Re: [openstack-dev] [kolla][tc] [security] threat analysis, tags, and the road ahead

2016-04-12 Thread Clark, Robert Graham
On 12/04/2016 18:37, "Jeremy Stanley" wrote: >On 2016-04-01 15:50:57 + (+), Hayes, Graham wrote: >> If a team has already done a TA (e.g. as part of an internal >> product TA) (and produced all the documentation) would this meet >> the requirements? >> >> I ask, as

Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Clark, Robert Graham
Thanks Matt, Michael, To start with, lets look quickly at the more recent OSSNs that are marked as work in progress, namely 63,64,65 and 66 – these should all be published within a week or so. Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100% sure what the blockers

[openstack-dev] [Security][Keystone] OSSN-0064 Draft. Request for review

2016-04-11 Thread Clark, Robert Graham
Hi Guys, OSSN-0064 is in review and requires some Keystone love. https://review.openstack.org/#/c/300091/ In relation to: https://bugs.launchpad.net/ossn/+bug/1545789 Cheers -Rob __ OpenStack Development Mailing List (not

[openstack-dev] [Security] Standing agenda for security IRC meetings

2016-04-08 Thread Clark, Robert Graham
Hi all, As per yesterday’s meeting[1], it seems more sensible to create a standing agenda rather than using a new ether pad for each meeting. The standing agenda is available here: https://etherpad.openstack.org/p/security-agenda Please bookmark this and add topics you’d like to discuss

[openstack-dev] [Security][Barbican] BYOK

2016-04-06 Thread Clark, Robert Graham
Hi All, We’ve had lots of discussion about BYOK and most of it has lead to “lets discuss it at the summit”. I’ve got some time for this in the security schedule, I’m checking – is there some other place where this is already tabled to be discussed? -Rob

Re: [openstack-dev] [kolla][tc] [security] threat analysis, tags, and the road ahead

2016-04-01 Thread Clark, Robert Graham
Thanks Steve, Mike, We’ve had a lot more traction with this latest incarnation of TA. I’m very much looking forward to working through the process with the wider community. -Rob On 31/03/2016 20:44, "Steven Dake (stdake)" wrote: >Including tc and kolla > >Michael, >

[openstack-dev] [Security] Newton Design Summit Etherpad

2016-03-23 Thread Clark, Robert Graham
Hi Guys, Please take a few minutes to add ideas to https://etherpad.openstack.org/p/security-newton-summit-brainstorm These don’t have to be things you want to lead, just things you think would be valuable -Rob __

Re: [openstack-dev] [magnum] High Availability

2016-03-20 Thread Clark, Robert Graham
At the risk of muddying the waters further, I recently chatted with some of you about Anchor, it's an ephemeral PKI system setup to provide private community PKI - certificate services for internal systems, a lot like k8 pods. An overview of why revocation doesn't work very well in many cases

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Clark, Robert Graham
I thought that a big part of the use case with Magnum + Barbican was Certificate management for Bays? -Rob From: "Dave McCowan (dmccowan)" Reply-To: OpenStack List Date: Saturday, 19 March 2016 14:56 To: OpenStack List Subject: Re: [openstack-dev] [magnum] High Availability The most basic

[openstack-dev] [Security] PTL Candidacy

2016-03-14 Thread Clark, Robert Graham
I'm announcing my candidacy for PTL of the Security project during the Newton release cycle. As one of the founders of the Security project I believe I have a strong base from which to continue developing and enhancing security within OpenStack. The security project has taken great strides

[openstack-dev] [Security] IRC Meeting Agenda

2016-02-25 Thread Clark, Robert Graham
https://etherpad.openstack.org/p/security-20160225-agenda Cheers -Rob __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Re: [openstack-dev] [all] A proposal to separate the design summit

2016-02-25 Thread Clark, Robert Graham
+1 For security too, this exactly mirrors our experience. From: Duncan Thomas [mailto:duncan.tho...@gmail.com] Sent: 24 February 2016 12:55 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] A proposal to separate the design summit On 22

Re: [openstack-dev] [magnum] Nesting /containers resource under /bays

2016-01-19 Thread Clark, Robert Graham
+1 Doing this, and doing this well, provides critical functionality to OpenStack while keeping said functionality reasonably decoupled from the COE API vagaries that would inevitably encumber a solution that sought to provide ‘one api to control them all’. -Rob From: Mike Metral Reply-To:

Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-13 Thread Clark, Robert Graham
I’m pretty new to openstack-ansible-security but based on my use cases which are as much About using this for verification as they are for building secure boxes my preference would be 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run -Rob On

[openstack-dev] [Security] Cancelling the weekly IRC meeting for thanks giving

2015-11-25 Thread Clark, Robert Graham
Hi all, As the vast majority of the Security Project members are US based we are cancelling the IRC meeting tomorrow. I’ll send out an ether pad agenda early next week and we can catch up then! Kind Regards -Rob __

Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-11-09 Thread Clark, Robert Graham
> -Original Message- > From: Adam Young [mailto:ayo...@redhat.com] > Sent: 02 November 2015 20:54 > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] [openstack-ansible][security] Creating a CA for > openstack-ansible deployments? > > On 10/26/2015 02:38 PM, Major

Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-10-29 Thread Clark, Robert Graham
On 29/10/2015 21:43, "Major Hayden" wrote: >On 10/29/2015 04:33 AM, McPeak, Travis wrote: >> The only potential security drawback is that we are introducing a new >> asset to protect. If we create the tools that enable a deployer to >> easily create and administer a

[openstack-dev] [Security] Meetup / Lunch

2015-10-26 Thread Clark, Robert Graham
We have two fishbowls sessions on Thursday with lunch in the middle. I know there are security talks going on around the same times, this was unavoidable. Perhaps we could all meet up for lunch on thursday, maybe by the prince hotel pool? (Off the marketplace) Looking forward to meeting up

Re: [openstack-dev] [security] The first version of the Logo for Openstack Security Project

2015-10-21 Thread Clark, Robert Graham
I had looped some people into a previous version of the thread but they've not replied yet. I think we ran into this problem before and got a firm "maybe, depending on what it is" from the powers-that-be. Perhaps we should look at a rough-draft alternative logo while we await a verdict? >

Re: [openstack-dev] [security] The first version of the Logo for Openstack Security Project

2015-10-21 Thread Clark, Robert Graham
r the update. We will probably not use any Openstack Logo. > > Here is the first draft of the flyer: > > http://5a6aa6580e900b8e8020-e5e45c5cb10329ebc9fb69948bb1b1a5.r65.cf1.rackcdn.com/ossp-flag-flyer.pdf > > > Please send us your feedback. > > > Yours, > Michae

Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-12 Thread Clark, Robert Graham
> -Original Message- > From: Adam Young [mailto:ayo...@redhat.com] > Sent: 12 October 2015 02:24 > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] [Security] Introducing Killick PKI > > On 10/11/2015 06:50 PM, Robert Collins wrote: > > On 9 October 2015 at 06:47, Adam

[openstack-dev] [Security] Weekly Meeting Agenda

2015-10-08 Thread Clark, Robert Graham
Hi All, I've created an etherpad for today's IRC meeting agenda as we've got a lot to talk about. https://etherpad.openstack.org/p/security-20151008-irc It's listed in the agenda but to be explicit too, we're attempting to plan our schedule for the summit rooms:

Re: [openstack-dev] [openstack-ansible] Reviews needed: openstack-ansible-security

2015-10-08 Thread Clark, Robert Graham
It might be worth re-posting this with a [Security] tag. I know a number of us from the Security project have been quietly keeping tabs on this, it seems like great work. We didn't want to wade in because clearly things were already moving with some good momentum and there's no need for us to

[openstack-dev] [Barbican][Security] Automatic Certificate Management Environment

2015-09-24 Thread Clark, Robert Graham
Hi All, So I did a bit of tyre kicking with Letsencrypt today, one of the things I thought was interesting was the adherence to the burgeoning Automatic Certificate Management Environment (ACME) standard. https://letsencrypt.github.io/acme-spec/ It’s one of the more readable crypto related

[openstack-dev] [Security] Weekly Meeting Agenda

2015-09-23 Thread Clark, Robert Graham
Hi All, I won't be available to run the weekly meeting tomorrow as I'm out travelling, Michael McCune (elmiko) has volunteered to lead the meeting. There's IRC information on our wiki page : https://wiki.openstack.org/wiki/Security Agenda items (Please reply to add any more): *PTL

[openstack-dev] [Neutron] Separate floating IP pools?

