/srv/irclogs.ubuntu.com/2012/10/18/#juju-dev.txt

davecheneyniemeyer: got a better fix for signing bug00:58
davecheneywill propose in a few minutes00:58
davecheneyniemeyer: did you fix lbox so it doesn't mess up the milestone of a bug ?01:06
davecheneyif so, thank you :)01:06
niemeyerdavecheney: Yo01:08
niemeyerdavecheney: Morning01:08
niemeyerdavecheney: I didn't yet, sorry01:08
davecheneyniemeyer: weird, i wonder why lbox propose didn't screw up the milestone on https://bugs.launchpad.net/juju-core/+bug/106194101:19
davecheneymaybe because it's a different project01:20
niemeyerdavecheney: Perhaps the milestone picking logic is actually right01:48
niemeyerdavecheney: What I did was to deactivate 1.3 a while ago01:48
davecheney\o/ !01:48
niemeyerdavecheney: Bed time here02:34
niemeyerdavecheney: Have a good time02:34
* niemeyer => zzzzzZZZ02:34
wrtpfwereade__: morning07:28
fwereade__wrtp, heyhey07:32
wrtpdavecheney: hiya09:17
wrtpdavecheney: if you have a moment, this evening, it would be great if you could try to provoke that test failure - i'd like to get that CL submitted.09:18
davecheneywrtp: that is the thing09:23
davecheneythe test never fails09:23
wrtpdavecheney: have you tried raising the iteration count?09:23
wrtpdavecheney: (did you see my reply BTW?)09:23
davecheneyi think i may not have09:24
davecheneybasically i reveted state.go09:24
davecheneyand the test still passed09:24
davecheneyso, what is the test testing ?09:24
wrtpdavecheney: i only replied an hour ago09:24
wrtpdavecheney: it's testing a race condition09:24
wrtpdavecheney: read my reply for details09:24
davecheneyok, i'll go upstairs and read it09:24
wrtpdavecheney: ta09:25
fwereade__guys, I need to take a somewhat extended lunch; https://codereview.appspot.com/6734046 is pretty trivial if anyone is bored ;p09:45
wrtpfwereade__: reviewed09:51
Arammoin.10:20
wrtpAram: hiya10:29
wrtpthis fails for me.go test labix.org/v2/mgo12:22
wrtpcould someone else try it, and let me know if the test passes, please.12:23
Aramone min\12:23
wrtpAram: thanks12:23
Aramwrtp: failed12:24
wrtpAram: thanks12:24
Aramwrtp: I remember now, actually.12:25
Aramit never passed for me12:25
AramI remember that error from when I started using mgo12:25
Aramit never worked right here12:25
wrtpAram: it's strange because it looks like that js is ok12:25
wrtpAram: that is, i can't see how rs1a could be undefined.12:25
wrtpAram: ah, i see12:26
Aramyeah12:27
wrtpAram: maybe the server ports have changed or something12:27
Aramwhat momgodb version do you have?12:27
Aramthis is 2.0.412:27
wrtpAram: the one we're using in ec2, i think12:27
wrtpAram: 2.2.012:28
wrtpAram: hmm, i think it might be failing because i don't have a "supervisorctl" command12:31
wrtp(whatever that's supposed to do)12:31
Aramyeah, I don't have that either12:32
wrtpAram: hmm, that doesn't seem to have fixed it12:34
niemeyerMoooorning12:57
fwereade__niemeyer, heyhey13:01
wrtpniemeyer: yo!13:07
wrtpniemeyer: any hints as to how i can get mgo tests passing? it seems like it's something to do with supervisord (which wasn't installed), but i've failed to get it working even when it is.13:08
niemeyerwrtp: You have to run make startdb13:09
wrtpniemeyer: ah!13:09
niemeyerwrtp: It sets up the 12 servers, etc13:09
niemeyerwrtp: It doesn't restart them across runs13:09
wrtpniemeyer: right - i see now. that was not so obvious :-)13:10
niemeyerwrtp: Anything you think is broken there?13:14
wrtpniemeyer: i just wanted to check that i could connect to mongodb with Go's TLS, so i made some changes to allow that and wanted to verify that everything was still working13:15
wrtpniemeyer: i do get one test failure, even after running startdb, BTW13:15
niemeyerwrtp: I will work on that on my own time13:15
wrtpniemeyer: it looks like session.DatabaseNames doesn't always return the names in sorted order13:15
wrtpniemeyer: ok. you don't want to accept it as a contribution?13:15
niemeyerwrtp: Is juju distributing TLS certificates properly?  I'll happily take that as a contribution. :-)13:16
wrtpniemeyer: i need to talk with you about that13:16
wrtpniemeyer: i didn't want to build an implementation without deciding what to do first13:17
niemeyerwrtp: Understood.. the point is that I'm happy to use my own time to work on mgo as I've been doing since day one. We don't have to spend our time to do that.13:17
