20:00:01 <redrobot> #startmeeting barbican
20:00:02 <openstack> Meeting started Mon Nov 10 20:00:01 2014 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:06 <openstack> The meeting name has been set to 'barbican'
20:00:20 <redrobot> Welcome back Barbicaneers!
20:00:42 <redrobot> As usual the agenda can be found here:
20:00:45 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:00:48 <redrobot> #topic Roll Call
20:01:07 <redrobot> I'm actually not expecting very many people to show today.
20:01:10 <SheenaG1> o/
20:01:22 <redrobot> You rock SheenaG1 !! :)
20:01:59 <alee> o/
20:02:11 <SheenaG1> redrobot: can't let you have this meeting all by your lonesome!
20:02:25 <redrobot> good to see you made it home ok alee
20:02:39 <redrobot> I think it's just the three of us today, so it should be a quick meeting
20:02:58 <alee> redrobot, still a little jet lagged - and I missed my connection - so it was a long delay in lovely detroit
20:03:18 <alee> looks like rellerreller made it back too.
20:03:24 <SheenaG1> alee: who wouldn't want to visit Detroit?
20:03:24 <rellerreller> Is there a meeting today?
20:03:26 <redrobot> alee heh... I missed my flight out of Paris >_<
20:03:33 <redrobot> rellerreller yeah, should be a short one though
20:03:41 <redrobot> #topic New Core Reviewers
20:04:08 <alee> redrobot, I think rellerreller and I have already +1'ed
20:04:08 <redrobot> First, let's cover the nomination for Steve Heyman
20:04:13 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2014-November/049852.html
20:04:52 <redrobot> Yeah, I counted 6 x +1, and since it's been five days of open voting, I'm calling it a Yes for Steve. I will add Steve to barbican-core after the meeting.
20:05:37 <redrobot> Next, we have the nomination for Juan Antonio Osorio Robles
20:05:40 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2014-November/049855.html
20:05:57 <alee> SheenaG1, I'm sure Detroit is lovely, I just have not made it past the airport (which is lovely too)
20:06:22 <rellerreller> Congratulations to Steve!
20:06:27 <redrobot> The vote count for Juan was also 6x +1, and with five days of open voting, I'm also calling this a Yes.
20:06:45 <redrobot> I will also be adding Juan to barbican-core after the meeting.
20:06:56 <alee> ditto for Juan
20:07:23 <redrobot> Congratulations to both Juan and Steve! I think they're both well deserved after all the review work they've been putting into the project.
20:07:32 <redrobot> even if they didn't make it to today's meeting.
20:08:16 <redrobot> Ok, moving on
20:08:21 <redrobot> #topic RFC 7030
20:08:25 <redrobot> #link https://tools.ietf.org/html/rfc7030
20:09:10 <alee> redrobot, I think we need more time to study this rfc and decide what to do with it.
20:09:11 <redrobot> For today, I just wanted to remind everyone to read through the RFC. We'll push discussion until next week's meeting to give everyone a chance to come back from OpenStack Summit and related vacations.
20:09:21 <redrobot> alee agreed.
20:09:30 <jaosorior> did it already start? O_O
20:09:59 <redrobot> jaosorior meeting? Yes. You missed the official announcement that we're adding you to barbican-core after the meeting.
20:10:06 <alee> jaosorior, yup - and you've been designated core -- felicitations!
20:10:10 <jaosorior> yay! :D
20:10:36 <jaosorior> http://weknowmemes.com/wp-content/uploads/2012/11/mexcellent.jpg
20:10:50 <redrobot> jaosorior lol
20:12:06 <redrobot> so, that's all that was on the agenda for today.
20:12:15 <redrobot> anyone have anything they'd like to bring up?
20:12:20 <redrobot> if not we can call the meeting early.
20:12:33 <jaosorior> well, did the guys interested in implementing the RFC7030 show up?
20:13:02 <redrobot> jaosorior I don't think so. I just wanted to remind everyone to read the RFC. Lots of peeps are still on vacation or making their way back from Paris.
20:13:10 <jaosorior> oh, alright
20:13:18 <jaosorior> I was hurrying to finish reading it :P
20:13:25 <alee> jaosorior, it's a little early I think. we talked about perhaps meeting with them after the next barbican meeting next week.
20:13:51 <hyakuhei> Hey @all, didn't realise the weekly was running today?
20:14:10 <hyakuhei> Sorry, no question there - just erm, hi :)
20:14:18 <redrobot> hyakuhei hi!
20:14:19 <jaosorior> yo, whattup
20:14:24 <alee> jaosorior, it's going to take some thought -- even if we decide it's a good idea - we need to figure out when we'd want to implement it
20:14:48 <alee> given that we should be trying to stabilize the api.