2015-09-18 Thread Clark, Robert Graham
Is it possible to have separate floating-IP pools and grant a tenant access to only some of them? Thought popped into my head while looking at the rbac-network spec here: https://review.openstack.org/#/c/132661/4/specs/liberty/rbac-networks.rst Creating individual pools, allowing only some

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Clark, Robert Graham
Likewise, I'm not sure I missed the candidacy window, I think our late mid-cycle threw things out of whack slightly. When I saw the Magnum nomination I made a mental note to apply today. This is a poor-show on my part and I apologise to the TC, the community and the Security team for this

[openstack-dev] [Security] Leadership / Participation in PTL elections.

2015-09-17 Thread Clark, Robert Graham
Security Folks, Some how I missed the window to nominate myself as a PTL candidate for Security. I have literally no idea how I missed it. I’ve been working on Security project things all week (Anchor and OSSNs mainly) so it’s not like I wasn’t thinking about the Security team! Anyway, I missed

Re: [openstack-dev] [openstack-ansible] Security hardening

2015-09-15 Thread Clark, Robert Graham
Very interesting discussion. The Security project has a published security guide that I believe this would be very appropriate content for, the current guide (for reference) is here: http://docs.openstack.org/sec/ Contributions welcome, just like any other part of the OpenStack docs :) -Rob On

[openstack-dev] [Security] Weekly meeting cancelled due to Mid-Cycle

2015-09-02 Thread Clark, Robert Graham
Security folks, Tomorrow’s mid-cycle is cancelled due to many of us attending the Mid-cycle. -Rob __ OpenStack Development Mailing List (not for usage questions) Unsubscribe:

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
he summit yet? I think we should all get >together and talk about it. > >Thanks, >Kevin >________ >From: Clark, Robert Graham [robert.cl...@hp.com] >Sent: Tuesday, September 01, 2015 1:35 PM >To: OpenStack Development Mailing List (not for usage

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
ficate lifecycle) please see my comments below :) >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >Added a few comments inline. > >- - Douglas Mendizábal > >On 9/1/15 12:03 PM, John Dennis wrote: >> On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: >>>

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
.@redhat.com] >Sent: Tuesday, September 01, 2015 10:03 AM >To: OpenStack Development Mailing List (not for usage questions) >Subject: Re: [openstack-dev] [magnum] Difference between certs stored in >keystone and certs stored in barbican > >On 09/01/2015 10:57 AM, Clark, Robert Graha

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
>The reason that is compelling is that you can have Barbican generate, >sign, and store a keypair without transmitting the private key over the >network to the client that originates the signing request. It can be >directly stored, and made available only to the clients that need access >to it.

Re: [openstack-dev] Would people see a value in the cve-check-tool?

2015-08-04 Thread Clark, Robert Graham
Hi Elena, This is interesting work, thanks for posting it (and for posting it here on openstack-dev, we are trying to wind down the security ML) though maybe use the [Security] tag in the subject line next time. I think this is a very interesting project, though it’s unclear to me who might

Re: [openstack-dev] [Security] Midcycle Announcement

2015-07-06 Thread Clark, Robert Graham
-Original Message- From: Thierry Carrez [mailto:thie...@openstack.org] Sent: 06 July 2015 09:12 To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [Security] Midcycle Announcement Clark, Robert Graham wrote: The Security Project will be holding it's mid-cycle

[openstack-dev] [Security] Midcycle Announcement

2015-07-06 Thread Clark, Robert Graham
Hi All, The Security Project will be holding it's mid-cycle meet-up in Seattle 1st to 4th. Topic for the mid-cycle include: *A sprint on v2 of the Security Guide *Bootstrapping OpenStack Crypto Tracking and Verification Work *Security Face - building the appropriate

[openstack-dev] [Security][VMT] Promoting Michael McCune and Travis McPeak to Security CoreSec

2015-07-01 Thread Clark, Robert Graham
With various +1's and no objections I'm pleased to announce that Michael and Travis are now added to the ossg-coresec team. This team assists the VMT with vulnerability metrics, triage and of course OpenStack Security Notes. Congratulations both! -Rob

Re: [openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack

2015-06-17 Thread Clark, Robert Graham
Hi Yang, This is an interesting idea. Most operators running production OpenStack deployments will be using OS-level Mandatory Access Controls already (likely AppArmour or SELinux). I can see where there might be some application on a per-service basis, introducing more security for Swift,

Re: [openstack-dev] [Magnum] TLS Support in Magnum

2015-06-17 Thread Clark, Robert Graham
I think this is an interesting if somewhat difficult to follow thread. It’s worth keeping in mind that there are more ways to handle certificates in OpenStack than just Barbican, though there are often good reasons to use it. Is there a blueprint or scheduled IRC meeting to discuss the options?