wrtpniemeyer: that's ok.13:17
wrtpniemeyer: it was only 10 minutes' work13:17
niemeyerwrtp: Cool, but it wouldn't be to implement it properly13:18
wrtpniemeyer: no? it's true i'm probably unaware of the subtleties13:18
wrtpniemeyer: i thought something like this was probably sufficient: http://paste.ubuntu.com/1286877/13:19
niemeyerwrtp: Quite possibly13:24
niemeyerwrtp: That's what Dave suggested too13:24
wrtpniemeyer: here's my half-baked plan for key distribution BTW: http://paste.ubuntu.com/1286895/13:27
niemeyerfwereade__: I think there was some misunderstanding on the Cleanup review13:33
niemeyerfwereade__: But perhaps it's for the best13:33
fwereade__niemeyer, oh, sorry, perhaps there was13:34
fwereade__niemeyer, what did I miss?13:34
niemeyerfwereade__: The suggestion was to run RemoveAll, but not to scan through all documents pending of cleanups at once13:34
fwereade__niemeyer, yes -- that changed because it appeared to make the code simpler, and I couldn't think of a serious drawback...13:35
fwereade__niemeyer, given that I was looping until I found a valid cleanup doc *anyway*, I thought it was easier to just keep on looping :)13:36
wrtpi've got to reboot. back in a mo.13:36
niemeyerfwereade__: It may only load the system at once a bit more, but it sounds worth trying13:36
fwereade__niemeyer, yeah, it seemed to follow the spirit of your other suggestions :)13:36
niemeyerfwereade__: I think the cleanups doc is fine to be deleted out of a transaction too, btw13:37
fwereade__niemeyer, I thought "better safe than sorry" there, on the basis that it's a new feature whose context is yet to be completely determined13:38
niemeyerfwereade__: We did its intended action before getting there, and the action is idempotent, so any mixup should be fine13:38
fwereade__niemeyer, true enough, happy to change13:39
niemeyerfwereade__: For clarity, the dangers we can incur by not using a transaction, in that specific case, is seeing the change being done again13:40
niemeyerfwereade__: Because if the transaction failed on the insert side before being finished, someone else will attempt to apply the transaction again, and may end up reinserting the doc13:41
niemeyerfwereade__: After that transaction is finished, that doc is never seen in a transaction again13:41
niemeyerfwereade__: So the worst that can happen is Cleanup running the same cleanup twice, which is not a big deal due to its nature13:42
niemeyerfwereade__: I suspect that will be true in general for cleanups13:42
fwereade__niemeyer, hope so :)13:42
niemeyerfwereade__: If you want me, I'll be in my bunker13:43
fwereade__haha13:43
wrtpniemeyer: any thoughts on my key distribution sketch above?13:44
niemeyerwrtp: I started reviewing a branch before you posted, and I haven't yet finished13:45
wrtpniemeyer: ok, np13:45
wrtpniemeyer: i wasn't sure you noticed the paste.13:46
niemeyerfwereade__: LGTM, thanks a lot for the rounds13:47
niemeyerwrtp: np13:47
niemeyerwrtp: SO..13:47
=== wrtp is now known as rogpeppe
rogpeppeniemeyer: so...13:47
niemeyerrogpeppe: We don't need --sslOnNormalPorts.. we don't even use normal ports13:47
rogpeppeniemeyer: ok. that just came from a web page. i'm not fully cognizant of the implications of all the mongod flags :-)13:48
rogpeppeniemeyer: (i thought perhaps it might allow non-ssl connections without that flag)13:49
niemeyerrogpeppe: We want --ssl, I think13:50
niemeyerrogpeppe: I don't have a lot of experience with ssl on mongo myself, to be honest13:50
niemeyerrogpeppe: 10gen plays a trick I don't find so nice13:50
rogpeppeniemeyer: i was going from this page: http://docs.mongodb.org/manual/administration/ssl/13:50
niemeyerrogpeppe: Their own packages don't have ssl built-in.. you have to pay for a subscription13:51
rogpeppeniemeyer: yeah, that's why you had to do your own build, right?13:51
niemeyerAll things considered, I guess it's a fine way to stay in business, though13:51
niemeyerrogpeppe: Yeah13:51
rogpeppeniemeyer: if people can't be bothered to do a build, then it's their problem i guess.13:52
rogpeppeniemeyer: (you didn't have that easy a time of it AFAIR though!)13:52
