#openstack-meeting log

18:00:16 <bdpayne> #startmeeting OpenStack Security Group
18:00:17 <openstack> Meeting started Thu May 16 18:00:16 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:20 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:46 <bdpayne> hi everyone
18:00:52 <malini1> Greetings
18:00:53 <bdpayne> Bryan Payne from Nebula here
18:00:57 <bdpayne> who else do we have?
18:01:04 <noslzzp> Greetings..  Basil from Red Hat.
18:01:27 <malini1> Basil -- hope you did get some sleep!
18:01:46 <noslzzp> A bit!
18:01:51 <bdpayne> ha, nice
18:01:57 <bdpayne> ok, we'll get started
18:02:02 <bdpayne> I'm sure more will join as we go
18:02:10 <bdpayne> #topic Doc Sprint
18:02:32 <bdpayne> so we have dates locked in: June 24-28
18:02:41 * annegentle waves
18:02:41 <bdpayne> we have a location locked in (near BWI)
18:02:49 <bdpayne> hi annegentle
18:03:01 <annegentle> psyched for the doc sprint y'all!
18:03:23 <bdpayne> and we have about 12 people committed to participating
18:04:05 <bdpayne> noslzzp I'd like to explore getting a hotel block
18:04:24 <bdpayne> and we have some logistics to work our regarding food and such
18:04:24 <noslzzp> It's complicated. :)
18:04:30 <bdpayne> complicated?
18:05:19 <noslzzp> So, because we have a sponsor from the IC, the address is sensitive.
18:05:38 <bdpayne> heh
18:05:49 <noslzzp> The last meeting we had there, we didn't get final address details until late.
18:05:58 <bdpayne> well, people will need to book a hotel, right?
18:06:11 <noslzzp> I've asked Shawn to join here real quick.
18:06:17 <swells> noslzzp:  i'm here
18:06:19 <bdpayne> and we'd like to be as close to the site as possible… walking distance is ideal
18:07:12 <mtesauro> who is "the IC" - I missed the last meeting
18:07:23 <noslzzp> Ok.. So I've been the facility in mind.  And it's walking distance from 2-3 hotels.
18:07:32 <noslzzp> "IC" = intelligence community.
18:07:59 <noslzzp> The location is very good for us.  Good wifi, large room, quiet and decent restaurants.
18:08:10 <bdpayne> could we still get a block at one of those hotels and not disclose the actual meeting location until last minute?
18:08:46 <noslzzp> Give me 48 hours to get confirmation from our sponsor.  I'd like to keep protocol in place.
18:09:04 <bdpayne> fair enough
18:09:15 <bdpayne> we can discuss offline once you know more noslzzp
18:09:23 <noslzzp> Shawn is helping with the coordination.
18:09:45 <bdpayne> #action noslzzp / swells to confirm our ability to setup hotel block
18:09:57 <noslzzp> bdpayne, yes, offline as soon as we're fully cleared to share the address.
18:10:11 <noslzzp> Sorry this is so complicated. :)
18:10:24 <bdpayne> no problem
18:10:36 <bdpayne> I used to live in that world, I understand at a deeper level than I care to admit
18:10:46 <noslzzp> heh
18:11:19 <bdpayne> ok, so bottom line here is that logistics are starting to come together
18:11:29 <bdpayne> and we have a great team put together to do the guide
18:11:43 <bdpayne> any other things to discuss regarding the doc sprint?
18:12:20 <bdpayne> ok, we can move forward then
18:12:28 <bdpayne> #topic Ongoing Security Projects
18:12:47 <bdpayne> Anyone here that can provide an update on RPC security, key manager, and/or volume encryption work?
18:13:20 <joel-coffman> I can speak to the volume encryption work
18:13:30 <malini1> Key manager: malini
18:13:45 <bdpayne> joel-coffman let's start with you then
18:14:03 <joel-coffman> We expect to (re)submit our code in another couple of weeks
18:14:04 <mtesauro> I know key manager is actively being developed - I'm on the github and see the commit/pull requests/etc.
18:14:26 <joel-coffman> We're working to incorporate changes requested at the summit
18:15:00 <bdpayne> joel-coffman what can we expect from a functionality perspective from this new code submition?