20:15:07 <hyakuhei> Where's the best description of how transport keys work (other than the code)? I'm not sure they work how I think they work
20:15:10 <jaosorior> that's correct. Although if I remember correctly they had offered to implement it
20:15:29 <jaosorior> and on the other hand, the API as proposed by the RFC would end up being separate from the one we are using now
20:15:39 <alee> hyakuhei, well the code is in the server side - but not in the client side yet
20:15:49 <alee> hyakuhei, I need to implement that soon.
20:15:51 <jaosorior> (even URI-wise it would have a separate path)
20:15:54 <hyakuhei> ah ok, there isn't a spec for it I believe?
20:16:12 <alee> hyakuhei, there is -- let me see ..
20:16:34 <hyakuhei> Because when we were talking about pre-encryption and the different approaches, the asymmetric system I was imagining kinda sounded exactly the same as how I think transport keys would work
20:16:41 <hyakuhei> So some part of my thinking is broken :P
20:16:45 <hyakuhei> yo tkelsey !
20:16:47 <redrobot> hyakuhei http://specs.openstack.org/openstack/barbican-specs/specs/juno/add-wrapping-key-to-barbican-server.html
20:16:48 <tkelsey> hey all, sorry I'm late #
20:17:02 <alee> redrobot, thanks :)
20:17:22 <alee> hyakuhei, right - pre-encryption and transport keys are two separate features
20:17:47 <hyakuhei> alee: Yup, but I'm not 100% sure on the details of either :P
20:18:10 <hyakuhei> Thanks for the link redrobot
20:18:14 <alee> hyakuhei, sure - read the specs and let me know if you have questions
20:18:20 <hyakuhei> will do
20:18:30 <alee> (and be sure to comment)
20:19:07 <redrobot> hyakuhei you're welcome... even if y'all totally hijacked the meeting topic. :-P
20:19:34 <alee> redrobot, so yeah - in general - just a reminder for folks to read the outstanding specs -- so we can start getting to work ..
20:19:59 <redrobot> #topic Kilo Specs
20:20:18 <redrobot> #link https://review.openstack.org/#/q/status:open+project:openstack/barbican-specs,n,z
20:20:32 <alee> redrobot, we probably need to enumerate any additional specs that came out of the summit
20:20:51 <alee> rellerreller, you going to write the "content-type" one ? :)
20:21:11 <rellerreller> I can write it
20:21:18 <redrobot> and here I thought it was going to be a short meeting... hehe
20:21:26 <alee> awesome
20:21:32 <redrobot> I think I was on the hook for writing the Active Plugin spec?
20:21:39 <rellerreller> Do we need a spec for such a short commit? It will mostly be documentation.
20:22:35 <alee> rellerreller, depending on what we decide is the right version of PEM, it could be more than just documentation
20:22:59 <rellerreller> alee good point
20:23:00 <alee> though I'm in favor of keeping what we have (assuming it's the same)
20:23:30 <alee> rellerreller, it's worth putting in a spec - so we don't rehash all this next summit
20:24:17 <redrobot> #action rellerreller to write spec for content-types
20:24:35 <alee> redrobot, sounds good to me about the active plugin spec.
20:24:38 <redrobot> #action rellerreller to write spec for Active SecretStore
20:24:43 <redrobot> derp
20:24:56 <redrobot> #action redrobot to write spec for Active SecretStore
20:25:16 <alee> is there a spec for the tpm stuff?
20:26:09 <rellerreller> alee I have not seen one in Barbican, but I did see one in another project
20:26:44 <alee> redrobot, you might want to contact malini and figure out where all that is ..
20:26:54 <alee> rellerreller, link?
20:27:23 <rellerreller> One second
20:27:48 <alee> redrobot, I need to revise my spec for per-secret policy based on what we decided at the summit
20:28:17 <rellerreller> alee I cannot find it at the moment. I will have to post a link later.
20:28:18 <redrobot> #action alee to update ACL policy spec
20:28:27 <alee> cool
20:29:03 <redrobot> alee trying to remember what the TPM stuff was? ...
20:29:53 <alee> redrobot, malini et al had made changes to barbican and other projects to accept a TPM quote and use that to determine if someone was authorized to get a secret
20:29:58 <rellerreller> The TPM stuff is to add hooks to allow attestation protocols to run before releasing the keys.
20:30:29 <redrobot> I see... OK, I'll ping Malini about that
20:30:47 <rellerreller> It runs the Open Attestation protocol to get a TPM quote and then verifies it. In theory it can do more than just a TPM quote, but that is all in the first release.
