Friday, 2015-07-31

*** nelsnelson has joined #openstack-barbican		00:22
*** vivek-ebay has quit IRC		01:24
*** dimtruck is now known as zz_dimtruck		01:32
*** zz_dimtruck is now known as dimtruck		01:48
*** alee has quit IRC		02:06
*** alee_ has joined #openstack-barbican		02:07
*** openstackgerrit has quit IRC		02:31
*** openstackgerrit has joined #openstack-barbican		02:32
*** rm_you\| has quit IRC		02:39
*** rm_you has joined #openstack-barbican		02:40
*** rm_you has quit IRC		02:40
*** rm_you has joined #openstack-barbican		02:40
*** nelsnelson has quit IRC		02:47
*** dimtruck is now known as zz_dimtruck		03:08
*** h00327910__ has quit IRC		03:28
*** SheenaG has joined #openstack-barbican		03:40
*** SheenaG has quit IRC		03:50
*** nkinder has quit IRC		03:52
*** vivek-ebay has joined #openstack-barbican		04:21
*** xaeth_afk is now known as xaeth		04:24
*** xaeth is now known as xaeth_afk		05:04
*** tkelsey has joined #openstack-barbican		05:07
*** nickrmc83 has joined #openstack-barbican		05:11
*** tkelsey has quit IRC		05:12
*** nickrmc83 has quit IRC		05:12
*** nickrmc83 has joined #openstack-barbican		05:14
*** rm_work is now known as rm_work\|away		05:16
*** jaosorior has joined #openstack-barbican		05:23
*** ig0r_ has joined #openstack-barbican		05:25
*** Nirupama has joined #openstack-barbican		05:32
*** kebray has joined #openstack-barbican		05:47
*** shohel has joined #openstack-barbican		05:51
*** ig0r__ has joined #openstack-barbican		06:11
*** ig0r_ has quit IRC		06:12
*** vivek-ebay has quit IRC		06:46
openstackgerrit	OpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex https://review.openstack.org/206901	06:54
*** kebray has quit IRC		07:43
*** jaosorior has quit IRC		07:44
*** jaosorior has joined #openstack-barbican		07:47
openstackgerrit	Merged openstack/python-barbicanclient: Adding Documentation for running Functional Tests on the Python-Barbican Client https://review.openstack.org/205761	07:50
*** madhuri has quit IRC		08:09
*** tkelsey has joined #openstack-barbican		08:12
openstackgerrit	Merged openstack/python-barbicanclient: Remove unneeded dependency in tox.ini https://review.openstack.org/207231	08:29
*** shohel has quit IRC		08:52
*** shohel has joined #openstack-barbican		09:25
*** mmdurrant has quit IRC		10:09
*** DTadrzak has quit IRC		10:26
*** everjeje has joined #openstack-barbican		10:46
*** nickrmc83 has quit IRC		10:52
*** ig0r__ has quit IRC		11:15
*** ig0r_ has joined #openstack-barbican		11:19
*** mmdurrant has joined #openstack-barbican		11:58
*** DTadrzak has joined #openstack-barbican		12:00
*** peter-hamilton has joined #openstack-barbican		12:05
*** kfarr has joined #openstack-barbican		12:09
*** Nirupama has quit IRC		12:28
*** SheenaG has joined #openstack-barbican		12:33
*** kfarr1 has joined #openstack-barbican		12:42
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Add managed objects hierarchy https://review.openstack.org/191884	12:42
*** kfarr has quit IRC		12:46
*** kfarr1 has quit IRC		12:46
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Add unit tests for managed objects https://review.openstack.org/206649	12:57
*** kfarr has joined #openstack-barbican		13:02
*** zz_dimtruck is now known as dimtruck		13:03
*** tzatti has joined #openstack-barbican		13:14
alee_	redrobot, ping	13:28
alee_	redrobot, still have a couple of specs awaiting review if we're trying to get them in this week.	13:28
alee_	jaosorior, jvrbanac , kfarr , chellygel ^^	13:29
alee_	https://review.openstack.org/127823	13:29
alee_	https://review.openstack.org/129377	13:29