niemeyerHmm.. "Add the “ssl=True” parameter to a PyMongo".. I'll have to investigate what's the standard way drivers are handling that13:52
niemeyer"mongodb://localhost/?ssl=true&sslverifycertificate=false"13:53
niemeyerinteresting..13:53
niemeyerAnyway, sorry, derail13:53
niemeyerrogpeppe: Only because it takes forever.. otherwise it was somewhat okay13:54
niemeyerrogpeppe: in your sketch, I'm not entirely sure of what lines 12-15 mean13:54
rogpeppeniemeyer: we've got to make the public key available somewhere outside of the state, right?13:55
rogpeppeniemeyer: and the server itself must generate the public key, i think13:55
niemeyerrogpeppe: Well, we can only generate the public key by generating the pair13:55
rogpeppeniemeyer: exactly13:56
niemeyerrogpeppe: I'm not sure we want to do that at the server side, though13:56
niemeyerrogpeppe: It means the client has to trust the server blindly, at least once13:56
rogpeppeniemeyer: and we don't want to make the private key available in cloudinit13:56
rogpeppeniemeyer: there's another way around that, i think, which is orthogonal to this13:56
rogpeppeniemeyer: which is to have a client-specified value that's put into the state.13:57
niemeyerrogpeppe: That's a bit related to that conversation we had the other day regarding push vs. pull13:57
niemeyerrogpeppe: Erm.. sorry13:57
niemeyerrogpeppe: That was confusng13:57
niemeyerrogpeppe: The conversation regarding bootstrapping via ssh rather than via cloud-init13:58
rogpeppeniemeyer: i remember the conversation13:58
niemeyerrogpeppe: Or perhaps via both, but pushing the changes via ssh13:58
rogpeppeniemeyer: don't we have the same problem there. we must trust the server blindly the first time.13:58
niemeyerrogpeppe: Let me look at how we bootstrap today for a sec.. just a moment13:58
niemeyerrogpeppe: Okay14:01
niemeyerrogpeppe: I guess the problem we have is pretty much the same as the problem we just solved with the password14:02
rogpeppeniemeyer: if we could write to environments.yaml, our problem would be simpler14:02
niemeyerrogpeppe: Seems like a red-herring14:03
niemeyerrogpeppe: How did we solve the problem of initializing the password?14:03
rogpeppeniemeyer: we changed it14:04
niemeyerrogpeppe: Yep14:04
rogpeppeniemeyer: but if the password is specified in environments.yaml, we can't do that.14:04
niemeyerrogpeppe: Hmm.. I lost you14:04
niemeyerrogpeppe: The password *is* specified in environments.yaml, and we do that14:05
niemeyerrogpeppe: environments.yaml seems like a red-herring14:05
rogpeppeniemeyer: perhaps i'm misunderstanding you. the password in environments.yaml is so we can authenticate ourselves to the server. what we're trying to do here is authenticate the server to the client, no?14:05
niemeyerrogpeppe: The problem we have is exactly the same.. we have a private key that we want the server to hold without exposing to everybody that can read cloud-init14:06
rogpeppeniemeyer: ok... so who generates the private key?14:07
niemeyerrogpeppe: We do14:07
niemeyerrogpeppe: The client14:07
rogpeppeniemeyer: how does that help?14:07
rogpeppeniemeyer: i suppose it means we don't have to wait for the public key to become available14:08
niemeyerrogpeppe: It's the only way for the client to be able to tell it's talking to the right server14:08
rogpeppeniemeyer: i don't see how it helps14:08
niemeyerrogpeppe: Hmm.. expand?14:08
rogpeppeniemeyer: when we connect for the first time after bootstrap, how do we tell if we're talking to the right server?14:09
niemeyerrogpeppe: When you connect to your bank in your browser, how can your browser tell it is talking to the right endpoint?14:09
niemeyerrogpeppe: (or at least hope so ;)14:10
rogpeppeniemeyer: because your browser has stored a public key of the bank.14:10
niemeyerrogpeppe: Almost, but close enough14:10
rogpeppeniemeyer: so where do we store the public key that we generate at bootstrap time?14:11
rogpeppeniemeyer: ah, i suppose we can use our local key to sign a certificate for the server14:11
rogpeppeniemeyer: and then use our local key as the root CA14:11
rogpeppeniemeyer: i'm not sure that works though14:12
rogpeppeniemeyer: hmm, maybe.14:13
niemeyerrogpeppe: Why?14:13
rogpeppeniemeyer: i guess we'd need another field in environments.yaml14:15
rogpeppeniemeyer: to hold the original signer's certificate14:15
