16:59:50 <hyakuhei> #startmeeting Security
16:59:51 <openstack> Meeting started Thu Jan 19 16:59:50 2017 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:54 <openstack> The meeting name has been set to 'security'
16:59:59 <hyakuhei> Ooops, 7 seconds early.
17:00:03 <lhinds> hey!
17:00:08 <hyakuhei> Hey lhinds !
17:00:11 <lhinds> hi hyakuhei
17:00:26 <hyakuhei> Nice to see you!
17:00:39 <lhinds> happy new year (I was off for awhile)
17:00:42 <hyakuhei> Let's wait a moment or two for others to roll in
17:00:48 <hyakuhei> To you too :)
17:01:45 <knangia> O/
17:01:51 <rarora> hi
17:01:52 <capnoday> o/
17:01:58 <lhinds> o/
17:02:01 <hyakuhei> o/ hey guys
17:02:05 <sigmavirus> o/
17:02:11 <hyakuhei> As you know we're looking to run a tight, 30 minute meeting
17:02:16 <sicarie> o/
17:02:24 <hyakuhei> sicarie too! sweet
17:02:32 <michaelxin> o/
17:02:46 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda security agenda for this week
17:03:03 <hyakuhei> Please feel free to add things to that and we'll try to fit everything in
17:03:09 <hyakuhei> hi tkelseym michaelxin
17:03:12 <hyakuhei> tkelsey
17:03:13 <tkelsey> o/
17:03:19 <tkelsey> sorry I'm late
17:03:26 <michaelxin> hyakuhei hi
17:03:28 <hyakuhei> Righto, moving swiftly to the first item
17:03:33 <hyakuhei> #topic PTL
17:03:55 <hyakuhei> The elections are this coming week, similar format as before I think (i.e. Gerrit + ML announcement)
17:04:19 <hyakuhei> I will be standing for PTL after I secured time to spend on OpenStack PTL things from my mgmt
17:04:36 <capnoday> great!
17:04:38 <michaelxin> cool
17:04:41 <michaelxin> Thanks
17:04:54 <hyakuhei> I also encourage others to stand, new blood and all that :)
17:04:55 <capnoday> anyone else want to run? michaelxin lhinds sicarie sigmavirus?
17:04:56 <redrobot> o/
17:05:04 <hyakuhei> omg redrobot hai!
17:05:09 <sigmavirus> Why do people keep volunteering me to run for PTL or TC?
17:05:10 <hyakuhei> Just talking PTL things
17:05:15 <capnoday> redrobot! fancy running for PTL
17:05:19 <hyakuhei> sigmavirus you seem to know all the things.
17:05:20 <michaelxin> haha
17:05:29 <lhinds> i think on a later cycle maybe
17:05:35 <sigmavirus> hyakuhei: but I have none of the time ;)
17:05:43 <lhinds> happy hyakuhei is going forward for now
17:05:44 <sigmavirus> And I'm a master of illusion
17:05:55 <redrobot> capnoday nay... unless hyakuhei is retiring, then... maybe?
17:05:57 <hyakuhei> Ok, the PTL info isn't always the easiest to find, let me know if you're interested and I'll hook you up with the relevant stuff.
17:06:05 <hyakuhei> redrobot not this time around ;)
17:06:24 <hyakuhei> Any questions on PTL things before we move on?
17:06:37 <hyakuhei> (Other than capnoday trying to replace me with pretty much anyone...)
17:06:40 <sicarie> nope, good luck!
17:06:45 <hyakuhei> cheers
17:06:54 <hyakuhei> Right, next up is the PTG - not far away now
17:06:56 <hyakuhei> #topic PTG
17:07:10 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:07:14 <sigmavirus> hyakuhei: I think capnoday wants healthy competition =P
17:07:16 <redrobot> I've got my fingers crossed that I'll get to go...
17:07:51 <hyakuhei> As we discussed at length previously, resources are tight and we don't have a huge number of people going. That doesn't mean others can't contribute remotely though.
17:08:24 <hyakuhei> Interesting topic just been added there re: Barbican/Vault
17:09:11 <hyakuhei> My expectation is that it may be easier to have a Barbican plugin for Vault, similar to the KMIP plugin that doesn't do anything clever with MKEK etc, just uses Vault as its store.
17:09:11 <redrobot> yeah, my use case has changed from wanting to run a global hsm-backed barbican deployment to running many software-based small barbican deployments.