[openstack-dev] [Security] Nominating Travis McPeak for Security CoreSec

2015-06-16 Thread Clark, Robert Graham
I'd like to nominate Travis for a CoreSec position as part of the Security project. - CoreSec team members support the VMT with extended consultation on externally reported vulnerabilities. Travis has been an active member of the Security project for a couple of years he's a part of the bandit

[openstack-dev] [Security][VMT] OSSG CoreSec Positions

2015-06-10 Thread Clark, Robert Graham
All, OSSG CoreSec is a private group on Launchpad, it consists of established Security Project team members who are on hand to be called in by the VMT to consult on vulnerabilities and discuss possible mitigations. We require two new members, as with other project ‘cores’ I suggest a

Re: [openstack-dev] [Security] [Bandit] Using multiprocessing/threading to speed up analysis

2015-06-08 Thread Clark, Robert Graham
Interesting work, I guess my initial thought would be - does it need to be faster? Will this work make maintenance and the addition of features more difficult? -Rob On 08/06/2015 08:26, Ian Cordasco ian.corda...@rackspace.com wrote: Hey everyone, I drew up a blueprint

Re: [openstack-dev] [security] Nominating Mike McCune as Security-Doc Core

2015-05-23 Thread Clark, Robert Graham
+1 from me On 22 May 2015, at 13:55, Nathan Kinder nkin...@redhat.com wrote: On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote: To the Security and Docs groups as well as other interested parties, I would like to nominate Mike McCune to the Security Guide core. He has been contributing

[openstack-dev] [Security][Glance] Design session for image signing/encryption

2015-05-19 Thread Clark, Robert Graham
All, Is there a session to discuss the image security proposal? https://review.openstack.org/#/c/177948/2/specs/liberty/encrypted-and-authenticated-image-support.rst Cheers -Rob __ OpenStack Development Mailing List (not

Re: [openstack-dev] [security] / IDS + openstack meeting in Vancouver 4:10 Wednesday May 20

2015-05-19 Thread Clark, Robert Graham
Sounds good, I¹m not sure if I¹ll be able to make it, or in fact if TaaS is the way forward, there¹s a few different options in this space and personally I like bump in the wire OVS - something to discuss :) I¹ll try to make it but I expect this is will be a long running discussion. Kind Regard

Re: [openstack-dev] [security] Consensus on security guidance license

2015-05-15 Thread Clark, Robert Graham
Agree Sent from my iPhone On 15 May 2015, at 10:17, Rob Fletcher rfletch@gmail.commailto:rfletch@gmail.com wrote: sgtm On Fri, May 15, 2015 at 10:04 AM, Paul McMillan p...@mcmillan.wsmailto:p...@mcmillan.ws wrote: Works for me. -Paul On May 15, 2015 10:03 AM, Murphy, Grant

[openstack-dev] [Security] Reminder - No IRC meeting this week

2015-05-12 Thread Clark, Robert Graham
Just a quick reminder, the security project IRC meeting is cancelled this week so we can be ready for the summit. -Rob __ OpenStack Development Mailing List (not for usage questions) Unsubscribe:

Re: [openstack-dev] [Security] CORS Documentation

2015-05-05 Thread Clark, Robert Graham
Hi Michael, Nathaniel might have some insight here, adding him directly. Cheers -Rob From: Michael Krotscheck [mailto:krotsch...@gmail.com] Sent: 05 May 2015 16:33 To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [Security] CORS Documentation

[openstack-dev] [Security] Design Summit Sessions

2015-04-24 Thread Clark, Robert Graham
Hi Security, We have two fishbowl events and one boardroom, I’ve assigned them to activities: [Fishbowl] 20 May, 1350, Vulnerability Management [Boardroom] 21 May, 0950, Security: Work Session [Rebranding] [Fishbowl] 21 May, 1700, Security Tooling Please take a look at the link below and let me

