Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 We've also talked about fancier non-keystone-auth like x.509 certificate s. - - Douglas On 1/18/17 11:52 AM, Clint Byrum wrote: > Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 > 15:58:19 +: >> >> On Mon, Jan 16, 2017 at 7:35

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I think that a Vault backend would only be valuable to folks who are already using Vault. For deployers who don't yet have a key management solution, a Vault backend would not solve the problem of having to deploy yet another service. In fact it

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I'm very much interested in an out-of-the-box software-only backend driver for Barbican. I think that one of the reasons people have been hesitant to deploy Barbican is that we claim that our Simple Crypto software-only driver is "not secure in any

[openstack-dev] [barbican] Deprecating Certificate Issuance

2016-09-15 Thread Douglas Mendizábal
? The Barbican team will follow the standard deprecation policy for this feature. All APIs will still ship as part of the Newton release, and we'll begin the deprecation work in the Ocata cycle. Feel free to ask any other questions you may have. Thanks, Douglas Mendizábal Barbican PTL signature.asc

Re: [openstack-dev] [barbican] Secure Setup & HSM-plugin

2016-08-16 Thread Douglas Mendizábal
bican/plugin/crypto/pkcs11.py#L131 > > [2]: > https://github.com/openstack/barbican/blob/c2a7f426455232ed04d2ccef6b3 5c87a2a223977/barbican/plugin/crypto/p11_crypto.py#L63 > > --- System Engineering HSM > > Utimaco IS GmbH Germanusstr. 4 52080 Aache

Re: [openstack-dev] Barbican: Secure Setup & HSM-plugin

2016-08-12 Thread Douglas Mendizábal
ut we don't yet have a blueprint for it. Let me know if you have any more questions. - - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbi can.conf#n278 [2] http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbi can.conf#n255 [3] http://gi

Re: [openstack-dev] Barbican and Security Midcycle confirmed

2016-07-19 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Many thanks to Fernando and IBM for setting this up! - - Doug Mendizábal On 7/19/16 1:49 PM, Fernando J Diaz wrote: > Dear Barbican and Security Contributors, > > It is my pleasure to announce that the Barbican and Security > Mid-cycle meetups

Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 No conflicts with your cross-project session as far as I can tell. In a nutshell BYOK-Push is a model where the customer retains full control of their cryptographic keys. The customer is expected to provide the necessary keys each and every time a

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Douglas Mendizábal
sider their threat models and decide how much risk they're willing to accept. So if implementing a low-security key management backend is what your early adopters want, then please do so in a manner that lets deployers with high security requirements easily use Barbican or other Hardware solutions. - -

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Douglas Mendizábal
by the Magnum service tenant instead of the user's tenant when using Barbican as a backend. The upshot is that a deployer could choose the existing Barbican implementation instead, and other projects may be able to make use of the LocalDEKAndDBKeyManager. - - Douglas Mendizábal [1] http

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Douglas Mendizábal
not result in a direct dependency, there is still work to be done to have a working non-barbican solution. - - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/castellan/ On 4/13/16 9:26 AM, rezroo wrote: > Hi Kevin, > > I understand that this is how it is now. My questi

Re: [openstack-dev] [Security][Barbican] BYOK

2016-04-06 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Rob, The Barbican team is dedicating a Fishbowl session to BYOK for the summi t: https://www.openstack.org/summit/austin-2016/summit-schedule/events/9155 - - Doug On 4/6/16 5:12 AM, Clark, Robert Graham wrote: > Hi All, > > We’ve had lots

Re: [openstack-dev] [kite] Seeking core reviewers

2016-03-25 Thread Douglas Mendizábal
Thanks for the patches, Ronald. Adam Young is right, Kite is pretty much dead. I'll add to my list of spring cleaning to-dos to remove Kite from governance and infra. Thanks, Douglas Mendizábal (redrobot) On 3/25/16 10:08 AM, Ronald Bradford wrote: > Thanks all for feedback. > &g

Re: [openstack-dev] [magnum] Streamline adoption of Magnum

2016-03-23 Thread Douglas Mendizábal
Comments inline. - Douglas Mendizábal On 3/23/16 5:15 PM, Fox, Kevin M wrote: > So, this is where things start getting a little ugly and undefined... This is > what I've been able to gather so far, so please someone correct me if I'm > wrong. > > Barbican is the OpenStack

Re: [openstack-dev] [barbican] High Availability

2016-03-22 Thread Douglas Mendizábal
ploy an HA RabbitMQ, and N api-workers. I don't think we'll be setting up the keystone-listeners any time soon. I hope that gives you a good starting point for planning your HA-Barbican delpoyment. Let me know if you have any more questions. Regards, Douglas Mendizábal [1] http://www.haproxy.org

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Douglas Mendizábal
Barbican adoption in the future, and all our users have > Barbican installed in their clouds. If that happens, I have no problem to > have a hard dependency on Barbican. > > Best regards, > Hongbin > > -----Original Message- > From: Douglas Mendizábal [mailto:douglas.mendiza..