17:09:19 <hyakuhei> Hah
17:09:23 <hyakuhei> who knew that would happen....
17:09:27 * hyakuhei hides.
17:09:40 <redrobot> so I did spend some time looking into the wiring
17:09:50 <capnoday> hahaha
17:09:53 <redrobot> the tricky part is mapping Keystone tokens to Vault tokens
17:10:01 <hyakuhei> I suspect the number of people who care about secrets greatly outnumbers those with HSMs
17:10:17 <capnoday> can't they just deploy dogtag?
17:10:20 <sigmavirus> redrobot: perhaps there's a need for vault to learn about keystone tokens?
17:10:29 <sigmavirus> capnoday: I've been informed that dogtag is quite difficult
17:10:39 <sigmavirus> I never got to that point of a PoC for my team though
17:10:41 <hyakuhei> sigmavirus I don't think they're accepting contributions for the AuthN magic at the moment
17:10:48 <hyakuhei> Might have changed though
17:10:49 <redrobot> sigmavirus that's one option... but I still think it may be easier to avoid Vault altogether
17:11:04 <hyakuhei> Anyway, let's push Vault to the back of the queue for a moment
17:11:11 <hyakuhei> Keeping in mind the meeting length
17:11:14 <redrobot> ie, take the Simple Crypto plugin and add an API call to provide the encryption key at runtime instead of having it in the conf file
17:11:20 <hyakuhei> So good to have on the PTG topic list
17:11:23 <hyakuhei> sssh redrobot
17:11:28 <redrobot> lol
17:11:29 * sigmavirus chuckles
17:11:34 <hyakuhei> #topic Naughty words
17:11:37 <redrobot> yeah, should be a fun discussion at the PTG
17:11:44 <redrobot> poop!
17:11:47 <redrobot> doodoo
17:11:49 <hyakuhei> This might be interesting to the Syntribos folks
17:11:50 <hyakuhei> #link https://github.com/minimaxir/big-list-of-naughty-strings
17:12:04 <hyakuhei> I made a note to bring that up, now I have
17:12:07 <hyakuhei> :)
17:12:20 <hyakuhei> unrahul michaelxin knangia ^^^
17:12:34 <hyakuhei> Some potentially useful stuff there I'm sure
17:12:37 <michaelxin> We saw it. Thanks.
17:12:42 <redrobot> (btw, I mostly came here today to remind hyakuhei to submit his PTL candidacy so we don't get yelled at by the TC again)
17:12:43 <knangia> thanks !
17:12:47 <hyakuhei> Figured as much
17:12:52 <hyakuhei> redrobot thanks bro!
17:12:59 <hyakuhei> #topic OSSN
17:13:01 <michaelxin> redrobot: +1
17:13:09 <hyakuhei> lhinds welcome back from holiday, what's going on with OSSN ?
17:13:20 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:13:28 <hyakuhei> So I see three in there. All private.
17:13:35 <lhinds> so we have two privates, with authors of hyakuhei and tmcpeak
17:13:42 <lhinds> yours is very close hyakuhei
17:14:01 <lhinds> you just need to look at comment #22 and we should be able to get that out
17:14:03 <hyakuhei> It's interesting that we have so many private these days, I think because we are being used as a catch-all for the VMT where a project isn't supported by them.
17:14:11 <sigmavirus> lhinds: if you need help, let me know. I see two on that list and have context on them
17:14:17 <lhinds> I will catch up with tmcpeak when I next see him online
17:14:46 <lhinds> sure sigmavirus , you could take the one to tmcpeak if you like?
17:15:13 <sigmavirus> Oh I wasn't volunteering to write one =P but if tmcpeak needs me to, I can take it over
17:15:29 <sigmavirus> I need to read how to do an OSSN on a private issue
17:16:06 <lhinds> I will try and catch him (he might be PTO), and see where he is.
17:16:35 <lhinds> and it's likely to be public soon too.
17:17:01 <sigmavirus> Okay
17:17:01 <hyakuhei> I'll update that OSSN assigned to me in the 30 minutes I get back from this shorter meeting
17:17:09 <hyakuhei> Anything else lhinds ?
17:17:09 <lhinds> that's it for notes. the other thing is I am getting in touch with infra about hosting the OSSN web / api.
17:17:14 <lhinds> nice thanks hyakuhei
17:17:17 <lhinds> that's it for notes
17:17:22 <hyakuhei> Cool
17:17:25 <hyakuhei> Then we're onto AOB
17:17:33 <hyakuhei> #topic Any Other Business
17:17:48 <hyakuhei> Anything you want to bring up? Discuss Vault some more redrobot ? etc?