*** dimtruck is now known as zz_dimtruck		13:34
*** zz_dimtruck is now known as dimtruck		13:46
*** jaosorior has quit IRC		13:54
*** spotz_zzz is now known as spotz		14:01
*** pglass has joined #openstack-barbican		14:09
*** nelsnelson has joined #openstack-barbican		14:10
*** dimtruck is now known as zz_dimtruck		14:14
*** tzatti has quit IRC		14:15
*** tzatti has joined #openstack-barbican		14:15
*** diazjf has joined #openstack-barbican		14:18
*** h00327910__ has joined #openstack-barbican		14:23
*** tzatti has quit IRC		14:24
*** tzatti has joined #openstack-barbican		14:25
*** nelsnelson has quit IRC		14:30
*** nelsnelson has joined #openstack-barbican		14:31
*** zz_dimtruck is now known as dimtruck		14:32
*** Kevin_Bishop has joined #openstack-barbican		14:45
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Add managed objects hierarchy https://review.openstack.org/191884	14:47
*** kfarr has quit IRC		14:50
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Add unit tests for managed objects https://review.openstack.org/206649	14:52
*** vivek-ebay has joined #openstack-barbican		14:55
*** chlong has quit IRC		14:57
openstackgerrit	Fernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation https://review.openstack.org/207202	14:57
*** vivek-ebay has quit IRC		15:03
*** xaeth_afk is now known as xaeth		15:06
*** kfarr has joined #openstack-barbican		15:07
*** alee has joined #openstack-barbican		15:09
*** chlong has joined #openstack-barbican		15:11
*** edtubill has joined #openstack-barbican		15:16
*** kfarr has quit IRC		15:16
*** kebray has joined #openstack-barbican		15:18
*** kfarr has joined #openstack-barbican		15:32
*** vivek-ebay has joined #openstack-barbican		15:34
redrobot	alee reviewing now... also trying to get some other rackers to take a look	15:37
alee	redrobot, great thanks	15:38
*** SheenaG has quit IRC		15:41
*** vivek-ebay has quit IRC		15:42
*** xaeth is now known as xaeth_afk		15:43
*** shohel has quit IRC		15:52
openstackgerrit	Ade Lee proposed openstack/python-barbicanclient: Add ability to add and list CAs https://review.openstack.org/207293	16:06
redrobot	alee +2 x 2	16:11
alee	redrobot, thanks -- can you rally some of the other troops?	16:12
redrobot	alee just poked at hockeynut and jvrbanac ... hopefully they'll be able to jump on this before lunch.	16:12
alee	hockeynut, jvrbanac , kfarr , chellygel ?	16:12
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Update the key manager API https://review.openstack.org/203227	16:13
*** tkelsey has quit IRC		16:13
alee	hockeynut, just saw your comment about "enrollment_templates" vs "templates" -- I'm open to using something more descriptive like "enrollment-templates" - but I think thats probably not needed.	16:15
alee	we're unlikely to have other kinds of "templates" added - and if we do , they could be more restrictively named.	16:16
alee	redrobot, what do you think?	16:16
*** kfarr has quit IRC		16:17
redrobot	alee hockeynut I can't think of any other templates we would need from a CA?	16:17
*** SheenaG has joined #openstack-barbican		16:17
redrobot	alee hockeynut afaict the only place where CAs are going to be significantly different is in ordering certs.	16:18
hockeynut	redrobot alee ok good, just didn't want to end up in a situation where we have 3 types of templates and cas/templates would be confusing	16:18
alee	redrobot, hockeynut -- perhaps revocation-templates?	16:19
redrobot	alee in that case I think something like	16:19
redrobot	cas/templates/issuing	16:19
redrobot	and	16:19
redrobot	cas/templates/revocation	16:20
alee	renewal-templates	16:20
redrobot	or something like that makes more sense than hyphenating everything...	16:20
*** kfarr has joined #openstack-barbican		16:21
redrobot	hockeynut so maybe we will have 3 types of templates >_<	16:22
alee	agreed	16:22
alee	/cas/templates/issuing , /ca/templates/revocation, /ca/templates/renewal	16:23
alee	issuing <-> enrollment?	16:23
redrobot	issuing/enrollment/provisioning ... not sure which the correct term would be here	16:24
redrobot	I don't have a strong preference for any of them...	16:24
