Thursday, 2015-11-05

*** jhfeng has joined #openstack-security		00:00
*** austin987 has quit IRC		00:00
*** ccneill has quit IRC		00:01
*** markvoelker has quit IRC		00:06
*** jhfeng has quit IRC		00:14
*** jian5397 has joined #openstack-security		00:21
*** dave-mccowan has joined #openstack-security		00:22
*** jerrygb has joined #openstack-security		00:31
*** jerrygb has quit IRC		00:32
*** markvoelker has joined #openstack-security		00:47
*** austin987 has joined #openstack-security		00:51
*** dave-mccowan has quit IRC		00:53
*** dave-mccowan has joined #openstack-security		00:59
*** y_sawai has joined #openstack-security		01:12
*** dave-mccowan has quit IRC		01:17
*** y_sawai has quit IRC		01:17
*** dave-mccowan has joined #openstack-security		02:07
*** jian5397 has quit IRC		02:11
*** tkelsey has joined #openstack-security		02:17
*** bpokorny_ has joined #openstack-security		02:21
*** tkelsey has quit IRC		02:22
*** bpokorny has quit IRC		02:25
*** bpokorny_ has quit IRC		02:26
*** dave-mcc_ has joined #openstack-security		02:55
*** dave-mccowan has quit IRC		02:56
*** dave-mccowan has joined #openstack-security		02:58
*** dave-mcc_ has quit IRC		03:01
*** jian5397 has joined #openstack-security		03:07
*** jian5397 has quit IRC		03:11
*** yuanying_ has joined #openstack-security		03:21
*** yuanying has quit IRC		03:21
*** yuanying_ has quit IRC		03:36
*** dave-mccowan has quit IRC		03:44
*** markvoelker has quit IRC		03:54
*** jhfeng has joined #openstack-security		03:59
*** yuanying has joined #openstack-security		04:08
*** tkelsey has joined #openstack-security		04:19
*** tkelsey has quit IRC		04:24
*** jhfeng has quit IRC		04:34
*** jhfeng has joined #openstack-security		04:36
*** jhfeng has quit IRC		04:37
*** jian5397 has joined #openstack-security		04:37
*** markvoelker has joined #openstack-security		04:55
*** markvoelker has quit IRC		05:00
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Add better names validator and deprecate older one https://review.openstack.org/241883	05:27
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Add better names validator and deprecate older one https://review.openstack.org/241883	05:29
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Enable branch coverage reporting https://review.openstack.org/241886	05:33
*** salv-orlando has quit IRC		05:46
*** salv-orlando has joined #openstack-security		05:46
openstackgerrit	Stanislaw Pitucha proposed openstack/bandit: Test for bug 1513091 https://review.openstack.org/241890	05:48
openstack	bug 1513091 in Bandit "Current command injection behavior isn't correct" [High,Fix committed] https://launchpad.net/bugs/1513091	05:48
*** salv-orl_ has joined #openstack-security		05:55
*** salv-orlando has quit IRC		05:57
*** jian5397 has quit IRC		06:46
*** markvoelker has joined #openstack-security		06:56
*** markvoelker has quit IRC		07:01
*** tmcpeak has joined #openstack-security		07:09
*** alex_klimov has joined #openstack-security		07:22
*** alex_klimov has quit IRC		07:31
*** alex_klimov has joined #openstack-security		07:31
*** y_sawai has joined #openstack-security		07:47
*** jamielennox is now known as jamielennox\|away		07:54
*** jamielennox\|away is now known as jamielennox		07:54
*** jamielennox is now known as jamielennox\|away		07:57
*** openstackgerrit has quit IRC		08:16
*** openstackgerrit has joined #openstack-security		08:16
*** tkelsey has joined #openstack-security		08:18
*** tkelsey has quit IRC		08:23
*** openstack has joined #openstack-security		08:35
*** markvoelker has joined #openstack-security		08:57
*** markvoelker has quit IRC		09:01
*** browne has quit IRC		09:09
*** shohel has joined #openstack-security		09:18
*** salv-orlando has joined #openstack-security		09:21
*** salv-orlando has quit IRC		09:22
*** salv-orl_ has quit IRC		09:24
*** salv-orlando has joined #openstack-security		09:57
*** markvoelker has joined #openstack-security		09:57
*** browne has joined #openstack-security		09:58
*** salv-orlando has quit IRC		10:00
*** jamielennox\|away is now known as jamielennox		10:01
*** markvoelker has quit IRC		10:02
*** salv-orlando has joined #openstack-security		10:02
*** browne has quit IRC		10:03
*** misc has quit IRC		10:06
*** misc has joined #openstack-security		10:08
*** salv-orlando has quit IRC		10:18
*** salv-orlando has joined #openstack-security		10:18
*** jerrygb has joined #openstack-security		10:58
*** markvoelker has joined #openstack-security		11:13
*** alex_klimov has quit IRC		11:16
*** markvoelker has quit IRC		11:18
*** y_sawai has quit IRC		11:32
*** alex_klimov has joined #openstack-security		11:45
*** jian5397 has joined #openstack-security		11:47
*** alex_klimov has quit IRC		11:51
*** alex_klimov has joined #openstack-security		11:51
*** jian5397 has quit IRC		11:52
*** alex_klimov has quit IRC		11:52
*** alex_klimov has joined #openstack-security		11:53
*** tmcpeak has quit IRC		11:53
*** jian5397 has joined #openstack-security		11:53
*** jian5397 has quit IRC		11:58
*** jian5397 has joined #openstack-security		12:02
*** jerrygb has quit IRC		12:10
*** dave-mccowan has joined #openstack-security		12:42
*** salv-orlando has quit IRC		12:42
*** tmcpeak has joined #openstack-security		12:49
*** subscope has joined #openstack-security		12:59
*** y_sawai has joined #openstack-security		13:02
*** jamielennox is now known as jamielennox\|away		13:08
*** jian5397 has quit IRC		13:08
*** jerrygb has joined #openstack-security		13:11
*** tjt263 has joined #openstack-security		13:12
*** tjt263 has left #openstack-security		13:13
*** markvoelker has joined #openstack-security		13:14
*** jerrygb has quit IRC		13:16
*** markvoelker_ has joined #openstack-security		13:18
*** markvoelker has quit IRC		13:18
*** jian5397 has joined #openstack-security		13:25
*** jian5397 has quit IRC		13:29
*** jian5397 has joined #openstack-security		13:30
*** edmondsw has joined #openstack-security		13:34
*** y_sawai has quit IRC		13:40
*** salv-orlando has joined #openstack-security		13:44
*** jian5397 has quit IRC		13:55
*** jian5397 has joined #openstack-security		13:56
*** Guest21180 has joined #openstack-security		13:57
*** Guest21180 has quit IRC		13:57
*** salv-orlando has quit IRC		13:59
*** salv-orlando has joined #openstack-security		13:59
*** y_sawai has joined #openstack-security		14:02
*** jerrygb has joined #openstack-security		14:04
openstackgerrit	Cyril Roelandt proposed openstack/bandit: Add a configuration generator for bandit https://review.openstack.org/242077	14:13
*** dave-mccowan has quit IRC		14:17
*** dave-mccowan has joined #openstack-security		14:36
*** _elmiko has quit IRC		14:44
*** _elmiko has joined #openstack-security		14:45
*** jhfeng has joined #openstack-security		15:14
*** blanki has joined #openstack-security		15:21
*** blanki has left #openstack-security		15:21
*** sigmavirus24_awa is now known as sigmavirus24		15:26
*** jian5397 has quit IRC		15:28
*** markvoelker has joined #openstack-security		15:30
*** markvoelker_ has quit IRC		15:31
*** salv-orlando has quit IRC		15:34
*** salv-orlando has joined #openstack-security		15:35
*** markvoelker_ has joined #openstack-security		15:35
*** markvoelker has quit IRC		15:37
*** salv-orl_ has joined #openstack-security		15:56
*** tkelsey has quit IRC		15:56
*** tkelsey has joined #openstack-security		15:56
*** salv-orlando has quit IRC		15:59
*** alex_klimov has quit IRC		16:09
*** salv-orl_ has quit IRC		16:10