rogpeppeniemeyer: we could overload authorized-keys, i suppose14:15
niemeyerrogpeppe: Uh.. why the obsession about environments.yaml?14:16
niemeyerrogpeppe: and how's authorized-keys related to the problem?14:16
niemeyerrogpeppe: This is the ssh key, and it works well14:16
niemeyerrogpeppe: No need to fiddle there14:16
rogpeppe[15:09:02] <rogpeppe> niemeyer: when we connect for the first time after bootstrap, how do we tell if we're talking to the right server?14:17
niemeyer<niemeyer> rogpeppe: environments.yaml seems like a red-herring14:17
niemeyer:)14:17
rogpeppe:-)14:17
rogpeppeniemeyer: i'm not sure how to answer my question above14:17
niemeyerrogpeppe: You've already answered it?14:17
rogpeppeniemeyer: my answer only works if we know what key signed the server's cert14:18
niemeyerrogpeppe: Of half of it, anyway14:18
rogpeppeniemeyer: and that's something that needs to be specified in environments.yaml AFAICS14:18
niemeyerrogpeppe: Exactly, that's what we're handing off the key to the server14:18
niemeyers/what/why14:18
niemeyerrogpeppe: lOL14:18
niemeyerrogpeppe: We can do whatever we want.. yes, it may be in environments.yaml, it may be in ~/.juju/envname.cert, or whatever14:19
rogpeppeniemeyer: ok, so we've handed off the key to the server. now we connect again, and the server presents a certificate. how do we tell if that certificate is valid?14:19
rogpeppeniemeyer: ok, sorry. i was using environments.yaml as a place-holder for "somewhere with client configuration information". of course it could be stored elsewhere too.14:21
niemeyerrogpeppe: You've already answered it:14:21
niemeyer<rogpeppe> niemeyer: ah, i suppose we can use our local key to sign a certificate for the server14:21
niemeyer<rogpeppe> niemeyer: and then use our local key as the root CA14:21
rogpeppeniemeyer: the reason for the possible authorized-keys possible-red-herring is that we already have a local key, which we use to connect with SSH. we could use that very same key to sign the initial certificate.14:22
rogpeppeniemeyer: rather than requiring everyone to generate another key just for juju14:22
niemeyerrogpeppe: Nope.. different worlds14:23
rogpeppeniemeyer: ok14:23
rogpeppeniemeyer: so... in this proposed world, we have our own key distribution problem at the client side.14:24
rogpeppeniemeyer: everyone that needs to bootstrap an environment must have a private key signed by the root key14:24
niemeyerrogpeppe: This seems to put a simple problem in somewhat of a dark perspective14:25
niemeyerrogpeppe: I'd put it more lightly as14:26
niemeyerrogpeppe: When we bootstrap, we sign the key we hand off to the server14:26
rogpeppeniemeyer: i suppose i'm slightly concerned at the change in juju usage implied here. before, you could just bootstrap anywhere, and connect to the environment from any other place as long as you had an authorized ssh key.14:28
niemeyerrogpeppe: That feels like an entirely different context than the one we're talking about14:29
rogpeppeniemeyer: now you can only bootstrap if you've got a private key that is derived from the root key.14:29
rogpeppeniemeyer: (the root key being the one mentioned in the other environments.yaml files, so that they can connect)14:29
niemeyerrogpeppe: Sorry, I think either you see something I don't, or you're creating a picture that I'm not perceiving14:30
niemeyerrogpeppe: Generate key, sign, send to server, profit..14:30
niemeyerrogpeppe: Where's the pain coming from?14:30
rogpeppeniemeyer: connecting again14:31
niemeyerrogpeppe: yes?14:31
rogpeppeniemeyer: if i'm connecting from a different host, i've got to verify that the bootstrapped environment's key was signed by the original key14:32
rogpeppeniemeyer: so i need to know about the original key14:32
niemeyerrogpeppe: Yes you do need to know about the server certificate if you want to validate the server is who we think it is14:32
niemeyerrogpeppe: That's called authentication14:32
niemeyerrogpeppe: Something we conveniently ignore right now14:33
rogpeppeniemeyer: we're actually verifying the client that did the bootstrap in this case.14:33
rogpeppei think14:33
niemeyerrogpeppe: ?14:33
rogpeppeniemeyer: that's where the chain of trust starts14:34
rogpeppeniemeyer: which seems good, actually.14:34