alee	in dogtag, we talk about enrollment	16:24
*** vivek-ebay has joined #openstack-barbican		16:25
alee	if you are going to use "issuing" -- we'll want to use "issuance"	16:25
alee	to match up with revocation	16:25
redrobot	kfarr ping	16:25
alee	and that sounds wonky to me ..	16:26
alee	redrobot, so my preference is enrollment	16:26
redrobot	alee was looking at https://letsencrypt.org/howitworks/ ... they just call it "getting" >_>	16:26
redrobot	alee I'm ok with "enrollment"	16:27
alee	redrobot, ok - I'll make that change	16:28
hockeynut	coolness	16:28
redrobot	alee I think just templates/enrollment for now... we can add revocation and renewal if/when needed.	16:30
alee	hockeynut, dont forget https://review.openstack.org/#/c/127823/'	16:30
hockeynut	<click>	16:30
alee	redrobot, agreed -- I 'll make a note of why we are adding this though	16:30
*** tkelsey has joined #openstack-barbican		16:39
*** tkelsey has quit IRC		16:43
openstackgerrit	Ade Lee proposed openstack/barbican-specs: Add CA enrollment templates spec added https://review.openstack.org/129377	16:46
alee	redrobot, hockeynut updated	16:47
*** crc32 has joined #openstack-barbican		16:47
*** peter-hamilton has quit IRC		16:49
*** tzatti has quit IRC		16:49
kfarr	redrobot pong	16:50
jvrbanac	alee, I have a couple questions regarding your specs. I have a lunch thing to go to, so I can't chat now. However, If you have some time this afternoon, perhaps can setup some google hangout time to talk through this really quick. redrobot you interesting in something like that?	16:50
*** tzatti has joined #openstack-barbican		16:50
alee	jvrbanac, sure	16:50
alee	hockeynut, if you want to join too, we can get the specs all squared away	16:51
alee	jvrbanac, just ping me when you're back	16:52
hockeynut	put the time here and if I'm available I'll join. I'm actually off this afternoon but I will be on and offline	16:52
alee	hockeynut, If you can't , feel free to just add your +2's :)	16:55
alee	jvrbanac, do you have a specific time in mind?	16:55
*** chlong has quit IRC		17:09
*** pglbutt has joined #openstack-barbican		17:11
*** pglass has quit IRC		17:12
*** pglass has joined #openstack-barbican		17:13
*** pglbutt has quit IRC		17:16
*** rellerreller has joined #openstack-barbican		17:20
*** SheenaG has quit IRC		17:38
*** crc32 has quit IRC		17:44
*** SheenaG has joined #openstack-barbican		17:44
*** crc32 has joined #openstack-barbican		17:52
*** crc32 has quit IRC		17:54
*** crc32 has joined #openstack-barbican		17:54
*** crc32 has quit IRC		17:56
*** pglbutt has joined #openstack-barbican		17:58
*** pglbutt has quit IRC		17:58
*** pglass has quit IRC		18:01
*** crc32 has joined #openstack-barbican		18:02
*** SheenaG has quit IRC		18:04
*** tzatti has quit IRC		18:04
*** tzatti has joined #openstack-barbican		18:05
*** kfarr has left #openstack-barbican		18:15
*** kfarr_ has joined #openstack-barbican		18:15
openstackgerrit	Fernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation https://review.openstack.org/207202	18:33
openstackgerrit	Christopher Solis proposed openstack/barbican: Implement models and repositories for KMIP servers https://review.openstack.org/207192	18:33
diazjf	hockeynut, redrobot, https://review.openstack.org/#/c/196876/ can I get a +A!!	18:36
*** kfarr has joined #openstack-barbican		18:37
*** tkelsey has joined #openstack-barbican		18:40
*** tzatti has quit IRC		18:43
*** tzatti has joined #openstack-barbican		18:44
*** tkelsey has quit IRC		18:44
*** tzatti has quit IRC		18:47
redrobot	diazjf ... I feel like a jerk for not reviewing this, but I'm focusing on BPs today... :(	18:49
diazjf	redrobot, no worries at all, take your time!!! :-D	18:50
diazjf	just wanted to know if it was on a queue of things to review	18:51