*** tjt263 has joined #openstack-security		16:12
*** jerrygb has quit IRC		16:13
*** jerrygb has joined #openstack-security		16:15
*** ccneill has joined #openstack-security		16:17
*** austin987 has quit IRC		16:17
*** browne has joined #openstack-security		16:19
*** dave-mccowan has quit IRC		16:24
*** dave-mccowan has joined #openstack-security		16:28
*** hyakuhei has joined #openstack-security		16:29
*** jerrygb has quit IRC		16:31
*** jerrygb has joined #openstack-security		16:31
*** austin987 has joined #openstack-security		16:34
*** bpokorny has joined #openstack-security		16:39
*** timkennedy has joined #openstack-security		16:41
*** y_sawai has quit IRC		16:42
*** subscope has quit IRC		16:50
*** mihero_ has joined #openstack-security		16:53
*** Daviey_ has joined #openstack-security		16:54
*** dlitz has joined #openstack-security		16:55
*** misc_ has joined #openstack-security		16:56
*** barra204 has joined #openstack-security		16:58
*** dave-mccowan has quit IRC		16:59
*** Steap_ has joined #openstack-security		17:03
*** Steap_ is now known as Steap		17:03
Steap	tmcpeak: hey, I'm Cyril :)	17:04
tmcpeak	Steap: hey man, how's it going?	17:04
tmcpeak	so I like what you've done with the config generator	17:04
hyakuhei	meeting oclock	17:04
*** misc has quit IRC		17:04
*** Daviey has quit IRC		17:04
*** dlitz_ has quit IRC		17:04
*** mihero has quit IRC		17:04
*** shakamunyi has quit IRC		17:04
tmcpeak	damn, rly?	17:05
*** gmurphy has joined #openstack-security		17:05
tmcpeak	it changed with daylight savings I guess?	17:05
hyakuhei	yarp	17:05
hyakuhei	Well no, it didnt change	17:05
*** agireud has quit IRC		17:05
hyakuhei	it’s 1700 UTC	17:05
tmcpeak	ahh	17:05
tmcpeak	good point	17:05
tmcpeak	it changed last week or so and I didn't notice bc we didn't do a meeting	17:06
*** agireud has joined #openstack-security		17:07
* Steap came precisely at the wrong time		17:07
tmcpeak	Steap: can I grab you after OSSG meeting?	17:08
Steap	tmcpeak: in an hour ?	17:08
tmcpeak	yeah	17:09
tmcpeak	what timezone are you in?	17:09
Steap	ok, works for me	17:09
tmcpeak	ok cool, talk to you then	17:09
tmcpeak	thanks	17:09
Steap	tmcpeak: Paris	17:09
tmcpeak	ahh cool, same as me	17:09
Steap	hehe	17:09
tmcpeak	if it's late for you we can catch up tomorrow	17:09
Steap	nah, no problem, I'll be available for like ~45 minutes	17:10
Steap	should be enough :)	17:10
tmcpeak	awesome, sounds good	17:11
*** austin987 has quit IRC		17:34
*** subscope has joined #openstack-security		17:34
*** timkennedy has quit IRC		17:35
*** timkennedy has joined #openstack-security		17:41
*** subscope has quit IRC		17:47
*** austin987 has joined #openstack-security		17:49
tmcpeak	Steap: hey, stillaround?	17:59
*** shohel has quit IRC		17:59
Steap	tmcpeak: yeah	17:59
tmcpeak	cool, so I guess my preference is to generate configs with 'All' intact, at least for reference purposes	18:00
Steap	so maybe add the disabled checkers to "exclude" ?	18:00
tmcpeak	yeah, does exclude still work?	18:00
*** timkennedy has quit IRC		18:00
* tmcpeak doesn't remember		18:01
tmcpeak	if it does I think that's the best solution	18:01
*** dg_ has joined #openstack-security		18:01
Steap	tmcpeak: I think so	18:01
tmcpeak	ahh cool	18:01
Steap	well, technically, a checker not in "include" is excluded	18:01
tmcpeak	yeah that would be great then	18:01
tkelsey	Steap: +1	18:01
*** timkennedy has joined #openstack-security		18:01
tmcpeak	true	18:01
Steap	but well, ok	18:01
Steap	I'd keep deleting the associated checker config, though	18:02
Steap	any thoughts on that ?	18:02
tmcpeak	deleting the checker config?	18:02
tmcpeak	sorry I'm not following	18:02
dg_	redrobot you wanted to talk killick?	18:03