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Douglas Mendizábal
Hongbin, I think Adrian makes some excellent points regarding the adoption of Barbican. As the PTL for Barbican, it's frustrating to me to constantly hear from other projects that securing their sensitive data is a requirement but then turn around and say that deploying Barbican is a problem. I

Re: [openstack-dev] [release][all][ptl] preparing to create stable/mitaka branches for libraries

2016-03-19 Thread Douglas Mendizábal
python-barbicanclient 4.0.0 is ready to be branched. - Douglas Mendizábal On 3/9/16 11:26 AM, Doug Hellmann wrote: > It's time to start opening the stable branches for libraries. I've > prepared a list of repositories and the proposed versions from which > we will create stable/mitaka

Re: [openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-22 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thanks for the +1s everyone. Since there have been no objections, I'd like to welcome Fernando to the Barbican Core team. Thanks, - - Douglas Mendizábal On 2/17/16 11:33 AM, John Wood wrote: > +1 > > On 2/16/16, 12:52 PM,

Re: [openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

2016-02-15 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 One more thing: I forgot to point out that pyca/cryptography is already part of global-requirements. [1] - - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/requirements/tree/global-require ments.txt#n25 On 2/15/16 12:24 PM

Re: [openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

2016-02-15 Thread Douglas Mendizábal
. - - Douglas Mendizábal [1] https://cryptography.io/en/latest/ [2] https://github.com/paramiko/paramiko/pull/646 On 2/15/16 6:44 AM, Haïkel wrote: > 2016-02-14 23:16 GMT+01:00 Davanum Srinivas <dava...@gmail.com>: >> Hi, >> >> Short Story: pycryptodome if install

[openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-15 Thread Douglas Mendizábal
. [1] He’s got an excellent eye for review and I think he would make an excellent addition to the team. As a reminder to our current core reviewers, our Core Team policy is documented in the wiki. [2] So please reply to this thread with your votes. Thanks, - - Douglas Mendizábal [1] http

Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

2016-01-05 Thread Douglas Mendizábal
up a Barbican instance. - - Douglas Mendizábal On 1/5/16 3:58 PM, Farr, Kaitlin M. wrote: >>> Aiming toward tests that mirror real-world deployment is >>> certainly a good thing, but I don't think we should remove >>> ConfKeyManager. >>> >>>

[openstack-dev] [barbican] Weekly meetings cancelled for Summit

2015-10-23 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Barbicaneers, Since a lot of us are going to be traveling to Tokyo for the Summit next week, I figured we should probably cancel the next couple of weekly meetings. The next weekly meeting will be on Nov 9 @ 2000 UTC. Thanks, Douglas

[openstack-dev] Optional Dependencies

2015-09-29 Thread Douglas Mendizábal
and the project is expected to function without them when using a driver that does not require the lib. I read through the README in openstack/requirements [1] but I didn't see anything about it. Thanks, Douglas Mendizábal [1] https://git.openstack.org/cgit/openstack/requirements/tree/README.rst

Re: [openstack-dev] [Barbican][Security] Automatic Certificate Management Environment

2015-09-28 Thread Douglas Mendizábal
probably phase out the Barbican CMS API, and just support ACME on the front end. - - Douglas Mendizábal On 9/24/15 10:12 AM, Clark, Robert Graham wrote: > Hi All, > > So I did a bit of tyre kicking with Letsencrypt today, one of the > things I thought was interesting was t

Re: [openstack-dev] [neutron][lbaas] Barbican container lookup fron lbaas

2015-09-21 Thread Douglas Mendizábal
the controller. The certificate download happens > on the controller too. 2) Once we move to service-vm model, where > service-vms could reside on compute hypervisors, where will the > cert download happen? Still on controller in the flow? > > Thanks, Varun > > On 9/

Re: [openstack-dev] [neutron][lbaas] Barbican container lookup fron lbaas

2015-09-19 Thread Douglas Mendizábal
container reference Since the user grants the lbass user access in step 2, the token generated using the conf file credentials will be accepted by Barbican and the certificate will be made available to lbass. - - Douglas Mendizábal [1] http://docs.openstack.org/developer/barbican/api/quickstart

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Douglas Mendizábal
/PTL_Elections_September_2015 [2] http://time.is/UTC Douglas Mendizábal On 9/17/15 9:50 AM, Anita Kuno wrote: > On 09/17/2015 08:22 AM, Matt Riedemann wrote: >> >> >> On 9/17/2015 8:25 AM, Tristan Cacqueray wrote: >>> PTL Nomination is now over. The official candidate list i

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Douglas Mendizábal
in particular for missing this deadline. Thanks, Douglas Mendizábal On 9/17/15 8:49 AM, Flavio Percoco wrote: > On 17/09/15 13:44 +, Tristan Cacqueray wrote: >> On 09/17/2015 01:32 PM, Flavio Percoco wrote: >>> On 17/09/15 13:25 +, Tristan Cacqueray wrote: >>>&