*** pglass has joined #openstack-barbican		18:51
*** kfarr has quit IRC		18:53
openstackgerrit	Kevin Bishop proposed openstack/barbican: Add PUT support for generic container types https://review.openstack.org/207249	18:54
kfarr_	redrobot, did you ping earlier?	18:55
redrobot	kfarr_ yeah! I was hoping you'd have some time to look at a couple of blueprints?	18:56
redrobot	kfarr_ specifically ade's BPs, and https://review.openstack.org/#/c/174318/	18:56
*** kfarr has joined #openstack-barbican		18:57
kfarr	redrobot, sure! any ones in particular?	18:58
*** vivek-eb_ has joined #openstack-barbican		18:58
*** vivek-ebay has quit IRC		18:59
redrobot	kfarr https://review.openstack.org/#/c/129377/	19:00
redrobot	kfarr https://review.openstack.org/#/c/127823/	19:00
redrobot	kfarr https://review.openstack.org/#/c/207317/	19:00
*** kfarr_ has quit IRC		19:00
redrobot	kfarr https://review.openstack.org/#/c/174318/	19:00
redrobot	kfarr in no particular order.	19:00
kfarr	redrobot, got it!	19:00
*** Kevin_Bishop has quit IRC		19:05
*** kfarr1 has joined #openstack-barbican		19:07
redrobot	elmiko ping	19:07
elmiko	redrobot: hey	19:07
redrobot	elmiko hey, quick question bc I don't want to rtfm. Is there an API WG guidance on error messages. Specifically interested in the format of the JSON object returned from an API.	19:08
alee_	redrobot, still trying to rally the troops for the specs?	19:08
redrobot	alee_ yep... I think I may have enlisted kfarr :)	19:08
alee_	go kfarr !	19:09
elmiko	redrobot: afaik that is something we are still working on. etoews has a spec up, i think. 1sec	19:09
* elmiko digs		19:09
alee_	what about hockeynut and jvrbanac ?	19:09
elmiko	redrobot: this is as far as we've gotten https://review.openstack.org/#/c/167793/	19:10
redrobot	elmiko awesome, thanks! I'll add that CR to my watch list	19:10
jvrbanac	alee, my afternoon has been crazy so far. Regarding the copy spec, I'm trying to figure out the probably we're actually solving here. Is it that someone could delete a secret?	19:11
elmiko	redrobot: etoews has been out of town, but he should be back next week. i'd expect it to pickup after that.	19:11
*** kfarr1 has quit IRC		19:11
jvrbanac	alee, so having a individual secret per volume is where the copy is used?	19:11
redrobot	jvrbanac the use case is that cinder already does a copy by retrieving and then storing the secret again	19:12
jvrbanac	redrobot, but why?	19:12
alee	jvrbanac, if I recall correctly, the secret is copied when you want to have cloned volumes	19:12
jvrbanac	redrobot, it feels like they're working around a behavior of barbican.	19:13
redrobot	jvrbanac they need to be able to delete the secret when the volume is deleted	19:13
redrobot	jvrbanac and reference counting a single secret is fragile	19:13
jvrbanac	redrobot, ahh I see	19:13
kfarr	Right, it's for the case where you clone an encrypted volume, then delete the original volume, which also deleted the associated encryption key	19:14
jvrbanac	redrobot, so they just want a 1-1 mapping	19:14
jvrbanac	interesting...	19:14
redrobot	jvrbanac yep... and this BP makes the copying a little more secure by keeping the secret inside barbican for the copying process.	19:14
jvrbanac	redrobot, ok... originally, I thought this kind of thing was where consumers was to help	19:15
jvrbanac	redrobot, since consumers allowed for someone to register their interest in the secret	19:15
redrobot	jvrbanac yeah, but they had a good argument for not using consumers... which I can't recall right now.	19:15
*** kebray has quit IRC		19:16
kfarr	mm I think it's because castellan wouldn't be able to support consumers	19:16
redrobot	kfarr yeah, that would make sense	19:18
kfarr	although (I put this in a comment on the spec) joel-coffman pointed out earlier this week that copy isn't really a standard key manager operation, and put out this merge request https://review.openstack.org/#/c/206126/	19:19
