Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Nathan Reller
> Thoughts? Is anyone interested in the pull model or actually implementing it? I say if the answer to that is no then only discuss the push model. Note that I am having a talk on BYOK on Tuesday at 11:15. My talk will go over provider key management, the push model, and the pull model. There

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Nathan Reller
I agree with Doug's comments. Castellan is a generic key manager library that allows symmetric keys, private keys, public keys, certificates, passphrases, and opaque secret data to be stored in a key manager. There is a Barbican implementation that is complete, and a KMIP (Key Management

Re: [openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

2016-03-21 Thread Nathan Reller
> Red Herring. We don't need HMAC. We need to make better use of the tools in > Rabbit. I'm curious what you mean by this. I'd like to know the lessons learned. > As for HMAC several years/releases ago, what was the issue (just wondering)? > Just to much load on controller nodes to do

Re: [openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-15 Thread Nathan Reller
+1 He is a great addition to the Barbican community. -Nate On Mon, Feb 15, 2016 at 1:34 PM, Dave McCowan (dmccowan) wrote: > +1 > > On 2/15/16, 12:45 PM, "Douglas Mendizábal" > wrote: > >>-BEGIN PGP SIGNED MESSAGE- >>Hash: SHA512

[openstack-dev] [cinder][nova]Move encryptors to os-brick

2015-11-24 Thread Nathan Reller
> the cinder admin and the nova admin are ALWAYS the same people There is interest in hybrid clouds where the Nova and Cinder services are managed by different providers. The customer would place higher trust in Nova because you must trust the compute service, and the customer would place less

Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

2015-09-18 Thread Nathan Reller
> But that approach looks a little untidy, because tenant admin has to do some infrastructure work. I would think infrastructure work would be part of the admin role. They are doing other things such as creating LBaaS, which seems like an infrastructure job to me. I would think configuring LBaaS

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-09 Thread Nathan Reller
+1 Dave is a great member of the team, and I think he has earned it. -Nate On Tue, Sep 8, 2015 at 12:13 PM, Douglas Mendizábal <> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > +1 > > Dave has been a great asset to the team, and I think he would

Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-10 Thread Nathan Reller
You would need to update the KMIPSecretStore or create a new SecretStore to handle this. The logic should be behind the SecretStore abstraction because Barbican only allows one active secret store. I would think that the configuration file would have a listing of available KMIP server URLs. The

Re: [openstack-dev] Barbican : Retrieval of the secret in text/plain format generated from Barbican order resource

2015-06-08 Thread Nathan Reller
Asha, When you say you want your key in ASCII does that also mean putting the bytes in hex or base64 format? Isn't ASCII only 7 bits? -Nate On Mon, Jun 8, 2015 at 1:17 AM, Asha Seshagiri wrote: Thanks John for your response. I am aware that application/octet-stream

Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-05 Thread Nathan Reller
You would just store the url in the DTO. You will need to have the KMIP secret store return the KMIP server that handled the request in the metadata that is returned to Barbican Core. each kmip server url would need to be in the barbican-api.conf file? I would assume that would be true. I'm

Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-21 Thread Nathan Reller
+1 On Thu, May 21, 2015 at 12:29 PM, John Wood wrote: +1 From: Douglas Mendizábal Sent: Tuesday, May 19, 2015 7:09 PM To: OpenStack Development Mailing List (not for usage questions) Subject:

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-21 Thread Nathan Reller
+1 On Thu, May 21, 2015 at 4:53 PM, Juan Antonio Osorio wrote: +1 On Thu, May 21, 2015 at 11:05 PM, John Wood wrote: +1 From: Chad Lung Sent: Sunday, May 17, 2015 6:34 PM To:

Re: [openstack-dev] [barbican] Secret store API validation

2014-11-18 Thread Nathan Reller
It seems we need to add some validation to the process Yes, we are planning to add some validation checks in Kilo. I would submit a bug report for this. The big part of the issue is that we need to be clearer about the expected input types to the API as well as the SecretStores. This was a big

Re: [openstack-dev] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-11 Thread Nathan Reller
How many people would want to attend both the OSSG mid-cycle and the Barbican one? +1 -Nate ___ OpenStack-dev mailing list

Re: [openstack-dev] [Barbican] Nominating Juan Antonio Osorio Robles for barbican-core

2014-11-06 Thread Nathan Reller
+1 for me -Nate - Hi All, I would like to nominate Juan Antonio Osorio Robles to the barbican-core team. Juan has been consistently giving us very well thought out and constructive reviews for Barbican, python-barbicanclient and

Re: [openstack-dev] [Barbican] Nominating Steve Heyman for barbican-core

2014-11-06 Thread Nathan Reller
+1 for me -Nate ___ OpenStack-dev mailing list

Re: [openstack-dev] [OpenStack] [Barbican] [Cinder] Cinder and Barbican

2014-10-20 Thread Nathan Reller
is Cinder capable today to use Barbican for encryption? Yes, Cinder has a KeyManager abstraction, and one of the implementations is Barbican. Checkout We have successfully used Barbican within Cinder. I think the python-barbicanclient has recently changed. This change

Re: [openstack-dev] [Barbican] KMIP support

2014-06-03 Thread Nathan Reller
I was wondering about the progress of KMIP support in Barbican? As John pointed out, JHU/APL is working on adding KMIP support to Barbican. We submitted the first CR to add a Secret Store interface into Barbican. The next step is to add a KMIP implementation of the Secret Store. Is this