*** dave-mccowan has joined #openstack-security		18:03
tmcpeak	Steap: at any rate, it's just a suggestion. You're writing the tool to be useful to you and others	18:04
tmcpeak	I'm good with any of these	18:04
tmcpeak	the tool looks good	18:04
tmcpeak	I'm happy to +2 it as is	18:04
Steap	tmcpeak: I'm talking about specific configuration	18:04
tmcpeak	I'd just prefer to leave some place with the entire list of tests	18:04
Steap	like the one for blacklist_calls, which lists blacklisted calls	18:04
*** browne has quit IRC		18:05
Steap	if a user wants to disable the blacklist_calls checker, keeping the configuration is kind of weird	18:05
tmcpeak	oh right	18:05
tmcpeak	yeah that makes sense	18:05
Steap	I'm also wondering how exactly other projects will use that	18:05
Steap	not ure whether they'll use bandit.yaml, bandit-conf-genrator.yaml, or both	18:06
tmcpeak	this seems like a reasonable first revision though	18:06
tmcpeak	we can always enhance as needed in the future	18:06
*** salv-orlando has joined #openstack-security		18:15
ccneill	hey all, no meeting today?	18:18
ccneill	or do I have my times messed up	18:19
tmcpeak	ccneill: yeah, time messed	18:22
tmcpeak	lots of us did it but luckily hyakuhei dropped by and rounded a few of us up	18:22
ccneill	did I already miss it? :X	18:22
tmcpeak	yeah man :)	18:23
ccneill	aw, alright	18:23
ccneill	I'll update my calendar	18:23
tmcpeak	sweet, catch you next week	18:23
ccneill	yep yep	18:23
Steap	tmcpeak: I'll update the patch tomorrow, gotta go right now	18:24
tmcpeak	Steap: cool, sounds good	18:25
*** salv-orlando has quit IRC		18:35
*** tkelsey has quit IRC		18:42
*** dave-mccowan has quit IRC		18:44
redrobot	dg_ just got back from lunch... hyakuhei put me up to it. :)	18:46
dg_	haha	18:46
redrobot	dg_ I did leave some comments on the spec.	18:48
redrobot	dg_ My prefences in order would be:	18:49
redrobot	dg_ 1. Collaborate on Barbican instead of starting a new project. We could add an optional RA API to Barbican to support the admin side of Killick	18:49
redrobot	dg_ 2. Develop Killick with the ACME API only (ie no new Cert ordering API)	18:50
*** browne has joined #openstack-security		18:50
redrobot	dg_ 3. Develop Killick using a subset of the existing Barbican API	18:50
redrobot	dg_ my main concern is in adding a new cert ordering API to OpenStack... especially because most of the user-facing use cases are already covered by the Barbican API	18:51
dg_	ok, so 1. isnt really an option due to resourcing	18:53
*** dave-mccowan has joined #openstack-security		18:53
dg_	2. we plan to support ACME later, currently Killick just uses the anchor API	18:53
dg_	having run a pki for 4 years, the most common use case for a traditional pki is to curl a CRL to a CA	18:54
dg_	i.e. the anchor API	18:54
dg_	I see no reason why killick couldnt plug into barbican as a CA plugin	18:55
dg_	however, afaik barbican has none of the issue/deny/revoke functionality built into the API? so a certificate administrator would still need to touch the killick gui?	18:55
redrobot	dg_ currently they're not available, but the specs have been in review for a while now	18:56
redrobot	dg_ also it would be nice to have only one gui, instead of having both barbican and killick in horizon	18:56
dg_	yeah totally agree	18:57
redrobot	dg_ the killick spec doesn't go into details about the API so I was speculating on it having a brand new API	18:57
dg_	so we are pegging it for the simplest case - someone needs a ca for an interface	18:57
*** jerrygb has quit IRC		18:57
dg_	s/ca/certificate	18:57
*** jerrygb has joined #openstack-security		18:58
dg_	in that case, most people dont want a complex api, they litterally want to do curl a crl at a rest api	18:59