rogpeppeniemeyer: hmm, i guess we'll have to issue the initial certficate with a very limited lifespan.14:38
rogpeppeniemeyer: no that doesn't work14:38
rogpeppeniemeyer: i'm not sure how we'll do the interaction to sign the new key when first connecting to the state.14:39
niemeyerrogpeppe: We can create a temporary cert to sign the trashed private key14:40
rogpeppeniemeyer: the server does that?14:41
niemeyerrogpeppe: We cannot create the certificate in the server because then we cannot talk to the server and know we're talking to the right server14:41
rogpeppeniemeyer: perhaps we need to run a little server that the client connects to, reads the new public key from the server, and sends back a signed cert14:41
rogpeppeniemeyer: indeed14:42
rogpeppeniemeyer: but we can (and should) generate a new private key on the server, and get that signed14:42
niemeyerrogpeppe: We can generate the private key on the client and sign it on the client where we have the certificate14:43
rogpeppeniemeyer: how do we send it to the server?14:44
rogpeppeniemeyer: we could put it in the state, i guess, but that seems wrong to me14:45
niemeyerrogpeppe: Why?14:47
rogpeppeniemeyer: for the same reason we don't put admin-password in the state14:48
niemeyerrogpeppe: One of the reasons we don't put it in the state is because nobody needs it14:49
rogpeppeniemeyer: i thought it was a security issue too - we don't want anyone with access to the state to be able to impersonate the state server.14:51
rogpeppes/thought it was/think it might be/14:51
rogpeppeniemeyer: of course, they can only do that if they subvert DNS too14:52
niemeyerrogpeppe: Give me access to the state without a private key, and I'll dig the key out of the state server in a short while14:53
rogpeppeniemeyer: that's true of all our passwords too, of course. (with the exception of admin-password itself)14:53
niemeyerrogpeppe: No, you cannot figure the password actually, but that's a derail14:54
niemeyerrogpeppe: The points are:14:55
niemeyer1) We're consciously not handling authorization anywhere yet14:56
niemeyer2) Anyone with access to the state *today* can do whatever they want14:56
niemeyer3) That includes getting access to the state server14:56
niemeyer4) We're walking towards having a true API that manages authorization14:56
niemeyer5) With authorization, we can prevent people from having access to things they shouldn't14:57
niemeyer6) Even in the future, anyone that gets access to a state server *database* will have the private key for the server anyway, no matter if the key sits within the state or not14:57
niemeyerThat's it, I think14:58
rogpeppeniemeyer: i suppose it just *feels* more secure to have the server generate its own private key. but you're probably right that it's unnecessary.14:59
niemeyerrogpeppe: Well, I won't argue about that. If you know why it's more secure I'd be interested though.15:00
rogpeppeniemeyer: it means we're not leveraging future security on current security so much. once a state server has obtained an identity, it can keep it, knowing that no-one else has its private key. that said, i can't think of any attacks in particular that this enables.15:02
niemeyerrogpeppe: Yeah, I don't see where the "more secure" bits went in15:03
niemeyerrogpeppe: And I see a bunch of issues to solve, such as how to distribute keys to replica sets, and how to ensure the key isn't lost15:04
wrtphmm, don't know why i was kicked of then15:08
wrtpniemeyer: last thing i saw: [16:04:15] <niemeyer> rogpeppe: And I see a bunch of issues to solve, such as how to distribute keys to replica sets, and how to ensure the key isn't lost15:08
wrtpoff15:08
niemeyerwrtp: Yeah, that was it15:08
wrtpniemeyer: what was the last thing you saw me say?15:08
niemeyerwrtp: Nothing after that15:09
wrtp16:06:29] <rogpeppe> niemeyer: here's a thought: is it actually possible to change the server's key after it has started running?15:09
wrtp[16:06:52] <rogpeppe> niemeyer: or will we need to shut down mongod and restart it pointing to the new private key15:09
wrtp?15:09
niemeyerwrtp: Short term, I suppose we have to restart it15:11
wrtpniemeyer: and there's another issue too - how do we ensure that the original certificate (in cloud-init) isn't valid forever, while ensuring we can connect an arbitrary time after bootstrap15:12
