12:01:22 <redrobot> #startmeeting barbican
12:01:23 <openstack> Meeting started Tue Jun 19 12:01:22 2018 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:01:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:01:26 <openstack> The meeting name has been set to 'barbican'
12:01:32 <redrobot> #topic Roll Call
12:01:34 <redrobot> o/
12:01:42 <Luzi> o/
12:02:29 <redrobot> hi Luzi!
12:02:37 <Luzi> hi redrobot
12:02:42 <redrobot> Let's wait a couple of minutes to see if anyone shows up
12:02:57 <redrobot> I'm filling in for alee, as he is on vacation for a couple of weeks.
12:03:28 <Luzi> okay, I am relatively new in here :)
12:04:29 <redrobot> Here is the agenda link:
12:04:33 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
12:04:42 <redrobot> aaaand it looks like it hasn't been updated in ages.
12:04:48 <redrobot> so we're just going to wing it.
12:05:53 <redrobot> Ok, I don't think anyone else is coming...
12:05:57 <redrobot> #topic New Meeting Time
12:06:14 <Luzi> I like this new meeting time :D
12:06:41 <redrobot> I do too!
12:06:43 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2018-June/131509.html
12:07:07 <redrobot> link above is for the ML message. Hopefully everyone saw it. Just linking it here for folks who read the meeting minutes after the fact
12:07:50 <Luzi> maybe it should be updated here: http://eavesdrop.openstack.org/#Barbican_Meeting
12:08:02 <Luzi> i also did read the ML
12:09:14 <redrobot> Hmm..
12:09:20 <redrobot> Ade did send an update for that
12:09:22 <redrobot> #link https://review.openstack.org/#/c/576177/
12:09:37 <redrobot> it looks like it's merged, but for some reason the website didn't update
12:09:56 <redrobot> I can follow up with the infra team to figure out why the website didn't update with that patch.
12:10:14 <redrobot> #action redrobot to follow up with infra team regarding the meeting time change on the eavesdrop website
12:10:29 <redrobot> ok, moving on
12:10:36 <redrobot> #topic Castellan as a base service
12:11:27 <redrobot> Looks like the TC has a good proposal for adding a Castellan-compatible key store as a base service
12:11:30 <redrobot> #link https://review.openstack.org/#/c/572656/
12:11:38 <redrobot> I expect the current patch to be merged
12:11:54 <redrobot> although I don't remember off the top of my head how long the TC waits to merge these
12:14:03 <redrobot> Luzi, any questions about the Castellan base services patch?
12:14:10 * redrobot waves at raildo
12:14:12 <Luzi> no
12:14:20 <raildo> o/
12:14:27 <Luzi> hi raildo
12:14:53 <raildo> hey Luzi :) how you doing?
12:15:17 <redrobot> ok, moving on
12:16:04 <redrobot> #topic Code Reviews
12:16:06 <redrobot> #link https://review.openstack.org/#/q/project:openstack/barbican+status:open
12:16:19 <redrobot> looks like the next patch in the OVO series is ready for review
12:16:25 <redrobot> please take some time to look over it
12:17:02 <redrobot> #link https://review.openstack.org/#/q/project:openstack/python-barbicanclient+status:open
12:17:11 <redrobot> there's a few barbicanclient patches ready for review as well
12:17:31 * redrobot needs to figure out how to get a dashboard with all projects in a single page on gerrit
12:17:57 <redrobot> nothing new in castellan to review, so I won't link that
12:18:45 <redrobot> #topic Bug Triage
12:19:43 <redrobot> just a reminder that every project except for Castellan is being tracked on Storyboard
12:19:51 <redrobot> #link https://storyboard.openstack.org/#!/project_group/81
12:20:40 <redrobot> #link https://bugs.launchpad.net/castellan
12:20:46 <redrobot> I did add a new bug for Castellan
12:21:24 <redrobot> after talking to raildo and reading the proposed Castellan-keystore base service spec, I'm starting to think that we should probably do away with the credentials factory in Castellan
12:21:55 <redrobot> and instead update the Barbican backend to get its credentials directly from the conf like the Vault backend does now.
12:22:24 <redrobot> any thoughts on that?
12:23:18 * redrobot hears crickets
12:23:35 <raildo> well, imo the credentials factory makes sense if it's useful for the backends
12:24:20 <raildo> if we currently have 2 backend options, barbican/vault, and it's only useful for barbican, well, that would be a sign that we need to fix/improve that
12:24:46 <redrobot> the problem I see with it is that people are likely to continue to pass end-user oslo-contexts into the backends. With the Barbican backend that has the side effect of making the user the owner of the secret, which is explicitly a bad thing if you read the Castellan-base-service proposal.
12:26:00 <redrobot> >>> Note that in the context of the base services set Castellan is intended only to provide an interface for services to interact with a key store, and it should not be treated as a means to proxy API calls from users to that key store.
12:26:35 <redrobot> We don't have to make a decision right now, but it's something to think about...
12:26:47 <raildo> I don't have a final position at this point yet :P
12:26:52 <redrobot> haha
12:26:54 <redrobot> good
12:27:00 <redrobot> ok, moving on
12:27:04 <redrobot> #topic Open Discussion
12:27:09 <redrobot> anything else y'all want to talk about?
12:27:26 <Luzi> aes xts 512
12:27:45 <raildo> nothing from my side
12:27:51 <redrobot> Luzi, what about it?
12:28:04 <Luzi> as far as i have read the code - barbican can only generate AES keys with a size of 256, right?
12:28:54 <Luzi> so when using aes xts the key is split, and a key with a size of 256 would only be effective as 128
12:29:47 <redrobot> Hmm... I can't remember off the top of my head. What happens when you set the bit length in an order to 512?
12:30:03 <Luzi> barbican cannot generate it
12:30:12 <Luzi> it just doesn't work
12:30:23 <redrobot> lame. seems like something Barbican should do
12:30:49 <redrobot> especially since aes keys of arbitrary lengths are easy to generate
12:30:51 <Luzi> exactly, when xts is chosen barbican should be able to generate 512 keys
12:31:05 <redrobot> Luzi, do you want to file a bug report and work on that?
12:31:11 <Luzi> I would like to try to contribute in that case
12:31:14 <Luzi> yes
12:31:18 <redrobot> awesome!
12:31:42 <redrobot> #action Luzi to add a story to Storyboard for adding AES 512 keys to barbican
12:31:50 <Luzi> but i am quite new, and it would be nice, to know how exactly storyboard works
12:32:52 <redrobot> you should be able to sign in with your Ubuntu One account
12:33:10 <redrobot> after that navigate to the Barbican project and add a new story
12:33:15 <Luzi> redrobot: what times are you here in IRC? so, when i have questions i would come back here
12:33:22 <Luzi> okay, thank you
12:33:32 <redrobot> #link https://storyboard.openstack.org/#!/project/980
12:34:06 <redrobot> Luzi, ☝
12:34:50 <redrobot> Luzi, I'm typically on ~7am-5pm CST
12:34:58 <Luzi> thank you
12:35:01 <redrobot> I also have a bouncer set up, so I'm always listening
12:36:01 <redrobot> any other topics for Open Discussion?
12:37:14 <Luzi> not from my side
12:38:44 <redrobot> ok, let's call it a day, then.
12:39:16 <redrobot> we all get 20 minutes back 😄
12:39:26 <redrobot> #endmeeting