dg_	thats what we have for anchor, hence using it for killick, but for futureproofing and compatibility I really want to support ACME as it seems like a big step forwards	18:59
jkf	fg	18:59
jkf	sorry, wrong window	19:00
redrobot	dg_ but you'll need more than jus that API right? For revokation and all that other cert management goodness. It would be awesome if we could sync up Barbican and Killick so that those APIs are consistent across both projects	19:02
redrobot	dg_ then you could drop in either one... and clients would work on clouds that have either, or both.	19:02
dg_	so i assumed you were talking about the user api	19:03
*** jerrygb has quit IRC		19:03
dg_	you are correct, the administrator api is more complicated	19:03
*** ccneill has quit IRC		19:03
redrobot	dg_ well, a user has to be able to request revocation of his cert, I think	19:03
dg_	in most infrastructure deployments that is managed by a ticketing system	19:04
redrobot	dg_ so you wouldn't have a horizon gui to request revocation?	19:05
dg_	we hadnt considered a need for that, although potentially	19:05
dg_	currently with killick, you just do something like: curl -X POST http://0.0.0.0:5000/v1/list/pending	19:06
dg_	and it returns a list of pending certificates	19:06
dg_	or curl -X POST http://0.0.0.0:5000/v1/status/<request_id>	19:06
dg_	which returns the validation result for the certificate, if it has been issued, etc	19:07
dg_	(authn/z is a nightmare which I havent had time to think about properly	19:07
hyakuhei	AuthN you can probably take from Anchor, Z is harder	19:08
dg_	yeah, lets leave that out of scope for the moment and sit down with a coffee and a whiteboard at some point	19:08
hyakuhei	+1	19:09
hyakuhei	So revocation gets messy, there are some nice ways to do it without AuthN, or rather using the private key as the AuthN	19:09
hyakuhei	Is the Barbican API written up nicely anywhere? Honestly I’ve not looked at it	19:09
*** ccneill has joined #openstack-security		19:10
redrobot	hyakuhei http://docs.openstack.org/developer/barbican/api/userguide/certificates.html	19:10
hyakuhei	cheers	19:12
dg_	how about the issue/deny/revoke certificate administration api?	19:12
redrobot	dg_ we're really just user-focused at this time, so we don't have an admin api	19:13
redrobot	dg_ the assumption now is that your CA will do the work, or if it's internal you'd go directly to DogTag or whatever	19:14
redrobot	Revoke https://review.openstack.org/#/c/157989/	19:15
redrobot	Cancel (for pending certs) https://review.openstack.org/#/c/157887/	19:15
redrobot	Renew https://review.openstack.org/#/c/159969/	19:15
dg_	ok, so that sounds a lot like you have two gui's, one for barbican and one for your CA...	19:15
redrobot	dg_ well, for a public CA you don't need a 2nd gui	19:17
*** salv-orlando has joined #openstack-security		19:17
*** jian5397 has joined #openstack-security		19:18
dg_	so my assumption was that if I wanted a certificate from a public ca, I would just submit a CSR to verisign/whoever	19:18
dg_	rather than doing that via barbican	19:19
redrobot	dg_ public CAs cert issuance is one of the reasons Rackspace started Barbican	19:20
redrobot	dg_ we've been working with Symantec and they're ramping up to start contributing to the project	19:20
dg_	interesting, whats the use-case?	19:20
*** jian5397 has quit IRC		19:22
redrobot	dg_ Rackspace resells Symantec certs. Our customers order them from us, and we use Symantec's API to provision them.	19:23
redrobot	dg_ currently it requires a lot of manual work	19:23
dg_	cool! this is on your public cloud?	19:24
redrobot	dg_ not yet... the Symantec backend still needs some work.	19:24
dg_	but in theory, its something like this:	19:24
