I'm certainly more interested in the push model, if only to create parity with Azure, AWS and Google.

I suggest we start the BYOK discussions on Wednesday focusing on push. If there's an interest in shifting discussion to the pull model in the Thursday session then I have no objection to that, let the room decide?

Rob

On 22 Apr 2016 5:08 p.m., "Fox, Kevin M" <kevin....@pnnl.gov> wrote:

Oh, I think I understand. Something like:

You set up your private cloud with a public region ala K2K federation. The other Cloud then shows up as another region in your cloud. This would then allow your barbican in one region to be accessible to VMs launched in the public region? Kind of a cross region barbican use case?

Thanks,
Kevin

________________________________________
From: Douglas Mendizábal [douglas.mendiza...@rackspace.com]
Sent: Friday, April 22, 2016 2:46 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

No conflicts with your cross-project session as far as I can tell.

In a nutshell BYOK-Push is a model where the customer retains full control of their cryptographic keys. The customer is expected to provide the necessary keys each and every time a request is made that requires some cryptographic operation. Amazon S3's SSE-C encryption [1] would be a good example of this model.

In a BYOK-Pull model, the customer would grant access to their cloud provider for some key management system inside their private infrastructure. For example this model could be used in a hybrid cloud where the customer has an on-premise barbican that can provide keys on-demand to the public cloud provider.

+1 to not spending a lot of time talking about a model that no one is interested in implementing. My impression at the last joint Barbican/OSSP mid-cycle was that most people were interested in the push model.

[1] http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

On 4/22/16 4:03 PM, Fox, Kevin M wrote:
> Can you please give a little more detail on what it's about?
>
> Does this have any overlap with the instance user session:
> https://www.openstack.org/summit/austin-2016/summit-schedule/events/9485
>
> Thanks, Kevin
>
> ------------------------------------------------------------------------
>
> *From:* Rob C [hyaku...@gmail.com]
> *Sent:* Friday, April 22, 2016 1:44 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions
>
> So that's one vote for option A and one vote for another vote :)
>
> On 22 Apr 2016 4:25 p.m., "Nathan Reller" <nathan.s.rel...@gmail.com> wrote:
>
>> Thoughts?
>
> Is anyone interested in the pull model or actually implementing it?
> I say if the answer to that is no then only discuss the push model.
>
> Note that I am having a talk on BYOK on Tuesday at 11:15. My talk
> will go over provider key management, the push model, and the pull
> model. There are some aspects of design in it that will likely
> interest people. You might want to take the poll after session
> because I'm not sure how many people know what the differences
> are.
>
> -Nate
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
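
The two models described in the thread, side by side, as an added sketch that is not part of any message above and is not Barbican or S3 code. All class and function names are hypothetical, and `seal`/`unseal` are a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(key, plaintext):
    """Stand-in authenticated cipher (stdlib only); a deployment would use AES-GCM."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(_hmac(key, b"enc") + nonce).digest(len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    return body + _hmac(_hmac(key, b"mac"), body)   # encrypt-then-MAC

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _hmac(_hmac(key, b"mac"), body)):
        raise PermissionError("wrong key or modified object")
    stream = hashlib.shake_256(_hmac(key, b"enc") + body[:16]).digest(len(body) - 16)
    return bytes(a ^ b for a, b in zip(body[16:], stream))

class PushStore:
    """BYOK-Push: the caller sends the key with every request; only ciphertext is kept."""
    def __init__(self):
        self.objects = {}                       # name -> ciphertext, never the key
    def put(self, name, data, key):
        self.objects[name] = seal(key, data)    # key is used and then dropped
    def get(self, name, key):
        return unseal(key, self.objects[name])

class CustomerKeyManager:
    """Hypothetical stand-in for the customer's on-premise key manager (pull model)."""
    def __init__(self, keys):
        self.keys, self.granted = dict(keys), set(keys)
    def revoke(self, ref):
        self.granted.discard(ref)               # customer withdraws provider access
    def fetch(self, ref):                       # called by the provider, on demand
        if ref not in self.granted:
            raise PermissionError("customer revoked provider access")
        return self.keys[ref]

class PullStore:
    """BYOK-Pull: the provider keeps a key reference and fetches the key when needed."""
    def __init__(self, fetch_key):
        self.fetch_key, self.objects = fetch_key, {}
    def put(self, name, data, ref):
        self.objects[name] = (ref, seal(self.fetch_key(ref), data))
    def get(self, name):
        ref, blob = self.objects[name]
        return unseal(self.fetch_key(ref), blob)
```

In the push store the provider cannot read an object unless the caller presents the key again; in the pull store reads need no key from the caller, and the customer cuts the provider off by revoking the grant in their own key manager.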