16:59:50 #startmeeting Security
16:59:51 Meeting started Thu Jan 19 16:59:50 2017 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:52 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:54 The meeting name has been set to 'security'
16:59:59 Ooops, 7 seconds early.
17:00:03 hey!
17:00:08 Hey lhinds!
17:00:11 hi hyakuhei
17:00:26 Nice to see you!
17:00:39 happy new year (I was off for a while)
17:00:42 Let's wait a moment or two for others to roll in
17:00:48 To you too :)
17:01:45 o/
17:01:51 hi
17:01:52 o/
17:01:58 o/
17:02:01 o/ hey guys
17:02:05 o/
17:02:11 As you know we're looking to run a tight, 30 minute meeting
17:02:16 o/
17:02:24 sicarie too! sweet
17:02:32 o/
17:02:46 #link https://etherpad.openstack.org/p/security-agenda security agenda for this week
17:03:03 Please feel free to add things to that and we'll try to fit everything in
17:03:09 hi tkelseym michaelxin
17:03:12 tkelsey
17:03:13 o/
17:03:19 sorry I'm late
17:03:26 hyakuhei hi
17:03:28 Righto, moving swiftly to the first item
17:03:33 #topic PTL
17:03:55 The elections are this coming week, similar format as before I think (i.e. Gerrit + ML announcement)
17:04:19 I will be standing for PTL after I secured time to spend on OpenStack PTL things from my mgmt
17:04:36 great!
17:04:38 cool
17:04:41 Thanks
17:04:54 I also encourage others to stand, new blood and all that :)
17:04:55 anyone else want to run? michaelxin lhinds sicarie sigmavirus?
17:04:56 o/
17:05:04 omg redrobot hai!
17:05:09 Why do people keep volunteering me to run for PTL or TC?
17:05:10 Just talking PTL things
17:05:15 redrobot! fancy running for PTL
17:05:19 sigmavirus you seem to know all the things.
17:05:20 haha
17:05:29 I think on a later cycle maybe
17:05:35 hyakuhei: but I have none of the time ;)
17:05:43 happy hyakuhei is going forward for now
17:05:44 And I'm a master of illusion
17:05:55 capnoday nay... unless hyakuhei is retiring, then... maybe?
17:05:57 Ok, the PTL info isn't always the easiest to find, let me know if you're interested and I'll hook you up with the relevant stuff.
17:06:05 redrobot not this time around ;)
17:06:24 Any questions on PTL things before we move on?
17:06:37 (Other than capnoday trying to replace me with pretty much anyone...)
17:06:40 nope, good luck!
17:06:45 cheers
17:06:54 Right, next up is the PTG - not far away now
17:06:56 #topic PTG
17:07:10 #link https://etherpad.openstack.org/p/ptg-security-team
17:07:14 hyakuhei: I think capnoday wants healthy competition =P
17:07:16 I've got my fingers crossed that I'll get to go...
17:07:51 As we discussed at length previously, resources are tight and we don't have a huge number of people going. That doesn't mean others can't contribute remotely though.
17:08:24 Interesting topic just been added there re: Barbican/Vault
17:09:11 My expectation is that it may be easier to have a Barbican plugin for Vault, similar to the KMIP plugin that doesn't do anything clever with MKEK etc, just uses Vault as its store.
17:09:11 yeah, my use case has changed from wanting to run a global hsm-backed barbican deployment to running many software-based small barbican deployments.
17:09:19 Hah
17:09:23 who knew that would happen....
17:09:27 * hyakuhei hides.
17:09:40 so I did spend some time looking into the wiring
17:09:50 hahaha
17:09:53 the tricky part is mapping Keystone tokens to Vault tokens
17:10:01 I suspect the number of people who care about secrets greatly outnumbers those with HSMs
17:10:17 can't they just deploy dogtag?
17:10:20 redrobot: perhaps there's a need for vault to learn about keystone tokens?
17:10:29 capnoday: I've been informed that dogtag is quite difficult
17:10:39 I never got to that point of a PoC for my team though
17:10:41 sigmavirus I don't think they're accepting contributions for the AuthN magic at the moment
17:10:48 Might have changed though
17:10:49 sigmavirus that's one option... but I still think it may be easier to avoid Vault altogether
17:11:04 Anyway, let's push Vault to the back of the queue for a moment
17:11:11 Keeping in mind the meeting length
17:11:14 i.e. take the Simple Crypto plugin and add an API call to provide the encryption key at runtime instead of having it in the conf file
17:11:20 So good to have on the PTG topic list
17:11:23 sssh redrobot
17:11:28 lol
17:11:29 * sigmavirus chuckles
17:11:34 #topic Naughty words
17:11:37 yeah, should be a fun discussion at the PTG
17:11:44 poop!
17:11:47 doodoo
17:11:49 This might be interesting to the Syntribos folks
17:11:50 #link https://github.com/minimaxir/big-list-of-naughty-strings
17:12:04 I made a note to bring that up, now I have
17:12:07 :)
17:12:20 unrahul michaelxin knangia ^^^
17:12:34 Some potentially useful stuff there I'm sure
17:12:37 We saw it. Thanks.