[openstack-dev] [Security] Meeting agenda

2015-04-09 Thread Clark, Robert Graham
Reminder to all, our meeting is today at 1700 UTC on Freenode #openstack-meeting-alt The agenda can be found here: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#Agenda_for_next_meeting * Roll Call * Reminder that the agenda exists * Update on project status *

[openstack-dev] Announcement - The Security Team for OpenStack

2015-04-02 Thread Clark, Robert Graham
The OpenStack Security Group (OSSG) and the OpenStack Vulnerability Management Team (VMT) have historically operated as independent teams, each with a focus on different aspects of OpenStack security. To present a more coherent security posture we are pleased to announce that the OSSG and VMT will

[openstack-dev] [tc] Request to adopt security as a project team

2015-04-02 Thread Clark, Robert Graham
Technical Committee, Please consider this request to recognize the security team as an OpenStack project team. This is a milestone for the OpenStack Security Group and follows from our merging with the VMT. Over the last few years what started as a small working group has become a team of

[openstack-dev] [Security] Agenda for next meeting

2015-03-31 Thread Clark, Robert Graham
Security folks, The agenda for the next security group meeting is up on https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#OpenStack_Security_Group_Meetings As a reminder, this is 1700 UTC on irc.freenode.net #openstack-meeting-alt Cheers -Rob

Re: [openstack-dev] [OSSG] Announcement: I'll be transitioning away from OpenStack

2015-03-17 Thread Clark, Robert Graham
This is a big loss to the community, it’s been a real pleasure working with you over the last three years and I wish you all the best in the future! -Rob From: Bryan D. Payne [mailto:bdpa...@acm.org] Sent: 16 March 2015 21:53 To: OpenStack Development Mailing List Subject:

Re: [openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Clark, Robert Graham
On 05/03/2015 21:37, Nathan Kinder nkin...@redhat.com wrote: On 03/05/2015 01:14 PM, Bryan D. Payne wrote: To security-doc core and other interested parties, Nathaniel Dillon has been working consistently on the security guide since our first mid-cycle meet up last summer. In that time he

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread Clark, Robert Graham
On 11/12/2014 13:16, Thierry Carrez thie...@openstack.org wrote: George Shuklin wrote: On 12/10/2014 10:34 PM, Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-12 Thread Clark, Robert Graham
for the last mid-cycle to be helpful, so it might be worthwhile doing again. -Doug M. Douglas Mendizábal IRC: redrobot PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C On 11/7/14, 8:02 PM, Clark, Robert Graham robert.cl...@hp.commailto:robert.cl...@hp.com

[openstack-dev] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-07 Thread Clark, Robert Graham
Hi All, How many people would want to attend both the OSSG mid-cycle and the Barbican one? Both expected to be on the west coast of the US. We are trying to work out how/if we should organise these events to take place at adjacent times and if they should be in the same location, back to back

[openstack-dev] [Barbican] Is there an agreed way for plugins to log output

2014-07-17 Thread Clark, Robert Graham
As above, couldn’t see any conventions. Thanks -Rob ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [barbican] Etherpad discussion related to ssl certificate workflow CR

2014-07-17 Thread Clark, Robert Graham
We’ve been looking into CA’s that give you an instant response on a certificate signing request (based on various conditions) - I’m not sure that we can easily make this work with the state structures described? Our basic flow is Client —[https|somecreds|some https://somecreds|somecsr]-- CA

Re: [openstack-dev] [Barbican] Barebones CA

2014-07-12 Thread Clark, Robert Graham
: [openstack-dev] [Barbican] Barebones CA On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-26 Thread Clark, Robert Graham
On 26/06/2014 03:43, Nathan Kinder nkin...@redhat.com wrote: On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely

Re: [openstack-dev] [Neutron]One security issue about floating ip

2014-06-26 Thread Clark, Robert Graham
It¹s kinda ugly, if a user through API/Horizon thinks they¹ve isolated a host, it should be isolatedŠ I smell an OSSN here... On 26/06/2014 17:57, Miguel Angel Ajo Pelayo mangel...@redhat.com wrote: Yes, once a connection has past the nat tables, and it's on the kernel connection tracker, it

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-25 Thread Clark, Robert Graham
of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features. Jarret On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote: Yeah pretty much. That¹s something I¹d be interested to work