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-14 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 As described in the Barbican Core Team wiki [1] Dave has gotten the requierd +1s and no objections, so I'm happy to welcome him to the Barbican Core reviewer team. Douglas Mendizábal On 9/9/15 11:33 AM, John Wood wrote: > AgreedŠ+1 > >

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-08 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 +1 Dave has been a great asset to the team, and I think he would make an excellent core reviewer. - - Douglas Mendizábal On 9/8/15 11:05 AM, Juan Antonio Osorio wrote: > I'd like to nominate Dave Mccowan for the Barbican core review >

[openstack-dev] [barbican] No IRC meeting tomorrow September 7

2015-09-06 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Barbicaneers, We'll be skipping the weekly IRC meeting tomorrow since I expect most folks will be out due to the US holiday. Thanks, Douglas Mendizábal -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Added a few comments inline. - - Douglas Mendizábal On 9/1/15 12:03 PM, John Dennis wrote: > On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: >> >>> The reason that is compelling is that you can have Barbican >>>

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
me if I'm wrong. The automated tests that validate the API are the Functional Tests I linked in my earlier email. - - Douglas Mendizábal On 7/1/15 3:22 PM, Asha Seshagiri wrote: Hi Douglas , Are there any Automated Test cases created for validating the Barbican APIs. Thanks and Regards

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
tests to the Tempest repo. It's my understanding that Tempest is moving away from one monolithic repository into a modular approach using tempest-lib. - - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/barbican/tree/functionaltest s On 7/1/15 2:12 PM, Asha Seshagiri wrote: Hi All

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Asha, Information for running the Functional tests can be found in our official documentation. [1] - - Douglas Mendizábal [1] http://docs.openstack.org/developer/barbican/testing.html#functional-tes ts On 7/1/15 5:08 PM, Asha Seshagiri wrote

Re: [openstack-dev] [all] [stable] No longer doing stable point releases

2015-06-17 Thread Douglas Mendizábal
of all changes landing in the stable branches, and should be able to push a tag immediately after an important fix lands. Asking the packagers to make the determination means that they would have to be aware of every patch landing in every project, which I think is a lot to ask. - - Douglas

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-25 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Since there are no objections, Chelsea Winfree is now part of barbican-core. Congratulations! - - Douglas Mendizábal On 5/21/15 6:58 PM, Nathan Reller wrote: +1 On Thu, May 21, 2015 at 4:53 PM, Juan Antonio Osorio jaosor...@gmail.com wrote

[openstack-dev] [barbican] Weekly meeting cancelled today

2015-05-25 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi All, The Barbican weekly meeting is cancelled today because of the US holiday. Meetings will resume next week at the regularly scheduled time . Thanks, - - Douglas Mendizábal -BEGIN PGP SIGNATURE- Comment: GPGTools - https

Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-25 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Since there are no objections, Kaitlin Farr is now part of barbican-core. Congratulations! - - Douglas Mendizábal On 5/24/15 12:19 PM, Chad Lung wrote: +1 Chad Lung EMC Cloud Services / I would like to nominate Kaitlin Farr

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-20 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 +1 from me as well. - - Douglas Mendizábal On 5/18/15 7:38 AM, John Vrbanac wrote: ?+1 John Vrbanac -- - -- *From:* Chad Lung chad.l...@gmail.com *Sent:* Sunday, May

[openstack-dev] [keystone][nova][barbican] VM-spec discussion

2015-05-20 Thread Douglas Mendizábal
to each new vm so that the vm is able to access a secret in Barbican. Thanks, Douglas Mendizábal [1] https://review.openstack.org/#/c/159571/ -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVXLnnAAoJEB7Z2EQgmLX73nIQAIBJNosFdyYIjhfOg5v51B82 ADZa0PCoTPW9

[openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-19 Thread Douglas Mendizábal
] As a reminder to the rest of the core team, we use the process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to the barbican-core team. Thanks, Douglas Mendizábal [1] http://stackalytics.com/report/contribution/barbican-group/90 -BEGIN PGP SIGNATURE- Comment

Re: [openstack-dev] [trove][zaqar] Trove and Zaqar integration. Summit working session

2015-05-14 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I'm very much interested in talking with some Keystone folks about this auth issue. I would be willing to dedicate a Barbican Working Session to this discussion if there is a time slot that works for all the interested parties. - - Douglas

Re: [openstack-dev] [Murano] [Mistral] [Zaqar] [Keystone] SSH workflow action

2015-05-14 Thread Douglas Mendizábal
for some of our contributors who find the current Keystone models burdensome. [2] - - Douglas Mendizábal [1] http://lists.openstack.org/pipermail/openstack-dev/2015-May/064196.html [2] http://specs.openstack.org/openstack/barbican-specs/specs/kilo/add-creat or-only-option.html On 5/12/15 8:43 PM, Zane

Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.

2015-05-14 Thread Douglas Mendizábal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Asha, The reason we support an Unauthenticated Context in Barbican is purely for development purposes. We recommend that all production Barbican deployments use Keystone or an alternative AuthN/AuthZ service in front of Barbican. Setting up a