dg_	so as $customer, I decide that I want dougserver.rackspacecloud.net, put in a request using barbican/horizon, that forwards the request to symantec, issues the cert and bills me?	19:25
redrobot	dg_ yup, and when your cert is issued it's stored within Barbican, so it's nice and safe	19:26
redrobot	dg_ Digicert was also interested a while back, but their developer went MIA	19:26
dg_	ok thats pretty cool	19:27
dg_	the thing I love about pki is that the more people you talk to, the more completly new usecases you come across	19:27
*** tmcpeak has quit IRC		19:28
dg_	which bits of that usecase currently work?	19:33
redrobot	dg_ when using a DogTag backend pretty much everything works... Symantec integration was almost there, but then they turned off the API we were using, so they're developing a new backend for their new API.	19:35
redrobot	dg_ one problem I see now, that I was talking to hyakuhei about in Tokyo, is that we have a feature that only works in DogTag	19:36
redrobot	dg_ namely that you can provision a new CA root owned by your project and issue certs off of that.	19:36
dg_	yeah thats a cool feature	19:36
redrobot	dg_ I would like for barbican to have a non-dogtag option	19:37
dg_	likewise	19:37
dg_	I think barbican is a great product, and have had a lot of good discussion with Ade about Dogtag, but it isnt the right CA for us	19:38
chair6	integration with https://letsencrypt.org/ would be a nice alternative to symantec :)	19:38
dg_	+1	19:38
redrobot	dg_ yeah, so to support a non-dogtag option, barbican is going to start behaving more like a CA... which is why I would not be opposed to adding an RA API	19:39
*** salv-orlando has quit IRC		19:39
redrobot	dg_ we also talked about possibly using anchor and spinning up new anchor instances every time a new CA root is needed.	19:40
dg_	the issue there is that anchor totally lacks revocation functionality, which you really should have, if you are not using short-term certs	19:40
redrobot	dg_ yup... which is why I think Barbican is kinda headed the same way Killick is	19:41
hyakuhei	… if revocation worked….	19:41
hyakuhei	which it doesn't	19:41
hyakuhei	so if everyone could just use anchor …. that’d be great :P	19:42
dg_	hyakuhei shhhhh	19:42
dg_	you'll be saying santa doesnt exist next	19:42
redrobot	chair6 agreed! But there's some work in Barbican that would be needed... here are my thoughts on what it would take to add Let's Encrypt (or any other ACME CA) to Barbican http://lists.openstack.org/pipermail/openstack-dev/2015-September/075630.html	19:43
hyakuhei	chair6: redrobot yeah we discussed ACME for a few things	19:43
dg_	so maybe making killick acme compliant and making barbican acme compliant is the way to go? getting two birds with one stone	19:44
hyakuhei	Running an internal instance of letsencrypt might be smart too	19:44
redrobot	dg_ +1 ... with the caveats I mentioned on the ML link :)	19:44
redrobot	hyakuhei yup, I was thinking about that for our internal CA	19:45
redrobot	hyakuhei currently the internal CA process is: email the team that owns the CA >_>	19:45
chair6	https://github.com/letsencrypt/boulder does look interesting, could be an alternative to building another x CAs..	19:46
dg_	+1	19:46
redrobot	chair6 I mentioned that in the Killick spec :)	19:46
hyakuhei	ACME fits super nicely with DNSaaS	19:47
*** jian5397 has joined #openstack-security		19:53
*** jerrygb has joined #openstack-security		19:53
*** alex_klimov has joined #openstack-security		19:53
*** ccneill_ has joined #openstack-security		19:57
*** ccneill has quit IRC		19:57
*** ccneill__ has joined #openstack-security		19:58
*** ccneill__ has quit IRC		19:58
dg_	redrobot so how far has the barbican RA work progressed?	19:58
