12:00:28 <alee> #startmeeting barbican
12:00:29 <openstack> Meeting started Tue Jul  3 12:00:28 2018 UTC and is due to finish in 60 minutes.  The chair is alee. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:30 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:33 <openstack> The meeting name has been set to 'barbican'
12:00:42 <alee> #topic roll call
12:01:19 <alee> anyone here -- I realize this is a big week for holidays ..
12:01:21 <alee> ?
12:01:23 <Luzi> o/
12:01:26 <mhen> o/
12:01:36 <alee> hi Luzi mhen
12:02:17 <alee> we'll wait a couple of minutes for other folks to join ..
12:02:41 <Luzi> hi alee - is redrobot here today?
12:02:54 <alee> I think he's on PTO this week
12:03:02 <alee> (holiday)
12:03:33 <alee> given that tomorrow is July 4th, many folks in the US are taking holidays
12:03:53 <alee> (I would be - but I've been on holiday for the last two weeks)
12:04:16 <Luzi> ah I see
12:04:34 <alee> ok - lets get started
12:05:01 <alee> I don't have much of an agenda this week. still getting caught up.
12:05:13 <alee> we're still marching on to get all the rocky features in
12:05:32 <alee> in particular the OVO feature
12:05:51 <mhen> OVO?
12:06:00 <alee> I've done a ton of reviews and need other core (who are all on vacation) to do some as well
12:06:08 <alee> oslo versioned objects
12:06:16 <mhen> ah I see
12:07:05 <alee> here is tracker page for rocky -- https://etherpad.openstack.org/p/barbican-tracker-rocky
12:07:37 <alee> in addition there is work ongoing to document policy in code and make some policy more consistent
12:07:56 <alee> and some additional work to get the vault plugin tests running
12:08:44 <alee> not much more to report here except that there is a bunch to review and to do before rocky comes out
12:08:56 <mhen> "SGX plugin" - sounds interesting
12:08:58 <alee> next milestone is week of July 23
12:09:14 <mhen> is there any spec or PoC regarding that already?
12:09:34 <alee> mhen, yeah - the Intel folks worked on a plugin for SGX which they got working ..
12:09:47 <alee> and they wrote a whitepaper
12:09:58 <alee> some folks here have tried it out
12:10:03 <mhen> do you happen to have any links to that?
12:10:05 <alee> let me get link ..
12:10:49 <alee> https://arxiv.org/abs/1712.07694
12:10:56 <alee> hey raildo
12:11:07 <mhen> thank you very much
12:11:14 <raildo> hey :)
12:11:21 <Luzi> hi raildo
12:11:35 <alee> https://github.com/cloud-security-research/sgx-kms/tree/master/Barbican
12:11:52 <raildo> hello everyone!
12:12:11 <mhen> welcome :)
12:12:14 <alee> they have some good work there including some barbican changes to do attestation
12:12:25 <alee> but have not tried to upstream any of it yet.
12:12:54 <alee> if anyone is interested in working on that -- that would be a great addition for Stein
12:13:22 <mhen> no promises yet but it could be relevant for our project - we'll have a look at it
12:14:08 <alee> there is another company called Fortanix which has built a solution based on SGX, which has used the pkcs11 plugin to work with their solution
12:14:23 <alee> they are going to write a gate soon
12:14:32 <alee> mhen, that would be great
12:14:51 <alee> #topic summit
12:15:21 <alee> the deadline for submissions for the Berlin summit is fast approaching
12:15:27 <alee> July 13 IIRC
12:15:37 <Luzi> i thought 17
12:15:44 <alee> so any barbican related topics would be great ..
12:15:50 <Luzi> July 17th or am I wrong?
12:16:15 <alee> no  I stand corrected
12:16:37 <alee> July 17th -- I think I was confused by some internal deadline here
12:16:55 <alee> anyone have any ideas of barbican related talks?
12:17:06 <alee> barbican/security?
12:17:57 * mhen shrugs
12:18:39 <alee> I'm probably going to propose something related to the vault backend work I've been working on
12:18:47 <alee> not fleshed out yet
12:19:06 <raildo> alee, that would be awesome
12:19:34 <alee> raildo, I assume you'll be doing something about the oslo.config work?
12:20:17 <raildo> alee, are you saying about proposing something to the Summit, or just about the development?
