Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-09 Thread Steven Dake (stdake)
Daviey,

I pointed this out to Pavo as well a few weeks ago.  I’m not sure if it 
mattered or not.

Regards
-steve


From: Dave Walker <em...@daviey.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Date: Tuesday, November 8, 2016 at 2:01 PM
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs 
cryptography

Hey Steve,

All of the credential generation is optional right?  I mean, as far as kolla is 
concerned - it doesn't *need* to generate the passwords... If 
/etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla isn't 
creating any credentials itself and the algorithm, entropy and policy is 
transparent to kolla.

On 8 November 2016 at 21:50, Steven Dake (stdake) <std...@cisco.com> wrote:
Ok,

Pavo has told me he has exceptions in place for everything related to Kolla.  
He says as long as we don’t use MD5, he is good to go for a 232 node deploy 
with more to follow (assuming Kolla works out of the box at that scale - we 
have only tested 123 node scale).

We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos to 
generate passwords, and we also generate some ssh public/private keys.

Hope the security context helps.

Thanks everyone on this thread for providing guidance.  RobC++ on article.

Regards
-steve




On 11/8/16, 1:46 PM, "Clint Byrum" <cl...@fewbar.com> wrote:

>Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
>> Can I ask why FIPS compliance is a requirement for Kolla? This seems
>> like an odd request for a deployment project.
>>
>
>Guessing it's for the modules that need to communicate securely with
>OpenStack itself.
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-08 Thread Dave Walker
Hey Steve,

All of the credential generation is optional right?  I mean, as far as
kolla is concerned - it doesn't *need* to generate the passwords... If
/etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla
isn't creating any credentials itself and the algorithm, entropy and policy
is transparent to kolla.

On 8 November 2016 at 21:50, Steven Dake (stdake)  wrote:

> Ok,
>
> Pavo has told me he has exceptions in place for everything related to
> Kolla.  He says as long as we don’t use MD5, he is good to go for a 232
> node deploy with more to follow (assuming Kolla works out of the box at
> that scale - we have only tested 123 node scale).
>
> We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos
> to generate passwords, and we also generate some ssh public/private keys.
>
> Hope the security context helps.
>
> Thanks everyone on this thread for providing guidance.  RobC++ on article.
>
> Regards
> -steve
>
>
>
>
> On 11/8/16, 1:46 PM, "Clint Byrum"  wrote:
>
> >Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
> >> Can I ask why FIPS compliance is a requirement for Kolla? This seems
> >> like an odd request for a deployment project.
> >>
> >
> >Guessing it's for the modules that need to communicate securely with
> >OpenStack itself.
> >
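Added example, not part of the thread and not Kolla's or kolla-genpwd's code: one way to create the credentials outside kolla-genpwd, as the message above describes, by filling the empty entries of a flat passwords.yml-style file from the OS CSPRNG. The key names, the 40-character alphanumeric policy and the 128-bit floor are assumptions.

```python
import math
import os
import secrets
import string

# Assumed policy (not Kolla's): 40 characters drawn from letters and digits.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 40


def entropy_bits(length=LENGTH, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random password under this policy."""
    return length * math.log2(len(alphabet))


def new_password(length=LENGTH, alphabet=ALPHABET):
    # secrets uses the operating system CSPRNG, unlike the random module.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fill_passwords(text, min_bits=128):
    """Fill empty top-level `key:` entries; leave set values and nested keys alone."""
    if entropy_bits() < min_bits:
        raise ValueError("policy gives fewer than %d bits" % min_bits)
    lines = text.splitlines()
    out, filled = [], []
    for i, line in enumerate(lines):
        key, sep, rest = line.partition(":")
        value = rest.split("#", 1)[0].strip()
        top_level = bool(line) and not line[0].isspace() and not line.startswith("#")
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # An empty key followed by indented lines is a mapping (e.g. an SSH
        # key pair), not a password slot.
        has_children = nxt[:1].isspace() and nxt.strip() != ""
        if top_level and sep and not value and not has_children:
            out.append("%s: %s" % (key.strip(), new_password()))
            filled.append(key.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n", filled


def write_private(path, text):
    """Create the file readable by its owner only; never overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


# Constructed sample input; these are not Kolla's real key names.
SAMPLE = """\
---
# constructed sample
database_password:
rabbitmq_password: already-set-by-operator
keystone_admin_password:   # rotate quarterly
example_ssh_key:
  private_key:
  public_key:
"""

if __name__ == "__main__":
    result, keys = fill_passwords(SAMPLE)
    print("filled:", keys, "at %.0f bits each" % entropy_bits())
```

Values the operator already set and the nested key-pair entry pass through unchanged, so the script can be re-run on a partly filled file.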


Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-08 Thread Steven Dake (stdake)
Ok,

Pavo has told me he has exceptions in place for everything related to Kolla.  
He says as long as we don’t use MD5, he is good to go for a 232 node deploy 
with more to follow (assuming Kolla works out of the box at that scale - we 
have only tested 123 node scale).

We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos to 
generate passwords, and we also generate some ssh public/private keys.

Hope the security context helps.

Thanks everyone on this thread for providing guidance.  RobC++ on article.

Regards
-steve




On 11/8/16, 1:46 PM, "Clint Byrum"  wrote:

>Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
>> Can I ask why FIPS compliance is a requirement for Kolla? This seems
>> like an odd request for a deployment project.
>> 
>
>Guessing it's for the modules that need to communicate securely with
>OpenStack itself.
>
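Added example, not part of the thread: a static check for the two things the message above and Davanum Srinivas's message turn on, imports from the `Crypto` namespace (which pycrypto and pycryptodome both install, so they cannot coexist) and any use of MD5. The sample source and the finding labels are constructed.

```python
import ast


def audit(source, filename="<string>"):
    """Return sorted (line, kind, detail) findings for one Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            modules = ["%s.%s" % (node.module, alias.name) for alias in node.names]
        else:
            modules = []
        for mod in modules:
            parts = mod.split(".")
            if parts[0] == "Crypto":
                # pycrypto or pycryptodome; the import alone cannot tell which.
                findings.append((node.lineno, "crypto-namespace", mod))
            if parts[-1].lower() == "md5":
                findings.append((node.lineno, "md5", mod))

        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute):
                name = func.attr
            else:
                name = getattr(func, "id", "")
            first = node.args[0] if node.args else None
            if name.lower() == "md5":
                # hashlib.md5(...) or a bare md5(...) after `from hashlib import md5`
                findings.append((node.lineno, "md5", "md5()"))
            elif (name == "new" and isinstance(first, ast.Constant)
                    and str(first.value).lower() == "md5"):
                # hashlib.new("md5", ...)
                findings.append((node.lineno, "md5", 'new("md5")'))
    return sorted(findings)


# Constructed sample source, not taken from Kolla.
SAMPLE = '''\
import hashlib
from Crypto.Hash import MD5
from Crypto.PublicKey import RSA
from cryptography.hazmat.primitives import hashes

def fingerprint(blob):
    return hashlib.md5(blob).hexdigest()

def digest(blob):
    return hashlib.new("md5", blob).digest()

def good(blob):
    return hashlib.sha256(blob).hexdigest()
'''

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print("line %d: %s (%s)" % (line, kind, detail))
```

The check is syntactic: an algorithm name passed in through a variable, or MD5 used inside a dependency, is not seen.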


Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-08 Thread Clint Byrum
Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
> Can I ask why FIPS compliance is a requirement for Kolla? This seems
> like an odd request for a deployment project.
> 

Guessing it's for the modules that need to communicate securely with
OpenStack itself.



Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-08 Thread Ian Cordasco
-Original Message-
From: Rob C <hyaku...@gmail.com>
Reply: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Date: November 7, 2016 at 07:39:57
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Subject:  Re: [openstack-dev] [requirements][kolla][security] pycrypto
vs cryptography

> Good question, I know issues around this have arisen before.
>
> I think the main points have been covered well already, for my part I will
> always lean toward the better supported or actively developed project.

At this point PyCrypto actively tells users that it's not supported or
developed. They've been pushing people towards Cryptography.

> I understand the desire to look for FIPS 140-2 compliance, however I'd
> caution about this being the only deciding factor, it makes software
> development messy as only specific implementations can be validated. If you
> want to update code to make improvements etc you can need a whole
> re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know
> of software projects that have used known-bad implementations that had
> certification rather than use an updated version with no issues - (like I said,
> it gets messy).
>
> The OpenSSL guys wrote a good article on FIPS validation, how they tackled
> it and some of the impact etc [1]
>
> -Rob
>
> [1] https://www.openssl.org/docs/fipsnotes.html

I would strongly suggest you read Rob's link. It's very enlightening
to know why, while FIPS may be a requirement, it's not necessarily
beneficial from a security standpoint. It's also ridiculously
expensive and restrictive.

I've CC'd one of the lead developers from the Cryptography project to
comment on this. I would hazard a guess that one could compile
Cryptography against a version of OpenSSL that is FIPS compliant, but
I doubt it'll be considered supported. I know Cryptography recently
dropped support for a few older versions of OpenSSL, and to work with
that you'd have to stick to an older version of Cryptography.

Can I ask why FIPS compliance is a requirement for Kolla? This seems
like an odd request for a deployment project.

> On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley wrote:
>
> > On 2016-11-06 14:59:03 + (+), Jeremy Stanley wrote:
> > > On 2016-11-06 08:05:51 + (+), Steven Dake (stdake) wrote:
> > [...]
> > > > An orthogonal question I have received from one of our community
> > > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > > cryptography) provide FIPS-140-2 compliance.
> > >
> > > My understanding is that if you need, for example, a FIPS-compliant
> > > AES implementation under the hood, then this is dependent more on
> > > what backend libraries you're using... e.g.,
> > > https://www.openssl.org/docs/fips.html
> > > https://www.openssl.org/docs/fipsvalidation.html

--
Ian Cordasco



Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-08 Thread Gardiner Michael
Hey Guys,

If FIPS 140-2 compliance is important you might want to look at something
like a PKCS#11 wrapper and let your PKCS#11 compliant module be the deciding
factor in meeting that compliance level.  There are wrappers for most
languages.  (We have our own python p11 implementation tailored to our Luna
HSMs here https://github.com/gemalto/pycryptoki but you should be able to
use a more generic project if you choose)  

There are other commonly used APIs such as OpenSSL, Java JCA/JCE and MS
CAPI/CNG but given that we're talking about python on linux a PKCS #11
approach is probably best.

Beyond just "140-2" there are different levels.  Pure software
implementations are limited to level 1. Level 2, 3, and 4 require hardware
and have more strict requirements as you go up the chain.  Someone asking
for FIPS 140-2 compliance will also generally have a minimum level that they
require.

I do work for a vendor of hardware security modules and so I have biases
towards our solutions but without getting into any of that I do believe if
you want to take FIPS into consideration you should stick to a broadly
adopted crypto API that allows you to switch out the back end module.  

Cheers,

Mike Gardiner
Systems Security Architect
Gemalto

-Original Message-
From: Jeremy Stanley [mailto:fu...@yuggoth.org] 
Sent: November-06-16 11:44 AM
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs
cryptography

On 2016-11-06 14:59:03 + (+), Jeremy Stanley wrote:
> On 2016-11-06 08:05:51 + (+), Steven Dake (stdake) wrote:
[...]
> > An orthogonal question I have received from one of our community 
> > members (Pavo on irc) is whether pycrypto (or if we move to
> > cryptography) provide FIPS-140-2 compliance.
> 
> My understanding is that if you need, for example, a FIPS-compliant 
> AES implementation under the hood, then this is dependent more on what 
> backend libraries you're using... e.g., 
> https://www.openssl.org/docs/fips.html
> https://www.openssl.org/docs/fipsvalidation.html

I should clarify, I was referring specifically to pyca/cryptography's
OpenSSL backend. In contrast the pycrypto maintainers seem to have copied
and forked a variety of algorithms (some of which seem to be based on NIST/FIPS
reference implementations for C or backports from bits of Py3K stdlib but
have undergone subsequent modification), so very likely have not been put
through any sort of direct compliance validation:
https://github.com/dlitz/pycrypto/blob/master/src/AES.c
https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c
et cetera...
--
Jeremy Stanley



Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-07 Thread Rob C
Good question, I know issues around this have arisen before.

I think the main points have been covered well already, for my part I will
always lean toward the better supported or actively developed project.

I understand the desire to look for FIPS 140-2 compliance, however I'd
caution about this being the only deciding factor, it makes software
development messy as only specific implementations can be validated. If you
want to update code to make improvements etc you can need a whole
re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know
of software projects that have used known-bad implementations that had
certification rather than use an updated version with no issues - (like I said,
it gets messy).

The OpenSSL guys wrote a good article on FIPS validation, how they tackled
it and some of the impact etc [1]

-Rob

[1] https://www.openssl.org/docs/fipsnotes.html

On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley  wrote:

> On 2016-11-06 14:59:03 + (+), Jeremy Stanley wrote:
> > On 2016-11-06 08:05:51 + (+), Steven Dake (stdake) wrote:
> [...]
> > > An orthogonal question I have received from one of our community
> > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > cryptography) provide FIPS-140-2 compliance.
> >
> > My understanding is that if you need, for example, a FIPS-compliant
> > AES implementation under the hood, then this is dependent more on
> > what backend libraries you're using... e.g.,
> > https://www.openssl.org/docs/fips.html
> > https://www.openssl.org/docs/fipsvalidation.html
>
> I should clarify, I was referring specifically to
> pyca/cryptography's OpenSSL backend. In contrast the pycrypto
> maintainers seem to have copied and forked a variety of algorithms
> (some of which seem to be based on NIST/FIPS reference implementations
> for C or backports from bits of Py3K stdlib but have undergone
> subsequent modification), so very likely have not been put through
> any sort of direct compliance validation:
> https://github.com/dlitz/pycrypto/blob/master/src/AES.c
> https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c
> et cetera...
> --
> Jeremy Stanley
>


Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-06 Thread Jeremy Stanley
On 2016-11-06 14:59:03 + (+), Jeremy Stanley wrote:
> On 2016-11-06 08:05:51 + (+), Steven Dake (stdake) wrote:
[...]
> > An orthogonal question I have received from one of our community
> > members (Pavo on irc) is whether pycrypto (or if we move to
> > cryptography) provide FIPS-140-2 compliance.
> 
> My understanding is that if you need, for example, a FIPS-compliant
> AES implementation under the hood, then this is dependent more on
> what backend libraries you're using... e.g.,
> https://www.openssl.org/docs/fips.html
> https://www.openssl.org/docs/fipsvalidation.html

I should clarify, I was referring specifically to
pyca/cryptography's OpenSSL backend. In contrast the pycrypto
maintainers seem to have copied and forked a variety of algorithms
(some of which seem to be based on NIST/FIPS reference implementations
for C or backports from bits of Py3K stdlib but have undergone
subsequent modification), so very likely have not been put through
any sort of direct compliance validation:
https://github.com/dlitz/pycrypto/blob/master/src/AES.c
https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c
et cetera...
-- 
Jeremy Stanley



Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-06 Thread Steven Dake (stdake)
Dims,

Right I think I have heard pycrypto was dead, which sort of prompted the 
question.  Thanks for the response!

Regards,
-steve

From: Davanum Srinivas <dava...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Date: Sunday, November 6, 2016 at 7:39 AM
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs 
cryptography

Steve,

pycrypto is almost dead. The replacement is pycryptodome. BUT both
cannot be installed at the same time, so there is a struggle to get
all projects to work correctly with pycryptodome, Last i checked the
status was this:
http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt#n188

cryptography has been there in requirements since 2014:
https://review.openstack.org/#/c/93794/

So, i'd support projects wanting to use cryptography directly.

fwiw, i don't see a claim to support FIPS-140-2 in cryptography:
https://cryptography.io/en/latest/development/test-vectors/
https://github.com/pyca/cryptography/tree/master/vectors/cryptography_vectors/asymmetric/ECDSA

Thanks,
Dims



On Sun, Nov 6, 2016 at 3:05 AM, Steven Dake (stdake) <std...@cisco.com> wrote:
Requirements team,



Currently Kolla uses pycrypto in our requirements.  I see a lot of big tent
projects moving to cryptography.  Is this just my imagination, or was there
a decision on this from the requirements team?  We are happy to comply with
whatever dep management is considered appropriate for OpenStack ESPECIALLY
as it relates to security and crypto libraries.



I’d just like confirmation if we should move off pycrypto to cryptography,
or if these two things offer similar functionality, or if I’m way off base
here ☺.



An orthogonal question I have received from one of our community members
(Pavo on irc) is whether pycrypto (or if we move to cryptography) provide
FIPS-140-2 compliance.



Regards

-steve








--
Davanum Srinivas :: https://twitter.com/dims



Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-06 Thread Jeremy Stanley
On 2016-11-06 08:05:51 + (+), Steven Dake (stdake) wrote:
> Currently Kolla uses pycrypto in our requirements.  I see a lot of
> big tent projects moving to cryptography.  Is this just my
> imagination, or was there a decision on this from the requirements
> team?  We are happy to comply with whatever dep management is
> considered appropriate for OpenStack ESPECIALLY as it relates to
> security and crypto libraries.

The only "decision" I'm aware of from the requirements reviewers
(long before it was an official team) was ~2.5 years ago when
cryptography was introduced into global requirements by developers
wishing to use it in Barbican: https://review.openstack.org/93794

Keystone seems to have added it into their own requirements soon
thereafter, a little over 2 years ago, for access to fernet
primitives to use in their lightweight token implementation:
https://review.openstack.org/145317

Nova introduced it roughly 1.5 years ago to replace some hacky
callouts to the openssl command-line utility in a number of
functions: https://review.openstack.org/198246

I'm sure I could find more examples, but this demonstrates there's
been a gradual uptake in the library in key parts of OpenStack over
the course of years. Is there a particular recent addition of it in
some project which took you by surprise?

> I’d just like confirmation if we should move off pycrypto to
> cryptography, or if these two things offer similar functionality,
> or if I’m way off base here ☺.

They both seem to be pretty solid and widely used, even though
cryptography has much more recent origins and so is still seeing a
lot more active development. This LWN article, ironically, describes
the events leading to its origins and covering reasons why it's
somewhat aligned with OpenStack-specific use cases:
https://lwn.net/Articles/595790/

> An orthogonal question I have received from one of our community
> members (Pavo on irc) is whether pycrypto (or if we move to
> cryptography) provide FIPS-140-2 compliance.

My understanding is that if you need, for example, a FIPS-compliant
AES implementation under the hood, then this is dependent more on
what backend libraries you're using... e.g.,
https://www.openssl.org/docs/fips.html
https://www.openssl.org/docs/fipsvalidation.html
-- 
Jeremy Stanley




Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-06 Thread Davanum Srinivas
Steve,

pycrypto is almost dead. The replacement is pycryptodome. BUT both
cannot be installed at the same time, so there is a struggle to get
all projects to work correctly with pycryptodome, Last i checked the
status was this:
http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt#n188

cryptography has been there in requirements since 2014:
https://review.openstack.org/#/c/93794/

So, i'd support projects wanting to use cryptography directly.

fwiw, i don't see a claim to support FIPS-140-2 in cryptography:
https://cryptography.io/en/latest/development/test-vectors/
https://github.com/pyca/cryptography/tree/master/vectors/cryptography_vectors/asymmetric/ECDSA

Thanks,
Dims



On Sun, Nov 6, 2016 at 3:05 AM, Steven Dake (stdake)  wrote:
> Requirements team,
>
>
>
> Currently Kolla uses pycrypto in our requirements.  I see a lot of big tent
> projects moving to cryptography.  Is this just my imagination, or was there
> a decision on this from the requirements team?  We are happy to comply with
> whatever dep management is considered appropriate for OpenStack ESPECIALLY
> as it relates to security and crypto libraries.
>
>
>
> I’d just like confirmation if we should move off pycrypto to cryptography,
> or if these two things offer similar functionality, or if I’m way off base
> here ☺.
>
>
>
> An orthogonal question I have received from one of our community members
> (Pavo on irc) is whether pycrypto (or if we move to cryptography) provide
> FIPS-140-2 compliance.
>
>
>
> Regards
>
> -steve
>
>
>
>
>



-- 
Davanum Srinivas :: https://twitter.com/dims



[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-06 Thread Steven Dake (stdake)
Requirements team,

Currently Kolla uses pycrypto in our requirements.  I see a lot of big tent 
projects moving to cryptography.  Is this just my imagination, or was there a 
decision on this from the requirements team?  We are happy to comply with 
whatever dep management is considered appropriate for OpenStack ESPECIALLY as 
it relates to security and crypto libraries.

I’d just like confirmation if we should move off pycrypto to cryptography, or 
if these two things offer similar functionality, or if I’m way off base here ☺.

An orthogonal question I have received from one of our community members (Pavo 
on irc) is whether pycrypto (or if we move to cryptography) provide FIPS-140-2 
compliance.

Regards
-steve
