13:00:08 <redrobot> #startmeeting barbican
13:00:09 <openstack> Meeting started Tue Aug 27 13:00:08 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:12 <openstack> The meeting name has been set to 'barbican'
13:00:17 <moguimar> yololo
13:00:22 <redrobot> #topic Roll Call
13:00:36 <redrobot> Courtesy ping for ade_lee hrybacki jamespage Luzi lxkong raildo rm_work xek
13:00:57 <Luzi> o/
13:01:10 <redrobot> As usual our agenda can be found here:
13:01:22 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:01:41 <redrobot> Luzi, moguimar, you guys are the best for always being here! :D
13:01:52 <redrobot> #topic Review Past Meeting Action Items
13:01:59 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-08-20-13.00.html
13:02:00 <moguimar> ¯\_(ツ)_/¯
13:02:13 <redrobot> I did not get a chance to do all the things I wanted to this week. :(
13:02:22 <redrobot> So I'm kicking the can down the road
13:02:33 <redrobot> redrobot to document the feature gap between python-barbicanclient and openstacksdk (4)
13:02:43 <redrobot> #action redrobot to document the feature gap between python-barbicanclient and openstacksdk (4)
13:02:55 <redrobot> #action redrobot to ask boss for some time to get a barbican-ui POC (1)
13:02:58 <mhen> o/
13:03:05 <redrobot> #action redrobot to review octavia's how-to for uploading certs
13:03:27 <redrobot> #undo
13:03:28 <openstack> Removing item from minutes: #action redrobot to review octavia's how-to for uploading certs
13:03:39 <redrobot> #action redrobot to review octavia's how-to for uploading certs (1)
13:03:56 <redrobot> #action redrobot to check if secret types can be changed after upload (1)
13:04:09 <redrobot> I use the parentheses to remind myself how many times we've bumped this.
13:04:13 <redrobot> ok, moving on
13:04:23 <redrobot> #topic Liaison Updates
13:04:32 <redrobot> moguimar, any updates from Oslo / Castellan ?
13:04:36 <moguimar> none
13:04:53 <redrobot> cool beans
13:04:56 <redrobot> moving on
13:05:08 <redrobot> I don't have anything on the agenda
13:05:13 <redrobot> are there things y'all want to talk about?
13:06:21 <Luzi> actually just something small
13:07:15 <Luzi> we discovered simple_crypto is using fernet with aes128 for kek-crypto-operations, is that right?
13:07:56 <mhen> #link https://github.com/openstack/barbican/blob/bf95c37b84688c99bda0849230508d955fc62f82/barbican/plugin/crypto/simple_crypto.py#L100
13:07:56 <redrobot> Hmmm... not sure, I haven't looked at it in a while.
13:08:24 <redrobot> oh, yep, that's fernet for sure.
13:08:36 <redrobot> although the 128 is just metadata
13:08:56 <redrobot> I don't think that's actually being used in the Fernet function
13:09:07 <redrobot> #topic Open Discussion
13:09:45 <redrobot> obviously 'AES-CBC-128' != Fernet
13:10:05 <mhen> #link https://cryptography.io/en/latest/fernet/#implementation
13:10:37 <mhen> Barbican uses Fernet implementation from cryptography
13:10:56 <mhen> and it seems to be limited to AES128
13:12:13 <mhen> the Fernet spec doesn't include 192 or 256 actually as it seems abandoned - there is a 2-year-old pull request adding those modes
13:12:19 <mhen> #link https://github.com/fernet/spec/pull/17
13:14:59 <redrobot> Well, that's a bummer
13:15:19 <mhen> I found a quote in Keystone's presentation about their new JWS tokens:
13:15:30 <mhen> "[Fernet] is not really being super supported / used that much anywhere but in Keystone and that was a warning sign [...]"
13:15:42 <rm_work> o/
13:15:44 <mhen> #link https://youtu.be/zxsrkABzwOg?t=500
13:15:59 <rm_work> bit late but don't have anything to add really lol
13:16:09 * redrobot waves at rm_work
13:16:44 <mhen> I understand that simple_crypto is not supposed to be used for production environments
13:18:46 <mhen> does this justify it being based on an old, abandoned crypto spec with no broad usage and open issues though ...
13:20:19 <redrobot> mhen, you bring up a good point
13:20:29 <redrobot> we can certainly improve the simple_crypto plugin
13:20:46 <redrobot> the tricky part will be handling upgrades from an old simple_crypto to an enhanced one.
13:21:24 <redrobot> mhen, do you want to file a bug against Barbican in storyboard
13:21:28 <redrobot> ?
13:21:51 <mhen> sure
13:22:32 <redrobot> #action mhen to file a bug about simple_crypto using an outdated encryption mechanism (Fernet)
13:23:36 <redrobot> cool beans
13:23:43 <redrobot> any other topics we should talk about?
13:24:08 <Luzi> not from my side
13:24:29 <mhen> neither from mine :)
13:24:41 <redrobot> alrighty, I think we're done for today then
13:24:42 <moguimar> add comments to secret consumers review =D
13:24:48 <moguimar> just that
13:24:59 <redrobot> moguimar, you've got it!
13:25:05 <redrobot> thanks for coming, everyone!
13:25:11 <redrobot> #endmeeting