<p dir="ltr">I'm certainly more interested in the push model, if only to create parity with Azure, AWS and Google. </p>
<p dir="ltr">I suggest we start the BYOK discussions on Wednesday focusing on push. If there's an interest in shifting discussion to the pull model in the Thursday session then I have no objection to that, let the room decide?</p>
<p dir="ltr">Rob</p>
<div class="gmail_quote">On 22 Apr 2016 5:08 p.m., "Fox, Kevin M" <<a href="mailto:Kevin.Fox@pnnl.gov">Kevin.Fox@pnnl.gov</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Oh, I think I understand. Something like:<br>
<br>
You set up your private cloud with a public region ala K2K federation. The other Cloud then shows up as another region in your cloud.<br>
<br>
This would then allow your barbican in one region to be accessible to VMs launched in the public region?<br>
<br>
Kind of a cross region barbican use case?<br>
<br>
Thanks,<br>
Kevin<br>
<br>
________________________________________<br>
From: Douglas Mendizábal [<a href="mailto:douglas.mendizabal@rackspace.com">douglas.mendizabal@rackspace.com</a>]<br>
Sent: Friday, April 22, 2016 2:46 PM<br>
To: <a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
Subject: Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions<br>
<div class="elided-text"><br>
No conflicts with your cross-project session as far as I can tell.<br>
<br>
In a nutshell BYOK-Push is a model where the customer retains full<br>
control of their cryptographic keys.  The customer is expected to<br>
provide the necessary keys each and every time a request is made that<br>
requires some cryptographic operation.  Amazon S3's SSE-C encryption<br>
[1] would be a good example of this model.<br>
<br>
In a BYOK-Pull model, the customer would grant access to their cloud<br>
provider for some key management system inside their private<br>
infrastructure.  For example this model could be used in a hybrid<br>
cloud where the customer has an on-premise barbican that can provide<br>
keys on-demand to the public cloud provider.<br>
<br>
+1 to not spending a lot of time talking about a model that no one is<br>
interested in implementing.  My impression at the last joint<br>
Barbican/OSSP mid-cycle was that most people were interested in the<br>
push model.<br>
<br>
[1] <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html" rel="noreferrer" target="_blank">http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html</a><br>
<br>
On 4/22/16 4:03 PM, Fox, Kevin M wrote:<br>
> Can you please give a little more detail on what it's about?<br>
><br>
> Does this have any overlap with the instance user session:<br>
> <a href="https://www.openstack.org/summit/austin-2016/summit-schedule/events/9485" rel="noreferrer" target="_blank">https://www.openstack.org/summit/austin-2016/summit-schedule/events/9485</a><br>
><br>
>  Thanks, Kevin<br>
><br>
> ------------------------------------------------------------------------<br>
> *From:* Rob C [<a href="mailto:hyakuhei@gmail.com">hyakuhei@gmail.com</a>]<br>
> *Sent:* Friday, April 22, 2016 1:44 PM<br>
> *To:* OpenStack Development Mailing List (not for usage questions)<br>
> *Subject:* Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions<br>
><br>
> So that's one vote for option A and one vote for another vote :)<br>
><br>
> On 22 Apr 2016 4:25 p.m., "Nathan Reller" <<a href="mailto:nathan.s.reller@gmail.com">nathan.s.reller@gmail.com</a>> wrote:<br>
><br>
>> Thoughts?<br>
><br>
> Is anyone interested in the pull model or actually implementing it?<br>
> I say if the answer to that is no then only discuss the push<br>
> model.<br>
><br>
> Note that I am having a talk on BYOK on Tuesday at 11:15. My talk<br>
> will go over provider key management, the push model, and the pull<br>
> model. There are some aspects of design in it that will likely<br>
> interest people. You might want to take the poll after session<br>
> because I'm not sure how many people know what the differences<br>
> are.<br>
><br>
> -Nate<br>
><br>
> __________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></blockquote></div>
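<p>The BYOK-push model described in the thread above, sketched with the S3 SSE-C request headers it cites as its example. This is an added illustration, not code from the thread or from Barbican: <code>MockProvider</code>, <code>ssec_headers</code> and <code>demo</code> are hypothetical names, the keys are constructed samples, and the object encryption step itself is omitted so the focus stays on how the key is supplied and checked on every request.</p>

```python
import base64, hashlib, hmac, os

PREFIX = "x-amz-server-side-encryption-customer-"  # SSE-C request header prefix

def ssec_headers(key: bytes) -> dict:
    """Customer side: headers that carry the key on every single request."""
    if len(key) != 32:
        raise ValueError("SSE-C expects a 256-bit key")
    return {
        PREFIX + "algorithm": "AES256",
        PREFIX + "key": base64.b64encode(key).decode(),
        PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

class MockProvider:
    """Hypothetical provider: keeps a salted HMAC of the key, never the key."""
    def __init__(self):
        self.meta = {}  # object name -> (salt, HMAC of the customer key)

    def _key_from(self, headers: dict) -> bytes:
        if headers.get(PREFIX + "algorithm") != "AES256":
            raise PermissionError("missing or unsupported algorithm")
        key = base64.b64decode(headers.get(PREFIX + "key", ""))
        digest = base64.b64decode(headers.get(PREFIX + "key-MD5", ""))
        # The MD5 is a transport integrity check on the key, not a secret.
        if len(key) != 32 or not hmac.compare_digest(hashlib.md5(key).digest(), digest):
            raise PermissionError("key failed integrity check")
        return key

    def put(self, name: str, headers: dict) -> None:
        key = self._key_from(headers)
        salt = os.urandom(16)
        # Encrypting the object body with `key` would happen here (omitted);
        # after this call returns, the provider no longer holds the key.
        self.meta[name] = (salt, hmac.new(salt, key, hashlib.sha256).digest())

    def get(self, name: str, headers: dict) -> bool:
        key = self._key_from(headers)
        salt, tag = self.meta[name]
        return hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag)

def demo() -> tuple:
    owner_key, other_key = os.urandom(32), os.urandom(32)  # constructed sample keys
    cloud = MockProvider()
    cloud.put("report.pdf", ssec_headers(owner_key))
    return (cloud.get("report.pdf", ssec_headers(owner_key)),
            cloud.get("report.pdf", ssec_headers(other_key)))

if __name__ == "__main__":
    print(demo())
```

<p>In the pull model the same check would instead be a call from the provider to the customer's own key manager, so the trust boundary moves from the request headers to that network path.</p>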