kfarr	to remove copy from castellan	19:20
redrobot	kfarr I see... interesting discussion to be had at mid-cycle then...	19:21
*** Kevin_Bishop has joined #openstack-barbican		19:21
redrobot	so PCKS#11 does support it but KMIP does not.	19:21
*** SheenaG has joined #openstack-barbican		19:21
kfarr	Yeah, probably better in person than over chat	19:21
redrobot	So the open question would be, do we want Castellan to support it, and force the KMIP castellan impl to do a retrieve/store ?	19:22
kfarr	Yeah, I guess the alternative would be to do the retrieve/store on the Cinder side of things when cloning and remove copy and not worry about the Barbican implementation	19:24
kfarr	If cloning volumes is the only use case	19:24
redrobot	i believe Cinder is already doing that... The Castellan question is still relevant I think.	19:25
*** kfarr1 has joined #openstack-barbican		19:26
*** ig0r_ has quit IRC		19:26
alee_	redrobot, kfarr, I'm ok with waiting till next week to decide if we really want this or not. I had put it in because of what I was seeing cinder doing - and figured that retrieving and storing keys could be done much more securely by keeping them in barbican.	19:29
kfarr	Yes, alee_ thanks so much for offering to implement the feature!	19:30
alee_	if we think no one is actually going to use this - there is no point in putting it in	19:30
alee_	kfarr, at the time, I thought this would be a trivial uncontroversial spec	19:31
alee_	chellygel, hockeynut jvrbanac -- I need a workflow on https://review.openstack.org/#/c/129377/	19:32
*** openstack has joined #openstack-barbican		19:33
*** openstackstatus has joined #openstack-barbican		19:33
*** ChanServ sets mode: +v openstackstatus		19:33
*** kfarr1 has quit IRC		19:33
redrobot	alee_ do you have time to look at https://review.openstack.org/#/c/174318/	19:34
jvrbanac	alee, I could see a use case for copying secrets to another barbican in a different regions or a federated barbican.	19:34
*** vivek-ebay has joined #openstack-barbican		19:34
alee_	jvrbanac, yeah - its the kind of thing which - if its there - will end up haivng uses I think.	19:35
*** vivek-eb_ has quit IRC		19:36
alee	redrobot, that looks like something I need to read up a bit on -- not sure if I can get to it today.	19:38
*** vivek-eb_ has joined #openstack-barbican		19:38
*** vivek-ebay has quit IRC		19:40
*** everjeje has quit IRC		19:42
elmiko	kfarr: how do you feel about a patch for the castellan docs to show a simple example of using castellan.key_manager.API to get a km and create a key or something?	19:43
elmiko	just so that new folks now how to use the basic elements of the lib	19:43
elmiko	*know	19:43
kfarr	elmiko more castellan docs would be great	19:45
elmiko	kfarr: cool, i might toss up a patch	19:45
kfarr	I've been wanting to add more, but have had other priorities	19:46
elmiko	totally understandable, that's why i asked. just wanted to see if anyone else had something in flight.	19:46
*** rm_work\|away is now known as rm_work		19:49
*** silos has joined #openstack-barbican		19:53
*** silos has left #openstack-barbican		19:53
kfarr	elmiko, not yet!	19:53
elmiko	kfarr: ack	19:53
*** everjeje has joined #openstack-barbican		19:54
openstackgerrit	Fernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation https://review.openstack.org/207202	19:55
*** kfarr has quit IRC		20:00
*** vivek-eb_ has quit IRC		20:01
*** vivek-ebay has joined #openstack-barbican		20:01
redrobot	elmiko it would be awesome to get castellan docs.	20:05
* redrobot makes a note to publish to https://docs.openstack.org/developer/castellan		20:05
elmiko	redrobot++	20:06
rm_work	castellannnnnn	20:06
elmiko	well, i did add some on my configuration change =)	20:06
rm_work	https://review.openstack.org/#/c/191884/9	20:06