18:15:44 <joel-coffman> The encryption part should be fully-functional
18:16:09 <bdpayne> without integration into a key manager?
18:16:13 <bdpayne> or with?
18:16:14 <joel-coffman> until the key manager is ready, I don't know how useful it will be in a deployed environment
18:16:27 <bdpayne> right, ok
18:16:54 <malini1> Key manager goal is to have enough in git by May 31 for joel-coffman to get a key and use
18:16:59 <joel-coffman> we aren't quite ready to integrate with the key manager yet
18:17:10 <joel-coffman> that timeline sounds about perfect
18:17:15 <malini1> key manger will support "put" secret, "get" secret
18:17:37 <bdpayne> joel-coffman if you put "SecurityImpact" in your git commit message for the PR, then it will automatically email the security list for review when your code goes up
18:17:50 <malini1> May 31 is Havana-1 deadline, and July 18 havana-2, meeting 1&2 ensures incubation success
18:18:04 <joel-coffman> okay
18:18:32 <bdpayne> sounds good, let us know if there's anything else the security group can do to help there
18:18:42 <bdpayne> malini1 any other details on the key manager work?
18:18:59 <malini1> I am working on keystone integration for key manager
18:19:11 <malini1> and it is coming along
18:19:48 <malini1> jarret from rackspace is working on a client, so slowly all the pieces are coming togeher
18:19:49 <bdpayne> is the architecture / design of the key manager with regards to keystone available anyware?
18:20:18 <malini1> yes, https://github.com/cloudkeep/barbican/wiki/_pages
18:20:36 <mtesauro> Malini - when you say client - do you mean the JS client?
18:21:01 <mtesauro> aka Palisade?
18:21:02 <malini1> the only piece I am not too thrilled is that the rackspace design has a notion of "order", which is asynch to create a key
18:21:32 <malini1> that fits in better for pki private/public and certificate, for a simple asymmetric key that feels like too much overhead
18:21:38 <mtesauro> I suspect that if for SSL cert mgmt.  That process has to be async if dealing with a third party CA
18:22:02 <malini1> the alternative is for the service wanting a secret key to just create it and "put" it into keymanager
18:22:40 <bdpayne> perhaps async is a reasonable first step?  with an optimization available for symmetric keys down the road?
18:22:43 <malini1> exactly, it is for ssl-cert management, but users such as cinder, swift etc are seeking symmetric keys
18:23:04 <malini1> yes, would like support for pitching a fast-pass for symmetric keys
18:23:26 <bdpayne> so is the key store creating the keys.. or just storing them?
18:23:40 <malini1> having a fast-pass for symmetric would better support a use model where there is say and HSM to back the key manager
18:23:53 <malini1> both models support, creating and storing
18:23:59 <bdpayne> ok
18:24:12 <malini1> because storing is supported, do not need to use the asynch path for symmetric keys
18:24:23 <mtesauro> I am a short walk away from Jarret - I can talk to him about this.
18:24:26 <bdpayne> personally, I like creating b/c I suspect that many users will make mistakes in trying to create keys
18:24:39 <bdpayne> mtesauro that would be great
18:25:35 <bdpayne> #action joel-coffman to aim for Havana-1 deadline for submission of volume encryption code
18:25:51 <joel-coffman> will do
18:26:03 <bdpayne> #action mtesauro to discuss symmetric keys use case with Jarret, sync back with malini1
18:26:16 <bdpayne> anything else to discuss?
18:26:58 <bdpayne> ok then… thanks everyone for attending
18:27:03 <bdpayne> I believe we are done for today
18:27:13 <malini1> the point of creation needs to have a good supply of entropy for random numbers, so if the keymanager client has an api call for create key, that would work, most service endpoints for key creation will be on host machines
18:27:31 <malini1> with the necessary entropy
18:28:07 <malini1> thanks everyone
18:28:16 <bdpayne> exactly… and then the key manager could get the entropy correctly
18:28:24 <bdpayne> whereas the clients may not use a proper rng
18:28:29 <bdpayne> which is a pretty common mistake
18:29:11 <bdpayne> #endmeeting