20:11:51 <atiwari> yes
20:12:21 <redrobot> Any more questions/comments regarding the Kilo Design Sessions?
20:12:31 <atiwari> yes
20:12:47 <atiwari> redrobot, can we organize our round table meetings too?
20:13:03 <redrobot> atiwari yes, we'll have a dedicated pod for Barbican, just like we did in Atlanta.
20:13:39 <atiwari> redrobot, ok
20:13:47 <redrobot> atiwari the goal will be to work through as much of the etherpad as possible
20:13:49 <redrobot> #link https://etherpad.openstack.org/p/barbican-kilo-design-sessions
20:13:58 <woodster_> general note: I've been adding additional items out there, along with a date stamp
20:15:30 <redrobot> atiwari anything else?
20:15:38 <atiwari> no
20:15:42 <redrobot> ok, moving on
20:15:49 <redrobot> #topic Atalla ESKM Plugin
20:16:03 <redrobot> I was hoping tkelsey would be around
20:16:17 <hyakuhei> I'll see if he's online
20:16:33 <hyakuhei> He isn't... This is an 8pm meeting in the uk.
20:17:01 <redrobot> hyakuhei no worries, I think we'll be talking about this in Paris either way.
20:17:28 <hyakuhei> Yeah I think so, it's a shame we can't move it along a little faster though
20:17:51 <hyakuhei> That goes for all/any HSM compatability
20:17:54 <redrobot> I added this to the agenda, since we were talking about it last week, and I've been thinking about whether it would be a good idea to add this plugin to Barbican when we know that it will be deprecated as soon as the KMIP plugin is up to speed.
20:18:07 <hyakuhei> Although having secure keymat with nothing to consume it is perhaps slightly redundant
20:18:42 <hyakuhei> We will be happy to support it in parallel with the replacement
20:19:40 <redrobot> I see.  The impression I had was that we would want to remove the current plugin as soon as the replacement was available
20:20:00 <hyakuhei> Sorry for giving that impression
20:20:16 <hyakuhei> From an accademic point of view KMIP is the better option
20:20:26 <woodster_> Why would we need both plugins active if KMIP is the better one?
20:20:37 <woodster_> active -> available?
20:20:54 <hyakuhei> So there are a few issues here
20:21:12 <hyakuhei> The first is that one is available now (almost) and KMIP will actually be a while
20:21:29 <hyakuhei> The KMIP secret store doesn't scale brilliantly as proposed today (stores everything in HSM)
20:22:42 <woodster_> By everything do you mean the keks themselves? If so, Paul (reaperhulk) moved to a MEK based approach with wrapped keks stored outside of the HSM, in Barbican
20:23:19 <woodster_> Is the timeframe for KMIP beyond Kilo do you think?
20:25:11 <hyakuhei> woodster_: for it to be stable, probably
20:25:17 <hyakuhei> Also, that's quite a long time
20:25:22 <atiwari> hyakuhei, as per this #link https://review.openstack.org/#/c/114580/4/specs/juno/hp-eskm-plugin.rst we storing everything in ESKM not just KEK.
20:25:27 <hyakuhei> Sorry I appeared afk for a second, network outage.
20:25:37 <atiwari> hyakuhei, is that correct?
20:27:08 <redrobot> hyakuhei no worries.  You missed a couple of Qs
20:27:17 <redrobot> <woodster_>	Is the timeframe for KMIP beyond Kilo do you think?
20:27:26 <redrobot> <atiwari>	hyakuhei, as per this #link https://review.openstack.org/#/c/114580/4/specs/juno/hp-eskm-plugin.rst we storing everything in ESKM not just KEK.
20:28:07 <hyakuhei> ok. so I'm not one of the primary contributors to the KMIP work. I'd like it to be ready before the end of the Kilo timeframe.
20:28:41 <woodster_> My only other comment was that if only project KEKs are stored in the HSM, reaperhulk address that via a MEK based approach that stores the MEK-wrapped project KEKs outside the HSM, in Barbican
20:28:46 <hyakuhei> woodster_: Where can I read more about Pauls approach to things?