17:18:20 <redrobot> I'm sure y'all saw the huge Barbican thread on the ML
17:18:32 <sigmavirus> redrobot: you're welcome and I'm sorry
17:18:44 <redrobot> looks like the TC will be considering what the base "secrets vault" will be
17:18:50 <hyakuhei> Yeah that was interesting
17:19:02 <redrobot> so it looks like we will be going through the incubation ringer again
17:19:11 <sigmavirus> On the bright side, Glare is no longer publicly planning to be a secrets store
17:19:15 <hyakuhei> Though it did get somewhat clobbered by the whole "big tent bad" thing
17:19:32 <sigmavirus> hyakuhei: yeah, people on the ML do that to any thread they can
17:19:38 <redrobot> yeah, there were some valid concerns like keystone token scope not being narrow enough
17:19:42 <sigmavirus> always the same persons too
17:20:21 <redrobot> so, it sounds like we'll have to make the case that barbican is secure to the Arch Working Group
17:20:33 <redrobot> and they'll compare it to Vault and Keywhiz and whatever else
17:20:46 <capnoday> secure and useful?
17:20:57 <redrobot> I'm a little concerned because they could also kill Barbican altogether
17:20:57 <hyakuhei> For software only crypto, it isn't comparable today imho
17:21:04 <redrobot> hyakuhei +!
17:21:07 <redrobot> err +1
17:21:24 <redrobot> yeah, which is why I think that improving Simple Crypto plugin will be important
17:21:29 <hyakuhei> +1
17:21:50 <dave-mccowan> sigmavirus also on barbican: i've submitted patches to get tags for stable-branch, standard-deprecation, and vmt-managed. all are still in review. thanks for bringing that up on the ML.
17:22:01 <sigmavirus> dave-mccowan: ++
17:22:11 <hyakuhei> dave-mccowan good stuff
17:22:31 <sigmavirus> I was about to start a thread on the ML about why the project navigator is developed on GitHub
17:22:34 <redrobot> I think a Vault plugin would be valuable, but only to folks who already have vault
17:22:39 <sigmavirus> but decided two ranty threads a week was my limit
17:22:41 <redrobot> for someone with no existing KMS running both Vault AND Barbican seems like too much overhead
17:22:55 <sigmavirus> redrobot: agreed
17:23:16 <hyakuhei> So instead of using a well audited soft-hsm we're going to build one ourselves?
17:23:23 <hyakuhei> Certainly sounds like the OpenStack way...
17:23:30 <redrobot> lol
17:23:41 <sigmavirus> hyakuhei: absolutely
17:23:42 <redrobot> the alternative is to abandon Barbican altogether. :(
17:23:59 <redrobot> and just build a Vault auth plugin for Keystone
17:24:03 <hyakuhei> I don't think anyone wants taht
17:24:05 <hyakuhei> *that
17:24:42 <redrobot> I also explored using SoftHSM with our existing PKCS#11 plugin https://www.opendnssec.org/softhsm/
17:25:00 <redrobot> but it's not scalable
17:25:18 <redrobot> or at least it wasn't obvious to me how we could scale it.
17:25:50 <sigmavirus> mhayden: have you ever seen softhsm?
17:26:03 <hyakuhei> Interesting. This certainly sounds like a good thing to spend time on at the PTG
17:26:08 * sigmavirus wonders if mhayden knows someone or has cycles
17:26:59 <redrobot> yup... also thinking that a Vault vs Barbican prezo in Boston would be a good thing to hvae
17:27:04 <redrobot> *have
17:27:15 <hyakuhei> It does kinda look like it might be less work to extend Vault's AppRole scheme than build a new SoftHSM. However, I'm happy to be involved in either.
17:28:00 <capnoday> I am very against building a new softhsm unless absolutely necessary. I would even consider posting on the mailing list to say so!
17:28:02 <hyakuhei> ok, last couple of minutes.
17:28:56 <hyakuhei> Useful meeting all, it seems like we can wrap it here :) thanks!
17:29:11 <redrobot> capnoday so you're arguing for asking operators to run 2 services to run barbican. :-\
17:29:34 <redrobot> kk, see y'all next time friends!
17:29:46 <capnoday> redrobot let's talk more on this next time/offline
17:30:00 <hyakuhei> #endmeeting