rm_work	https://review.openstack.org/#/c/191884/9	20:06
rm_work	https://review.openstack.org/#/c/191884/9	20:06
elmiko	cough https://review.openstack.org/#/c/206180/	20:06
*** vivek-ebay has quit IRC		20:07
rm_work	yes yes	20:07
rm_work	the other chain needs to get moving though >_>	20:07
elmiko	true, i'll try and do some reviews there	20:08
rm_work	redrobot / rellerreller ^^	20:09
rm_work	https://review.openstack.org/#/c/191884/9	20:09
rm_work	WTB +2 +A	20:09
redrobot	rm_work BP blueprint is today, so all spec CRs got bumped to the top of my review queue	20:09
rm_work	<_<	20:10
*** kfarr has joined #openstack-barbican		20:12
redrobot	rm_work s/BP bluerpint/BP deadline/g	20:13
*** ChanServ sets mode: +o redrobot		20:13
*** redrobot changes topic to "Barbican Liberty Sprint Aug 5-7 https://etherpad.openstack.org/p/barbican-liberty-midcycle"		20:14
*** redrobot changes topic to "Barbican Liberty Mid-Cycle Sprint Aug 5-7 https://etherpad.openstack.org/p/barbican-liberty-midcycle"		20:14
redrobot	last call for pycharm licenses	20:20
diazjf	redrobot, looks good. excited to attend the sprint	20:20
elmiko	redrobot: pycharm licenses?	20:21
redrobot	elmiko we've had an open source license for PyCharm for the last 2 years. About to renew it, but they're issuing per-user licenses now, so I need to get a head count.	20:21
elmiko	redrobot: ah, very cool	20:22
* redrobot is a vim hipster and does not use PyCharm		20:22
elmiko	hehe, me too =)	20:22
elmiko	although we have a few folks who enjoy pycharm	20:22
redrobot	JetBrains makes solid IDEs	20:22
*** kebray has joined #openstack-barbican		20:22
elmiko	+1	20:23
redrobot	I don't think I would have lasted as long as I did as a Java developer without IntelliJ	20:23
elmiko	oh man, you need an ide for java	20:23
redrobot	yeah, my vim-fu is strong, but not java strong :-P	20:24
elmiko	haha, totally. i tried it once... once.	20:24
redrobot	elmiko lol	20:24
*** diazjf has left #openstack-barbican		20:25
elmiko	i actually did get an eclipse-vim integration layer working. it was pretty cool, but still not up for the task	20:25
*** edtubill has left #openstack-barbican		20:27
alee_	redrobot, I'm curious - whats the headcount?	20:36
redrobot	alee_ 5 so far	20:36
alee_	interesting - I would have expected more	20:37
rm_work	redrobot: really only 5?	20:39
rm_work	well, i am excited for new license, i am literally stalled on py-dev :P	20:39
redrobot	rm_work yup... all the cool kids are using vim now	20:39
rm_work	just went and did other stuff for a bit	20:39
rm_work	lol	20:39
rm_work	i mean i love VIM, and it's great for single-file stuff	20:40
rm_work	but	20:40
rm_work	for debugging unit tests, and development of large integrated systems.... WTB PyCharm	20:40
redrobot	vim + pdb ftw!	20:40
*** tkelsey has joined #openstack-barbican		20:40
elmiko	redrobot++	20:42
*** tkelsey has quit IRC		20:45
*** kebray has quit IRC		20:50
*** kfarr has quit IRC		20:54
*** kebray has joined #openstack-barbican		20:57
*** Kevin_Bishop has quit IRC		21:04
*** vivek-ebay has joined #openstack-barbican		21:04
*** dimtruck is now known as zz_dimtruck		21:04
*** darrenmoffat has quit IRC		21:07
*** zz_dimtruck is now known as dimtruck		21:07
*** vivek-ebay has quit IRC		21:08
*** darrenmoffat has joined #openstack-barbican		21:08
redrobot	rm_work alee_ jetbrains email sent... probably won't get licenses until Monday.	21:09
redrobot	rm_work alee_ I'll forward them as soon as I get them.	21:09
*** kebray has quit IRC		21:09
alee_	redrobot, cool thanks	21:09
*** SheenaG has quit IRC		21:13
*** rm_you has quit IRC		21:13
*** Kevin_Bishop has joined #openstack-barbican		21:16
rm_work	kk thanks redrobot	21:18
rm_work	why did they change i wonder? too much abuse?	21:18
redrobot	rm_work no idea... abuse seems likely though	21:18
jvrbanac	alee, I'm trying to understand the use for your enrollment spec.	21:27
