12:02:04 <alee> #startmeeting barbican
12:02:05 <openstack> Meeting started Tue Jul 10 12:02:04 2018 UTC and is due to finish in 60 minutes. The chair is alee. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:02:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:02:08 <openstack> The meeting name has been set to 'barbican'
12:02:15 <alee> #topic roll call
12:02:43 <Luzi> o/
12:02:47 <mhen> o/
12:02:53 <alee> Luzi, mhen hi
12:03:01 <Luzi> hi alee
12:03:24 <alee> anyone else here today?
12:04:07 <alee> there are a lot of folks that have been on holiday last week and this week
12:04:30 <alee> so not much has changed in the last week
12:04:54 <alee> I expect things will pick up more with reviews etc. this week.
12:05:46 <alee> given that - I don't really have much of an agenda today other than to remind folks about the submission request deadline for the summit for talks
12:06:19 <alee> Luzi, mhen -- anything you guys want to bring up?
12:07:47 <Luzi> ah i just wanted to ask, if there was any discussion concerning the allowed bit lengths?
12:08:12 <alee> yeah - everyone has been on holiday -- so alas no
12:08:38 <Luzi> okay
12:08:40 <alee> folks are coming back this week so I think we'll have discussion later this week
12:09:26 <alee> Luzi, either way - we'll definitely get a fix in in Rocky
12:09:59 <Luzi> alee, i just wanted to know, if i missed something :)
12:10:02 <Luzi> we have another question: should there be a validation of user provided secrets and their meta-data?
12:10:24 <alee> what kind of validation?
12:10:38 <Luzi> 2 possibilities:
12:11:01 <Luzi> 1. a validation of the combination of meta-data
12:11:25 <Luzi> for example: aes - private key
12:12:00 <Luzi> that is not a valid combination of meta-data
12:12:39 <Luzi> 2. a check of secrets against their meta-data (maybe through validator plugins?)
12:13:33 <alee> if I recall correctly, there is some validation that is in place
12:13:49 <alee> but it's rather rudimentary
12:14:15 <Luzi> can you point it out for us?
12:14:51 <alee> Luzi, yup -- let me check --
12:15:21 <alee> Luzi, what I recall though is there is not a lot there -- certainly it's an area that could be improved
12:16:35 <Luzi> besides this: it is a question, if in general barbican should do things like that or not.
12:18:25 <alee> Luzi, so looking through the code, it looks like that type of validation is not there
12:19:07 <alee> I'm not opposed to adding the validation - and having some kind of validation plugin for folks to add their own is an interesting idea
12:19:25 <alee> we just have not had a request for that yet.
12:19:53 <alee> often there is validation that takes place in the backend plugins
12:20:19 <Luzi> well that's a word :) we can investigate this a little more ...
12:20:38 <alee> for instance some hsms/ kmip devices will fail to archive something if the metadata is bad
12:21:04 <alee> but it would be nice to do some basic validations in barbican before it gets to that point
12:21:24 <alee> we do validate that the fields are correct, but not perhaps the content
12:21:56 <alee> Luzi, if you guys would like to add some validation code, it will certainly be welcome
12:22:03 <alee> raildo, hiu
12:22:15 <raildo> alee, o/
12:22:16 <Luzi> alee, we had thought about a user wanting to upload and use a private key, but accidentally providing the public key. so in that case the meta-data and the secret would differ and could not be used for encryption anymore
12:22:43 <alee> Luzi, seems like a reasonable use case
12:23:02 <Luzi> alee, that's a word :)
12:23:22 <alee> Luzi, need to look - I thought there was some validation for some of that
12:24:01 <alee> I'll poke around for a bit
12:25:22 <alee> Luzi, iirc -- the code is in common/validators.py
12:26:17 <Luzi> alee, i'll take a look into this
12:26:32 <alee> Luzi, you can see what validators are in there -- that would be the place to expand on them
12:26:41 <alee> anything else?
12:27:24 <alee> Luzi, all good?
12:27:51 <Luzi> that was everything from my side
12:28:20 <alee> cool thanks all for attending. hopefully more will happen this week as folks come back
12:28:27 <alee> #endmeeting