<div dir="ltr">Hi all, <div><br></div><div> I am carefully asking you guys if it is possible to bring the meeting <font face="arial, sans-serif"> ##openstack-threat-analysis forward to 15.00 UTC, or more earlier? Because I am in UTC+8 timezone, always can't attend the OSSG meeting before due to sleepy, but I don't want to miss this meeting although I am not very familiar with the current topic, I want to contribute more here.</font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"> But if you are inconvenient to reschedule the time, I can understand and will keep follow the info from email and community.</font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"> Thanks for your understanding : ) </font></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 7, 2014 at 11:55 PM, Abu Shohel Ahmed <span dir="ltr"><<a href="mailto:ahmed.shohel@ericsson.com" target="_blank">ahmed.shohel@ericsson.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Hi all,</div><div><br></div><div>Yesterday’s OSSG meeting, i promised to give the current status of the activity. </div>
<div>The activity is ongoing. Based on feed back from last IRC call, we have updated the </div><div> Threat Modelling framework. </div><div><br></div><div>The wiki page is updated now..</div><div><a href="https://wiki.openstack.org/wiki/Security/Threat_Analysis" target="_blank">https://wiki.openstack.org/wiki/Security/Threat_Analysis</a></div>
<div><br></div><div>We are almost finishing the analysis for Auth_token middleware, Token manager and token service.</div><div>We looking for reviewer of those documents. There is a meeting </div><div>today at 17.00 GMT in ##openstack-threat-analysis (unofficial channel)</div>
<div><br></div><div><br></div><div>Thanks,</div><div>Shohel</div><div><br></div><div><br></div><div><br></div><div><br></div><div>We are going to have a OpenStack Threat m</div><div><br><br><blockquote type="cite"><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px">
<span style="font-family:'Helvetica';color:rgba(0,0,0,1.0)"><b>From: </b></span><span style="font-family:'Helvetica'">Abu Shohel Ahmed <<a href="mailto:ahmed.shohel@ericsson.com" target="_blank">ahmed.shohel@ericsson.com</a>><br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:'Helvetica';color:rgba(0,0,0,1.0)"><b>Subject: </b></span><span style="font-family:'Helvetica'"><b>Re: [Openstack-security] OpenStack Threat Analysis activity - OSSG</b><br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:'Helvetica';color:rgba(0,0,0,1.0)"><b>Date: </b></span><span style="font-family:'Helvetica'">21 Feb 2014 13:15:08 GMT+2<br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:'Helvetica';color:rgba(0,0,0,1.0)"><b>To: </b></span><span style="font-family:'Helvetica'">"<a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a>" <<a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a>><br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:'Helvetica';color:rgba(0,0,0,1.0)"><b>Cc: </b></span><span style="font-family:'Helvetica'">Sriram Subramanian <<a href="mailto:sriram@sriramhere.com" target="_blank">sriram@sriramhere.com</a>>, "Clark, Robert Graham" <<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>><br>
</span></div><div><div class="h5"><br><div><div style="word-wrap:break-word"><div>Hi guys,</div><div><br></div><div>Sorry for not including the whole OSSG in the initial call. So, we are having an initial call </div><div>
for Threat modelling of OpenStack (first one is Keystone) today, 21 Feb, 17.00 UTC. Let’s</div><div>have the discussion today then decide what time suits us best for later meetings. It is in Free node </div><div>channel ##openstack-threat-analysis (unofficial channel). </div>
<div><br></div><div>Today’s topics of discussion:</div><div> 1. Threat modelling process </div><div> <a href="https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing</a></div>
<div> </div><div> First, we t need to agree on this, so we have conformity around the whole work. Please feel </div><div> free to provide your feedback.</div><div><br></div><div> 2. Some concrete example use of the modelling process </div>
<div> Keystone over all : <a href="https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing</a></div>
<div> Keystone Token-provider: <a href="https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing</a></div>
<div> </div><div> (Now this documents are work in progress work, things are not always in order and complete)</div><div><br></div><div><br></div><div>See you in the meeting,</div><div>Shohel</div><div><br></div>
<div><br></div><div><br></div>