jvrbanac	alee, I know dogtag supports various profiles; however, I'm trying to figure out where this fits with other CAs	21:28
jvrbanac	alee, I'm probably just missing something here	21:28
alee	jvrbanac, there are several ways in which to request a cert	21:28
*** rellerreller has quit IRC		21:29
alee	one is by using something like "simple-cmc", "or "fullcmc" or "stored_key"	21:29
alee	those are the standard ways of doing requesting a cert	21:29
alee	and they take standard attributes	21:29
alee	a final way -- and the first one we implemented is "custom"	21:30
alee	it allows you to request a cert from a particular ca using thats ca- specific parameters	21:30
alee	so if symantec or dogtag wants you to add some parameter that is not common to other cas	21:30
redrobot	jvrbanac BP provides an API to discover what the different required fields are, for a particular CA	21:31
alee	or if you want a special kind of cert that the ca provides ..	21:31
alee	exactly	21:31
*** superflyy has joined #openstack-barbican		21:31
redrobot	it should prove useful for symantec-specific certs	21:32
*** crc32 has quit IRC		21:34
jvrbanac	alee, interesting... so, is the idea that someone just hits the endpoint instead of having to go to our documentation?	21:35
alee	jvrbanac, its not our documentation -- its the documentation for that ca ..	21:35
redrobot	yup, dynamic docs if you will...	21:36
alee	jvrbanac, (for the custom case)	21:36
alee	but yes , for the default case too	21:36
alee	dynamic docs :)	21:36
redrobot	I don't think it would be terribly useful in python-barbicanclient, but it would be awesome for Horizon	21:37
redrobot	they could parse the response and create a custom form with all the required fields	21:37
*** dimtruck is now known as zz_dimtruck		21:37
alee	redrobot, yup	21:37
alee	redrobot, that was the goal -- client generating whatever forms they needed - when we implemented this in dogtag	21:38
*** rm_you has joined #openstack-barbican		21:38
*** rm_you has quit IRC		21:38
*** rm_you has joined #openstack-barbican		21:38
jvrbanac	redrobot, that sounds hella dangerous.	21:38
alee	jvrbanac, why?	21:39
alee	jvrbanac, its up the ca ultimately as to whether they will approve the cert request?	21:39
alee	jvrbanac, and the ca is what is providing the data that needs to be shared	21:40
redrobot	yeah, we've talked about it with reaperhulk before, and he agreed that a discovery API is necessary to deal with CA differences.	21:40
jvrbanac	alee, I was referring to using a third-party service to determine what ends up getting submitted through your frontend system. I guess it's a probably with any discovery api, it just feels dangerous.	21:42
jvrbanac	redrobot, ^	21:42
jvrbanac	s/probably/problem/	21:42
alee	jvrbanac, barbican is a front end for ca's - its not a ca itself. so it needs to know how to communcate with cas and pas that info to the clients.	21:43
jvrbanac	alee, I was referring to a frontend like Horizon	21:44
redrobot	jvrbanac I do agree, dynamic form building from api responses sounds scary... we'll just have to keep our eye on the Horizon bits to make sure they're not shooting themselves in the foot.	21:44
jvrbanac	redrobot, famous last words right?	21:48
redrobot	jvrbanac :)	21:49
jvrbanac	alee, sooo if this indicates required fields then we would have to have separate profiles for DV, EV, SANs, etc per plugin right?	21:52
alee	jvrbanac, potentially -- dependss on the plugin	21:53
alee	jvrbanac, different plugins will choose to handle different type of certs differently	21:55
redrobot	jvrbanac I would think that each symantec offering would have a different profile, yes.	21:58
jvrbanac	alee, redrobot, well, If I understand things correctly, any reseller is going to require organization info for validation of an OV. So every plugin that supported provisioning of an OV would also need that correct?	21:58