20:29:28 <atiwari> hyakuhei, #link https://review.openstack.org/#/c/107775/4/specs/juno/restructure-pkcs11-plugin.rst
20:29:40 <hyakuhei> I think as of last week the basic model was CRUD for KEK all within HSM, DEKs stored by Barbican, wrapped by KEK as a HSM operation
20:29:48 <redrobot> hyakuhei http://specs.openstack.org/openstack/barbican-specs/specs/juno/restructure-pkcs11-plugin.html
20:29:49 <woodster_> well, we are working on a presentation for it in Paris :) But the basic doe is here: #link https://github.com/openstack/barbican/blob/master/barbican/plugin/crypto/p11_crypto.py
20:30:05 <atiwari> this is pkcs11 plugin in using MEK from HSM
20:30:36 <woodster_> yep, so the only thing stored in the HSM is a single MEK and a HMAK key
20:30:38 <hyakuhei> So my personal feeling is that you should have more scalable HSM resource, MKEK seems like a degredation
20:31:12 <hyakuhei> As in the event of a point-in-time compromise of Barbican you now have resident unwrapped KEK and DEK
20:31:16 <atiwari> hyakuhei, I think we need to clean #link https://review.openstack.org/#/c/114580/4/specs/juno/hp-eskm-plugin.rst
20:31:28 <woodster_> hyakuhei, perhaps, but if you wish to store 100k's of KEKs in the HSM, you run into issues with hardware availablity
20:31:45 <atiwari> as per this, it seems we are storing everything in ESKM .
20:31:47 <hyakuhei> Depends on your hardware
20:32:01 <hyakuhei> I mean, the HSM's we use store 2M keys
20:32:01 <atiwari> sorry If I am missing something
20:32:36 <hyakuhei> Maybe you should choose an appropriate HSM for load in the same way that you choose an appropriate chasis for compute
20:32:45 <woodster_> hyakuhei, my only point in bringing this up was if you KMIP issue was one of limited resources in the HSM.
20:32:48 <hyakuhei> At the very least both modes of operation should be supported
20:33:04 <hyakuhei> Sure I get that, I don't think that's the problem
20:33:32 <hyakuhei> In fact one thing I wanted to add to barbican at some point soon was the ability to indicate where a key was stored (ie which HSM) if that wasn't already there
20:33:39 <woodster_> hyakuhei, ok thanks for the clarification
20:34:06 <rellerreller> hyakuhei I like that idea
20:34:27 <atiwari> hyakuhei, woodster_, fyi I was proposing MEK approach with ESKM
20:34:31 <hyakuhei> To my mind that's how you scale without compromising key handling
20:34:50 <hyakuhei> I'm open to several approaches though, it's not a one size fits all kinda thing
20:34:51 <atiwari> something in same line as Paul's work
20:34:51 <redrobot> hyakuhei I'm still not sure what you mean by scaling
20:35:05 <alee> hyakuhei, rellerreller don't we already  have a mechanism to indicate which hsm stored a key by using the secret metadata?
20:35:09 <hyakuhei> where num KEK > HSM capacity
20:35:22 <hyakuhei> alee: I'm not sure, it's on my list of things to check
20:35:58 <rellerreller> alee I thought he was talking about exposing that to the external API, so you could call store key and store it using this particular secret store.
20:36:17 <redrobot> hyakuhei so, upon reaching capacity in one HSM you'd have to add another HSM to provide additional storage?
20:36:34 <rellerreller> alee The DB does store which secret store saved the key afaik
20:36:44 <hyakuhei> redrobot: That would be the same way that everything else works - everything has limited capacity.
20:37:09 <rellerreller> alee that is how we know which secret store to call to retrieve the key
20:37:19 <alee> rellerreller, right -- otherwise you would not know where to go to retrieve it
20:37:39 <hyakuhei> It's a risk managed decision if you want to offset the cost of adding more HSM against going down a MKEK route
20:37:53 <hyakuhei> However, I feel this is probably a discussion for next week
20:38:08 <alee> rellerreller, but if there is some kind of load/capacity decisions that need to be made, I'll not sure that should be exposed above the secret_store level ..
20:38:15 <hyakuhei> Fun as it is conversing at three sentences a minute it can be hard to keep track.
20:38:21 <redrobot> hyakuhei I see.  Not sure how much cost would factor into such a scenario.   We've found that the HSMs we're using have a very small capacity.  To add HSMs to add capacity would be prohibitively expensive.
20:38:47 <alee> rellerreller, how and why would the client have to know about which hsm to go to?
20:38:50 <redrobot> hyakuhei I agree :)
20:38:53 <hyakuhei> redrobot: Like I said, the ones we use today manage 2k keys
20:39:01 <hyakuhei> sorry, 2m keys :P
20:39:12 <hyakuhei> but they _are_ expensive.