<br><div><div>On 20 Feb 2014, at 20:47, Sriram Subramanian <<a href="mailto:sriram@sriramhere.com" target="_blank">sriram@sriramhere.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">Damn - i missed the meeting again :(. I will check the logs to catch up. Sorry</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 20, 2014 at 10:26 AM, Clark, Robert Graham <span dir="ltr"><<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Including the whole security group as there was significant interest during the OSSG weekly meeting.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Sriram Subramanian [mailto:<a href="mailto:sriram@sriramhere.com" target="_blank">sriram@sriramhere.com</a>] <br>
<b>Sent:</b> 20 February 2014 16:35<br><b>To:</b> Abu Shohel Ahmed<br><b>Cc:</b> Clark, Robert Graham; Grant Murphy; Mats Näslund; Makan Pourzandi<br><b>Subject:</b> Re: OpenStack Threat Analysis activity - OSSG<u></u><u></u></span></p>
</div></div><div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Shohel,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Friday 17.00 UTC works - though 18.00 UTC would work better for me. Are we meeting tomorrow?<u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">thanks,<u></u><u></u></p></div><div><p class="MsoNormal">-Sriram<u></u><u></u></p></div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">
<u></u> <u></u></p><div><p class="MsoNormal">On Wed, Feb 19, 2014 at 4:25 AM, Abu Shohel Ahmed <<a href="mailto:ahmed.shohel@ericsson.com" target="_blank">ahmed.shohel@ericsson.com</a>> wrote:<u></u><u></u></p><blockquote style="border-style:none none none solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi,<br><br>From our last week’s, it becomes clear that we need set up a way of working process in place<br>to take this activity forward.<br><br>So here are some ideas (Please also share yours):<br>
<br>1. WoW:<br><br> In the short time frame,<br><br> - First, We should define the purpose and the concrete output of this work ( which i think, most of us here has some ideas, if we still have question -<br>
we can clear that up before moving forward).<br><br> - Second issue is, how we can do threat analysis contribution in an effective manner. Here comes the collaboration issues within<br> this group. For this, I have created a free node IRC channel ##openstack-threat-analysis ( unofficial channel, as you can see from name).<br>
Lets start biweekly (15 days) meetings from this week. Lets vote for what is the suitable time for meeting for all of us.<br> I propose Friday at 17.00 UTC. However, i am happy to schedule the meeting based on most people preference.<br>
<br> In the longer time frame, we should think about setting up a Threat analysis working group (could be under OSSG) to perform threat modelling of all OpenStack components<br> - Define a clear out from this working group e.g., Threat documentation, Design guidance.<br>
- Engage developers and security minded people to the work.<br><br><br>2. Now on the technical side,<br><br> First and foremost, we should agree on a threat modelling process that can be applied for all OpenStack services and internal components. We have some ideas that<br>
can be applied for this work… Here is the link of our proposal :<br><br> <a href="https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnoMmpPZ3hmUHpBa1k/edit?usp=sharing</a><br>
<br> and here are two concrete implementation of applying the threat modelling process…<br><br> Keystone over all : <a href="https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnobzB6M21uMEFXNUE/edit?usp=sharing</a><br>
Keystone Token-provider: <a href="https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing" target="_blank">https://drive.google.com/file/d/0B1aEVfmQtqnoejN1T1kybjlnMkk/edit?usp=sharing</a><br>
<br> (These are work in progress documents, so by no means provide a complete picture)<br><br> Lets discuss what do you guys think about the Modelling steps and its applicability with OpenStack (e.g., Keystone)<br>
<br><br><br>Thanks,<br>Shohel<br><br><u></u><u></u></p></blockquote></div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <u></u><u></u></p>
<div><p class="MsoNormal">Thanks,<u></u><u></u></p></div><div><p class="MsoNormal">-Sriram<u></u><u></u></p></div></div></div></div></div></div><br>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Thanks,</div><div>-Sriram</div>
</div>
_______________________________________________<br>Openstack-security mailing list<br><a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</blockquote></div><br></div></div></div></div></blockquote></div><br></div><br>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br></div></div>