jvrbanac	alee, redrobot, I'm just wondering how big the code behind this discovery api will become.	22:00
alee	jvrbanac, that seems logical. I think we need to explore these kinds of questions when we decide to add new types of certs (profiles) to the common api.	22:02
alee	jvrbanac, I dont think its too big -- in the custom case, we defer to the plugins to provide whatever info they wish	22:02
alee	jvrbanac, in the common api - we provide whatever we choose to syupport	22:03
*** redrobot_mobile has joined #openstack-barbican		22:04
alee	jvrbanac, no one said building a common api for all cas was easy -- thats why we solve the simplest and most common cases first -- and provide a mechanism for the custom cases if needed.	22:05
alee	the discovey api facilitates both	22:05
redrobot	alee agreed	22:09
redrobot	jvrbanac I don't think we should hold up this BP based on difficulty/size of implementation.	22:09
jvrbanac	redrobot, that's not really my concern	22:09
redrobot	jvrbanac I'm not sure I understand your concern, then	22:10
*** nelsnelson has quit IRC		22:11
jvrbanac	redrobot, outside of someone hooking this up to a external frontend (which I'm really not a big fan of), I'm still trying to see why someone would use this over our documentation. If we support a CA plugin, that means we have to document what it supports.	22:12
alee	jvrbanac, a dogtag ca admin may decide to only support certain profiles. Others may choose to support different profiles or even custom ones, And this may change at any time.	22:18
alee	jvrbanac, this gives us a way to determine what a particular ca supports	22:19
alee	not just a particular type of ca, but a particular ca	22:19
alee	jvrbanac, moreover, are you saying that you're trying to document evverything that dogtag or symantec or digicert supports?	22:20
redrobot	I think that while this could all be documented, having the profiles defined in code could also help with validation.	22:23
alee	redrobot, jvrbanac need to head off soon. brain switching off ..	22:27
redrobot	alee yeah, I hear beer calling my name	22:28
redrobot	alee I added a bullet point to the mid-cycle etherpad for BP Freeze Exceptions... I'm sure we'll pick up this conversation again during that.	22:30
redrobot	also of interest to xek, I think ^^	22:30
alee	:/	22:30
jvrbanac	alee, redrobot so I get the dogtag use case as it can change; potentially frequently. However, considering I don't see Symantec and Digicert changing things all the time, it just makes me wonder. If we're putting this in for the dogtag use-case, but I'm just trying to look at this from a 10,000 ft level and as if I don't know anything about it	22:31
redrobot	I don't think Symantec would change their process often, but I do see agreement levels between 3rd party resellers (such as Rack) and CAs as potentially changing	22:32
alee	jvrbanac, either way this provides a mechanism for dealing with that change when it happens without having to rewrite a bunch of docs	22:33
redrobot	I do think the front end use case is a valid one. Without this API Horizon would be forced to create UIs for every single possible certificate type ahead of time...	22:35
*** SheenaG has joined #openstack-barbican		22:36
*** spotz is now known as spotz_zzz		22:38
*** Kevin_Bishop has quit IRC		22:42
*** alee is now known as alee_beer		22:44
*** superflyy has quit IRC		22:52
*** alee_beer is now known as alee_loopy_afk		22:55
*** SheenaG has quit IRC		22:56
*** pglass has quit IRC		23:01
*** tkelsey has joined #openstack-barbican		23:04
*** SheenaG has joined #openstack-barbican		23:11
*** tkelsey has quit IRC		23:11
*** redrobot_mobile has quit IRC		23:22
*** mixos has joined #openstack-barbican		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!