17:12:42 (btw, I mostly came here today to remind hyakuhei to submit his PTL candidacy so we don't get yelled at by the TC again)
17:12:43 thanks!
17:12:47 Figured as much
17:12:52 redrobot thanks bro!
17:12:59 #topic OSSN
17:13:01 redrobot: +1
17:13:09 lhinds welcome back from holiday, what's going on with OSSN?
17:13:20 #link https://bugs.launchpad.net/ossn
17:13:28 So I see three in there. All private.
17:13:35 so we have two privates, with authors of hyakuhei and tmcpeak
17:13:42 yours is very close hyakuhei
17:14:01 you just need to look at comment #22 and we should be able to get that out
17:14:03 It's interesting that we have so many private these days, I think because we are being used as a catch-all for the VMT where a project isn't supported by them.
17:14:11 lhinds: if you need help, let me know. I see two on that list and have context on them
17:14:17 I will catch up with tmcpeak when I next see him online
17:14:46 sure sigmavirus, you could take the one to tmcpeak if you like?
17:15:13 Oh I wasn't volunteering to write one =P but if tmcpeak needs me to, I can take it over
17:15:29 I need to read how to do an OSSN on a private issue
17:16:06 I will try and catch him (he might be PTO), and see where he is.
17:16:35 and it's likely to be public soon too.
17:17:01 Okay
17:17:01 I'll update that OSSN assigned to me in the 30 minutes I get back from this shorter meeting
17:17:09 Anything else lhinds?
17:17:09 That's it for notes. The other thing is I am getting in touch with infra about hosting the OSSN web / api.
17:17:14 nice thanks hyakuhei
17:17:17 that's it for notes
17:17:22 Cool
17:17:25 Then we're onto AOB
17:17:33 #topic Any Other Business
17:17:48 Anything you want to bring up? Discuss Vault some more redrobot? etc?
17:18:20 I'm sure y'all saw the huge Barbican thread on the ML
17:18:32 redrobot: you're welcome and I'm sorry
17:18:44 looks like the TC will be considering what the base "secrets vault" will be
17:18:50 Yeah that was interesting
17:19:02 so it looks like we will be going through the incubation wringer again
17:19:11 On the bright side, Glare is no longer publicly planning to be a secrets store
17:19:15 Though it did get somewhat clobbered by the whole "big tent bad" thing
17:19:32 hyakuhei: yeah, people on the ML do that to any thread they can
17:19:38 yeah, there were some valid concerns like keystone token scope not being narrow enough
17:19:42 always the same people too
17:20:21 so, it sounds like we'll have to make the case that barbican is secure to the Arch Working Group
17:20:33 and they'll compare it to Vault and Keywhiz and whatever else
17:20:46 secure and useful?
17:20:57 I'm a little concerned because they could also kill Barbican altogether
17:20:57 For software-only crypto, it isn't comparable today imho
17:21:04 hyakuhei +1
17:21:24 yeah, which is why I think that improving Simple Crypto plugin will be important
17:21:29 +1
17:21:50 sigmavirus also on barbican: I've submitted patches to get tags for stable-branch, standard-deprecation, and vmt-managed. All are still in review. Thanks for bringing that up on the ML.
17:22:01 dave-mccowan: ++
17:22:11 dave-mccowan good stuff
17:22:31 I was about to start a thread on the ML about why the project navigator is developed on GitHub
17:22:34 I think a Vault plugin would be valuable, but only to folks who already have vault
17:22:39 but decided two ranty threads a week was my limit
17:22:41 for someone with no existing KMS running both Vault AND Barbican seems like too much overhead
17:22:55 redrobot: agreed
17:23:16 So instead of using a well-audited soft-hsm we're going to build one ourselves?
17:23:23 Certainly sounds like the OpenStack way...
17:23:30 lol
17:23:41 hyakuhei: absolutely
17:23:42 the alternative is to abandon Barbican altogether. :(
17:23:59 and just build a Vault auth plugin for Keystone
17:24:03 I don't think anyone wants that
17:24:42 I also explored using SoftHSM with our existing PKCS#11 plugin https://www.opendnssec.org/softhsm/
17:25:00 but it's not scalable
17:25:18 or at least it wasn't obvious to me how we could scale it.
17:25:50 mhayden: have you ever seen softhsm?
17:26:03 Interesting. This certainly sounds like a good thing to spend time on at the PTG
17:26:08 * sigmavirus wonders if mhayden knows someone or has cycles
17:26:59 yup... also thinking that a Vault vs Barbican prezo in Boston would be a good thing to have
17:27:15 It does kinda look like it might be less work to extend Vault's AppRole scheme than build a new SoftHSM. However, I'm happy to be involved in either.
17:28:00 I am very against building a new softhsm unless absolutely necessary. I would even consider posting on the mailing list to say so!
17:28:02 ok, last couple of minutes.
17:28:56 Useful meeting all, it seems like we can wrap it here :) thanks!
17:29:11 capnoday so you're arguing for asking operators to run 2 services to run barbican. :-\
17:29:34 kk, see y'all next time friends!
17:29:46 redrobot let's talk more on this next time/offline
17:30:00 #endmeeting