20:39:48 <hyakuhei> real crypto security often is, I seem to remember us basically having the inverse argument lastweek
20:39:49 <rellerreller> alee It could be interesting for user to say store a key, and I want it to be stored using this provider. Perhaps I have a requirement to store things in KMIP and not other types of secret stores.
20:39:54 <atiwari> alee, I think if that are multiple HSM, you have to maintain the reference in secret .
20:40:21 <rellerreller> alee Perhaps not identify individaul secret store but secret store type
20:40:30 <hyakuhei> Yeah
20:41:07 <alee> hyakuhei, rellerreller ok - that makes sense -- I've proposed something similar for cert issuance.
20:41:25 <rellerreller> alee Yes, it is the same concept as that.
20:42:13 <alee> ok
20:42:15 <woodster_> hmmm....warning, API changes ahead :)  Well, additions anyway
20:42:29 <redrobot> yeah, will definitely be a fun week next week :)
20:42:40 <redrobot> so I guess we can table this until Paris.
20:42:48 <hyakuhei> I'm worried that we'll end up with a one size fits all here if we're not careful. If Paul's suggestion is the one I think it is, where secrets are stored in Barbican but most of the operations happen in the HSM then I think you'll still run into scale issues
20:42:56 <hyakuhei> Anyway, yes, table it
20:43:24 <redrobot> ok, moving on.
20:43:31 <redrobot> #topic Barbican T-Shirts
20:43:45 <hyakuhei> Finally something important ;)
20:43:56 <redrobot> so on a lighter topic, we _finally_ printed the shirts we promised during the mid-cycle
20:43:57 <atiwari> +1
20:43:59 <alee> hyakuhei, thats roughly how dogtag solves this problem -- and its scaled just fine for millions of secrets
20:44:44 <hyakuhei> alee my concern is that people buy the cheapest smallest HSM and watch it struggle with all the operations required. It's not the number of secrets its the number of crypto operations per second
20:44:54 <redrobot> so, if I promised you a T-Shirt at the mid-cycle, please let me know your size
20:44:57 <hyakuhei> anyway, t-shirts
20:45:08 <hyakuhei> redrobot: are they amazing?
20:45:18 <redrobot> hyakuhei yes, HSM throughput is definitely a concern for us
20:45:22 <alee> redrobot, do I get a t-shirt?  I was there remotely ..
20:45:24 <redrobot> hyakuhei and yes, they're amazing :)
20:45:34 <redrobot> alee indeed :)
20:45:45 <atiwari> redrobot, can I?
20:45:56 <hyakuhei> I wasn't around for the tshirt discussion - I think I'll make my own, the design is OpenSource I assume :P
20:46:00 <rellerreller> I don't remember anything about t-shirts. What a pleasant surprise.
20:46:01 <alee> redrobot, at least there was a massive projector sized image of me in the room.  larger than life in fact.
20:46:31 <redrobot> hyakuhei yep... hopefully vague enough to not get sued by the foundation.
20:46:48 <hyakuhei> redrobot: Man, I remember the hastle we had trying to get a logo for the OSSG.
20:47:09 <hyakuhei> Perhaps better to beg forgiveness than permission... someone might say.
20:47:45 <redrobot> atiwari yep, we should have a few extras... we'll be bringing them to Paris.
20:47:58 <atiwari> redrobot, thanks
20:48:15 <redrobot> Ok, that's all I have on the agenda for today.
20:48:21 <redrobot> Looking forward to seeing everyone in Paris.
20:48:38 <alee> redrobot, hey. do we have barbican stickers?
20:48:41 <hyakuhei> Me too!
20:49:12 <redrobot> alee no stickers yet.  maybe next time we get swag in the budget.
20:49:19 <woodster_> barbican HSM keychains for all!
20:49:37 <alee> ah well :)
20:49:54 <woodster_> we'll ask for a bigger budget next summit
20:50:15 <hyakuhei> woodster_: some of these? https://www.yubico.com/products/yubihsm/
20:50:45 <woodster_> yeah, those would be nice! We'll trade you t-shirts for those :)
20:50:50 <redrobot> hyakuhei yes!  With barbican logos.
20:51:09 <hyakuhei> That would be awesome
20:52:11 <redrobot> See y'all next week!
20:52:14 <redrobot> #endmeeting