12:20:27 <alee> raildo, summit
12:20:37 <alee> (I know you're doing the development)
12:21:05 <raildo> alee, well, probably, I'll skip this summit and maybe propose something for the next one, when we'll have something more mature
12:21:12 <raildo> alee, using the castellan driver and so on
12:21:20 <alee> ok
12:21:33 <alee> well just to keep deadline in mind
12:21:40 <raildo> I'd rather do something showing that working, than just "this is the next steps"
12:21:48 <raildo> alee, sure, thanks!
12:21:48 <alee> ack
12:22:08 <alee> #topic castellan as base service
12:22:41 <alee> so for a long time, the TC has been pushing to have castellan added as a base service
12:22:51 <alee> and finally that change has merged ..
12:22:56 * alee finding review ..
12:22:57 <raildo> yay
12:23:29 <alee> https://review.openstack.org/#/c/572656/
12:24:21 <alee> so -- a castellan compatible service is now a base service - which means that developers should expect to use castellan to store secrets
12:24:56 <alee> hopefully this will drive the secure and centralized storage of secrets
12:25:05 <alee> either using vault or barbican
12:25:14 <mhen> this is great news!
12:25:29 <alee> yeah - took forever to get there :)
12:25:52 <alee> #topic anything else?
12:26:00 <mhen> o/
12:26:30 <mhen> there's also "PKCS#11 (against soft crypto)" on the etherpad you linked before - any details on that?
12:27:02 <alee> mhen, yeah - that was more aspirational -- nothing there
12:27:13 <mhen> what does "soft crypto" mean actually? software-emulated HSM?
12:27:19 <alee> yup
12:27:23 <mhen> I see
12:28:00 <mhen> something like Utimaco's simulator? https://hsm.utimaco.com/downloads/utimaco-portal/hsm-simulator/
12:28:06 <mhen> or something more abstract?
12:28:15 <alee> yes - something like that
12:28:40 <mhen> but isn't PKCS11 already implemented?
12:29:04 <alee> mhen, yes - but the only tests for it have been against HSMs
12:29:24 <alee> mhen, and so there are no gates
12:29:52 <alee> mhen, it would be great to have a soft HSM gate -- also as an option for those who cant afford an HSM
12:30:01 <mhen> I see
12:30:14 <mhen> so we'd need a free HSM emulator/simulator I guess
12:30:17 <alee> of course, SGX fills that void too
12:30:45 <alee> right
12:31:07 <alee> and then we can create a gate job against that
12:31:50 <alee> mhen, PKCS11 is tricky -- every vendor has their own idiosyncrasies
12:31:59 <alee> and then there are various versions
12:32:34 <alee> we had some patches submitted to update the pkcs11 version, but we were unable to merge without good testing
12:33:47 <alee> mhen, Luzi - not sure if I've "met" you guys before.  can you do a brief intro and explain your interest in barbican?
12:34:18 <Luzi> mhen and I actually sit next to each other
12:34:25 <Luzi> we work in the same team
12:34:32 <mhen> that's right :)
12:34:56 <Luzi> I started attending this meeting 2 weeks ago, to discuss aes-xts bit lengths
12:35:27 <alee> Luzi, thats right -- I remember reviewing your patch the other day
12:35:30 <Luzi> we proposed a patch for that; you already reviewed it.
12:35:49 <alee> cool
12:36:06 <alee> (I knew your name sounded familiar)
12:36:49 <mhen> our team is working on SecuStack, a security-enhanced OpenStack
12:37:24 <alee> Luzi, I want to get feedback from redrobot and other folks on how best to fix the issue you raised
12:38:06 <alee> mhen, cool - so using barbican for things like volume encryption and image signing and swift object encryption ?
12:38:09 <Luzi> that's a good thing to hear
12:38:21 <mhen> alee, exactly
12:38:44 <alee> also octavia stuff?
12:38:55 <alee> or magnum?
12:38:59 <mhen> not yet
12:39:12 <mhen> we're currently focusing on a minimal set of components
12:39:24 <alee> what backends are you guys looking at?
12:39:48 <mhen> alee, are you referring to Barbican backends?
12:39:52 <alee> yup
12:40:11 <alee> (I know you guys have been looking at SimpleCrypto :))
12:40:24 <mhen> we're currently evaluating the usage of an HSM, specifically one from Safenet
12:40:55 <alee> great
12:40:56 <mhen> but the SGX one sounds very interesting as well
12:41:11 <mhen> this is worth checking out
12:41:44 <alee> definitely.
12:42:03 <alee> well good to meet you guys - welcome aboard!
12:42:16 <mhen> thank you :)
12:42:22 <Luzi> thanks :)
12:42:27 <alee> anything else?
12:43:03 <alee> ok -- till next week then ..
12:43:11 <alee> #endmeeting