*** salv-orlando has joined #openstack-security		20:00
*** dave-mccowan has quit IRC		20:00
*** ccneill_ has quit IRC		20:01
*** alejandrito has joined #openstack-security		20:02
*** salv-orlando has quit IRC		20:05
*** salv-orlando has joined #openstack-security		20:06
*** tkelsey has joined #openstack-security		20:13
*** dave-mccowan has joined #openstack-security		20:14
hyakuhei	I still think having an RA inside Barbican CMS is a _bad_ idea	20:15
dg_	so theres a few things I like about using killick over something like boulder - we get the marjority of the functionality for free from anchor, we get the validation functionality from anchor (which will massively improve the UX for the certificate administrator), its super lightweight, and we own it	20:17
*** tkelsey has quit IRC		20:17
dg_	currently killick is about 400loc, the only missing functionality is the auth and the revocation	20:17
*** dave-mccowan has quit IRC		20:18
dg_	plus we get to use future anchor functionality, like hsm integration, for free	20:18
hyakuhei	There’s something to be said for a pure-python CA too	20:18
*** dave-mccowan has joined #openstack-security		20:19
dg_	the disadvantage is that we will need to add crl signing to anchor, which makes me :(	20:20
hyakuhei	So there is probably a way to do that	20:24
dg_	it should be a fairly minor addition, i just havent had a couple of days to do it	20:25
hyakuhei	So the problem is doing it without breaking the statefulness	20:27
dg_	statelessness?	20:27
hyakuhei	^^^^ yup	20:27
*** jhfeng has quit IRC		20:27
dg_	so i dont think i care	20:27
hyakuhei	I do, I want silo’s to continue to work, for things like the ansible case	20:28
hyakuhei	lets chat about it tomoz	20:28
dg_	but anchor will not use the revocation functionality, so will continue to be stateless	20:28
dg_	killick is not stateless by its nature	20:28
dg_	totally agree that the ability to silo anchor is far more important than making another ca, no matter how cool killick is	20:29
*** jhfeng has joined #openstack-security		20:29
redrobot	sorry, there was a fire drill at work... back now	20:36
dg_	np	20:36
dg_	hyakuhei and me are more or less done for the day	20:36
redrobot	dg_ no RA in Barbican. We've been pushing that off to the CA. The only thing that might change that is adding support for the per-project-CAs in a non-dogtag fashion...	20:37
*** jhfeng has quit IRC		20:42
*** dg_ has quit IRC		20:53
*** jian5397 has quit IRC		20:58
*** jian5397 has joined #openstack-security		21:03
*** hyakuhei has quit IRC		21:05
*** hyakuhei has joined #openstack-security		21:10
*** jhfeng has joined #openstack-security		21:20
*** hyakuhei has quit IRC		21:23
*** mihero_ has quit IRC		21:30
*** jian5397 has quit IRC		21:43
*** mihero has joined #openstack-security		21:51
*** edmondsw has quit IRC		21:52
*** salv-orlando has quit IRC		22:06
*** salv-orlando has joined #openstack-security		22:06
*** ccneill has joined #openstack-security		22:24
*** alex_klimov has quit IRC		22:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/242247	22:37
*** alejandrito has quit IRC		22:41
*** bpokorny_ has joined #openstack-security		22:44
openstackgerrit	Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/242247	22:48
*** bpokorny has quit IRC		22:48
*** jamielennox\|away is now known as jamielennox		22:59
*** jerrygb has quit IRC		23:08
*** sigmavirus24 is now known as sigmavirus24_awa		23:22
*** bpokorny_ has quit IRC		23:29
*** bpokorny has joined #openstack-security		23:30
*** jerrygb has joined #openstack-security		23:33
*** salv-orlando has quit IRC		23:37
*** jhfeng has quit IRC		23:42
*** jerrygb_ has joined #openstack-security		23:49
*** jerrygb has quit IRC		23:50
*** austin987 has quit IRC		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!