[openstack-dev] [Barbican] Barebones CA

2014-06-24 Thread Clark, Robert Graham
Hi all, I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-24 Thread Clark, Robert Graham
' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though? Thanks, John From: Clark, Robert Graham [robert.cl...@hp.com] Sent: Tuesday, June 24, 2014 10:36 AM To: OpenStack List Subject

Re: [openstack-dev] Periodic Security Checks

2014-06-23 Thread Clark, Robert Graham
I think this is very interesting and would love to see the code for it. The blueprint mentions performing checks beyond what Open Attestation provides, add dynamic check to verify memory - this is probably a stretch goal as process memory verification is extremely complex. I'm not aware of anyone

Re: [openstack-dev] Mid-Cycle Meetup

2014-06-13 Thread Clark, Robert Graham
that needs to be in by J2 is in. That means the API changes. I'll be there. On 05/23/2014 03:09 AM, Clark, Robert Graham wrote: I’d like to attend all the Barbican stuff and I’m sure there’ll be some interesting Keystone things too. I think it’s likely we’d do more

Re: [openstack-dev] Message level security plans. [barbican]

2014-06-13 Thread Clark, Robert Graham
-Original Message- From: Jamie Lennox [mailto:jamielen...@redhat.com] Sent: 13 June 2014 03:25 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Message level security plans. [barbican] On Thu, 2014-06-12 at 23:22 +, Tiwari, Arvind

[openstack-dev] Calling on Security Engineers / Developers / Architects - Time to share your toys

2014-06-12 Thread Clark, Robert Graham
All, TL:DR; Lets work together and openly on security review and threat analysis for OpenStack I've discussed this for a while within the security group but now I'm sharing more widely here on -dev. There are currently scores of security reviews taking place on OpenStack architecture, projects

Re: [openstack-dev] [Neutron][LBaaS] TLS support RST document on Gerrit

2014-06-11 Thread Clark, Robert Graham
Users have to be able to delete their secrets from Barbican, it's a fundamental key-management requirement. -Original Message- From: Eichberger, German Sent: 11 June 2014 17:43 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev]

Re: [openstack-dev] [Neutron][LBaaS] Barbican Neutron LBaaS Integration Ideas

2014-06-10 Thread Clark, Robert Graham
It looks like this has come full circle and we are back at the simplest case. # Containers are immutable # Changing a cert means creating a new container and, when ready, pointing LBaaS at the new container This makes a lot of sense to me, it removes a lot of handholding and keeps Barbican and

Re: [openstack-dev] [Barbican] KMIP support

2014-06-04 Thread Clark, Robert Graham
Thanks guys, you¹ve answered everything I needed to know! I¹ll look to see what help I can provide to the KMIP efforts. -Rob On 04/06/2014 15:18, Becker, Bill bill.bec...@safenet-inc.com wrote: Regarding: Also, is the ³OpenStack KMIP Client² ever going to be a thing?

[openstack-dev] [Barbican] KMIP support

2014-06-01 Thread Clark, Robert Graham
All, I’m researching a bunch of HSM applications and I’m struggling to find much info. I was wondering about the progress of KMIP support in Barbican? Is this waiting on an open python KMIP support? Also, is the “OpenStack KMIP Client” ever going to be a thing?

Re: [openstack-dev] [Neutron] SSL VPN Implemenatation

2014-05-29 Thread Clark, Robert Graham
directly from Babican? 2014-05-01 9:42 GMT-07:00 Clark, Robert Graham robert.cl...@hp.com: Excuse me interrupting but couldn't you treat the key as largely ephemeral, pull it down from Barbican, start the OpenVPN process and then purge the key? It would of course still be resident

Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

2014-05-28 Thread Clark, Robert Graham
Several OSSG members have expressed an interest in reviewing this functionality too. -Rob On 28/05/2014 11:35, Samuel Bercovici samu...@radware.com wrote: This very good news. Please point to the code review in gerrit. -Sam. -Original Message- From: Eichberger, German

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-23 Thread Clark, Robert Graham
I’d like to attend all the Barbican stuff and I’m sure there’ll be some interesting Keystone things too. I think it’s likely we’d do more parallel ‘OSSG’ stuff on the Keystone days though I’m free on these dates. From: Bryan Payne bdpa...@acm.orgmailto:bdpa...@acm.org Date: Friday, 23 May