20:30:53 <redrobot> #action redrobot to contact Malini to figure out the location of TPM work
20:30:54 <alee> my guess is that this involves some kind of middleware module that runs before barbican - and it would also tie in neatly with the per-secret acls.
20:31:05 <hyakuhei> Interested in the TPM work too
20:32:25 <alee> redrobot, on my flight home, I did run into some O-O-O folks interested in using barbican to get certs. I'll see if I can follow up with them.
20:32:35 <alee> also the Sahara folks.
20:33:06 <alee> are there any other missing specs?
20:33:11 <redrobot> alee nice.
20:33:45 <redrobot> alee looking at https://etherpad.openstack.org/p/barbican-kilo-roadmap to see if we missed anything
20:34:23 <redrobot> Ah yes, the Tenant->Secret association.
20:34:40 <alee> redrobot, yeah - we agreed to axe it.
20:34:53 <redrobot> I think woodster wanted to tackle that
20:35:02 <redrobot> will ping him about that when he comes back next week
20:35:06 <alee> redrobot, ok
20:35:34 <redrobot> Also, we still need a name for the KeyManager repo
20:35:45 <alee> what's a spike?
20:35:54 <hyakuhei> I thought keymanager was moving into barbican-client?
20:36:15 <redrobot> alee short for Research Spike... basically spend some time to research and figure out best course of action.
20:36:32 <tkelsey> alee I only know a spike in the context of scrum
20:36:48 <redrobot> hyakuhei the implementation will be in barbicanclient. The interface will live in its own repo though.
20:37:05 <redrobot> hyakuhei that way people not using barbican don't have to take on the barbicanclient dependency
20:37:25 <hyakuhei> Righto, makes sense.
20:37:35 <alee> ok - we discussed also a generic discovery api with json schema
20:38:04 <alee> with barbican-core doing validation based on that schema -- that needs investigation
20:38:13 <alee> and blueprints/specs
20:40:16 <alee> tkelsey, being a former physicist, I only know of spikes in the context of dirac delta functions ..
20:40:27 <jaosorior> you mean discovery such as in keystone?
20:41:01 <redrobot> jaosorior the idea was to have an API that will let you discover how many CAs can provision certificates for a particular Barbican instance
20:41:07 <alee> jaosorior, discovery as in presenting which algorithms , bit lengths etc. a plugin supports
20:41:19 <jaosorior> alright
20:41:29 <redrobot> jaosorior and also discover properties about that CA, like whether it's internal or global, etc.
20:41:30 <tkelsey> alee sounds much more interesting. In scrum a spike is a research task with no actual deliverable other than learning
20:42:31 <alee> redrobot, there are two discovery ideas here - one on which ca's are available --
20:42:43 <alee> and one on which algorithms, parameters etc. are needed
20:43:02 <alee> redrobot, ca-discovery has been approved and has a spec ..
20:43:24 <alee> https://review.openstack.org/129048
20:43:33 <alee> (which needs more reviewers)
20:44:19 <alee> redrobot, general capability discovery needs a spec for secret store type functions, but also has a spec for ca type functions
20:44:42 <hyakuhei> I'll take a look at the spec
20:44:45 <alee> https://review.openstack.org/129377
20:44:53 <alee> hyakuhei, cool thanks
20:45:56 * redrobot needs to lock himself in a room and just review specs for a couple of days
20:46:04 <hyakuhei> +1000
20:46:07 <hyakuhei> Need more days.
20:46:40 <alee> redrobot, excellent idea :)
20:46:41 <tkelsey> lol
20:50:17 <redrobot> yep, lots of work to do guys... Our folks should start trickling back from the Summit over the next few days
20:50:26 <redrobot> I'll get my cattle prod ready and see if I can get them to review specs
20:51:09 <redrobot> I think we have enough todos to keep us busy until next week.
20:51:13 <hyakuhei> redrobot: email me anything you want reviewing as a priority and I'll wield my might +/-1 ...
20:51:15 <redrobot> Any last minute comments/concerns?
20:51:24 <hyakuhei> *mighty
20:52:09 <redrobot> hyakuhei thanks! will do.
20:52:19 <hyakuhei> So it might be worth flagging up the swift encryption stuff
20:52:34 <hyakuhei> As not directly barbican, lots of learned people here might have opinions on it
20:52:45 <hyakuhei> Not that it's short of opinions already...
20:52:52 <redrobot> hyakuhei true, do you have any links handy?
20:52:53 <hyakuhei> #link https://review.openstack.org/#/c/123220/
20:53:42 <redrobot> hyakuhei thanks
20:53:53 <hyakuhei> np
20:56:10 <redrobot> Alrighty guys, thanks for coming to the meeting. See you all next week.
20:56:47 <redrobot> #endmeeting