[openstack-dev] [Cinder][OSSG] Security note OSSN-0014 needs Cinder sign off

2014-05-21 Thread Clark, Robert Graham
Hi Cinder folks, Malini from the security group has drafted an OpenStack Security Note for an issue regarding cinder driver permissions that was previously reported to the VMT. Our process for publishing OSSNs requires sign off from two OSSN core and one core of the affected project(s) - we’d

Re: [openstack-dev] A proposal for code reduction

2014-05-21 Thread Clark, Robert Graham
From: Abhijeet Jain [mailto:abhijeet.j...@nectechnologies.in] Sent: 21 May 2014 12:27 To: openstack-dev@lists.openstack.org Subject: [openstack-dev] A proposal for code reduction Hi Openstack-developers, I am Abhijeet Jain. One of the contributor in OpenStack. I was just working on

[openstack-dev] [Barbican] Meeting time moving?

2014-05-20 Thread Clark, Robert Graham
Hi All, At the summit I heard that the Barbican meeting time might be moving, has anything been agreed? Cheers -Rob smime.p7s Description: S/MIME cryptographic signature ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org

Re: [openstack-dev] [Barbican] Today's Meeting Cancelled

2014-05-19 Thread Clark, Robert Graham
Seems to be the way most people are going, I noticed Ironic announcing the same today. On 19/05/2014 19:46, Jarret Raim jarret.r...@rackspace.com wrote: Barbicaneers, Many of us are just getting back into the swing of things so we are going to go ahead and cancel the meeting today. The main

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Clark, Robert Graham
The certificate management that LBaaS requires might be slightly different to the normal flow of things in OpenStack services, after all you are talking about externally provided certificates and private keys. There's already a standard for a nice way to bundle those two elements together,

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Clark, Robert Graham
a Neutron requirement (LBaaS, VPNaaS, FWaaS) and maybe as a transition project to an OpenStack wide solution (1 or 2). Option 1 or 2 might be the ultimate goal. Regards, -Sam. From: Clark, Robert Graham [mailto:robert.cl...@hp.com] Sent: Thursday, May 08, 2014

Re: [openstack-dev] Security audit of OpenStack projects

2014-05-02 Thread Clark, Robert Graham
-Original Message- From: John Dennis [mailto:jden...@redhat.com] Sent: 02 May 2014 14:23 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Security audit of OpenStack projects On 04/07/2014 12:06 PM, Nathan Kinder wrote: Hi, We

Re: [openstack-dev] [Neutron] SSL VPN Implemenatation

2014-05-01 Thread Clark, Robert Graham
Excuse me interrupting but couldn't you treat the key as largely ephemeral, pull it down from Barbican, start the OpenVPN process and then purge the key? It would of course still be resident in the memory of the OpenVPN process but should otherwise be protected against filesystem disk-residency

Re: [openstack-dev] [ironic] Disk Eraser

2014-01-17 Thread Clark, Robert Graham
On 17/01/2014 08:19, Robert Collins wrote: On 16 January 2014 03:31, Alan Kavanagh alan.kavan...@ericsson.com wrote: Hi fellow OpenStackers Does anyone have any recommendations on open source tools for disk erasure/data destruction software. I have so far looked at DBAN and disk scrubber

Re: [openstack-dev] Incubation Request for Barbican

2013-12-12 Thread Clark, Robert Graham
From: Bryan D. Payne [mailto:bdpa...@acm.org] Sent: 12 December 2013 16:12 To: OpenStack Development Mailing List (not for usage questions) Cc: openstack...@lists.openstack.org; cloudkeep@googlegroups. com; barbi...@lists.rackspace.com Subject: Re: [openstack-dev] Incubation Request for Barbican

Re: [openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

2013-08-07 Thread Clark, Robert Graham
My understanding of such attacks is that they require a point-of-presence within the browser to perform the injection which in turn enables the side channel. As clients/users won't be interacting with the API using a browser I'm not 100% convinced that we need to worry about defending against

[openstack-dev] [OSSN][OSSG] Nova Baremetal Exposes Previous Tenant Data

2013-07-02 Thread Clark, Robert Graham
Nova Baremetal Exposes Previous Tenant Data - ### Summary ### Data of previous tenants may be exposed to new ones when using Nova Baremetal ### Affected Services / Software ### Keystone, Databases ### Discussion ### Nova Baremetal is intended for testing and development only, it is not