wrtp?15:12
niemeyerOct 18 11:40:53 <niemeyer>      rogpeppe: We can create a temporary cert to sign the trashed private key15:12
wrtpniemeyer: i'm not sure quite what you mean by that15:12
niemeyerwrtp: Temporary cert?15:12
niemeyerwrtp: What part?15:12
wrtpniemeyer: yeah15:13
niemeyerwrtp: Sorry, can you explain what you don';t understand?15:13
wrtpniemeyer: do you mean a certificate with a short expiry time?15:13
niemeyerwrtp: No.. I mean creating a certificate that is itself temporary15:13
wrtpniemeyer: i'm not sure what that means15:14
wrtpniemeyer: stored temporarily?15:14
niemeyerwrtp: I don't know how to explain that more simply15:14
niemeyerwrtp: Yes15:14
wrtpniemeyer: but the cert is in the cloud-init data; how can it be stored only temporarily?15:15
niemeyerwrtp: No, the cert is local15:15
niemeyerwrtp: priv and pub keys are in cloud-init15:15
wrtpniemeyer: don't we need to pass a cert in the cloud-init too?15:16
wrtpniemeyer: because we need to sign it with the client's private key15:16
niemeyerwrtp: Hm?15:17
wrtpniemeyer: isn't that the basis of our security here?15:17
wrtpniemeyer: how else do we know that the certificate is valid when we're connecting to the state?15:17
niemeyerwrtp: Because we have the certificate with which the private key was signed15:18
niemeyerErm15:18
niemeyerThe public key15:18
wrtpniemeyer: the server has that certificate?15:18
niemeyerwrtp: Not necessarily, although we should probably send the public part of it as a sensible thing to do15:18
niemeyerwrtp: That's not what the security is based on, though15:19
wrtpniemeyer: oh, i *think* i start tosee.15:19
wrtpto see15:19
niemeyerwrtp: A private key is used to sign stuff, and to encrypt stuff for people to have the public key15:19
wrtpniemeyer: i know that.15:20
niemeyerwrtp: A public key is signed by a private part of the certificate so that people holding the public part of the certificate can attest that whoever handed off the public key was signed by the private part of the certificate15:21
wrtpniemeyer: i do know how pk auth works, i think15:21
niemeyerwrtp: My apologies, but that's exactly what I've been explaining15:22
wrtpniemeyer: i'm just not entirely sure what configuration you envisage here15:22
wrtpniemeyer: i think i might see. i was thinking that the private key would be generated at bootstrap time.15:22
niemeyerwrtp: and it will15:23
niemeyerOct 18 11:30:45 <niemeyer>      rogpeppe: Generate key, sign, send to server, profit..15:26
wrtpniemeyer: (sorry, i'm feeling particularly dense today)15:26
wrtpniemeyer: i thought that the server side of the TLS connection needed the signed certificate15:27
niemeyerwrtp: The server side needs a public key signed by the local certificate and a private key15:30
wrtpniemeyer: hmm, that's what i thought15:31
wrtpniemeyer: so that {public key signed by the local certificate} must go into the cloud-init data, right?15:31
niemeyerwrtp: The server side needs a public key signed by the local certificate and a private key15:31
niemeyerwrtp: Both need to go15:31
wrtpniemeyer: yeah, sure, the private key too15:32
wrtphow does that tally with this: [16:15:22] <niemeyer> wrtp: No, the cert is local15:32
niemeyerwrtp: "signed by the local certificate"?15:33
wrtpniemeyer: isn't a public key signed by the local certificate a certificate itself?15:33
wrtpniemeyer: i'm probably getting my terminology wrong, sorry.15:34
niemeyerwrtp: It can be if its respective private key is used to sign something else.. but I don't think that matters/15:34
niemeyer?15:34
wrtpniemeyer: (i was thinking that certificates can't sign things, only private keys can)15:34
niemeyerniemeyer> wrtp: A public key is signed by a private part of the certificate so that people holding the public part of the certificate can attest that whoever handed off the public key was signed by the private part of the certificate15:34
wrtpniemeyer: private-part-of-certficate == private-key, no?15:35
wrtpgah!15:35
niemeyerwrtp: I suggest reading a bit about PKI..15:36
wrtpniemeyer: i have read a certain amount, but obviously not the right bits...15:37
niemeyerwrtp: http://www.openssl.org/docs/HOWTO/certificates.txt15:38
wrtpniemeyer: that seems to agree with what i thought15:39
wrtpniemeyer: i.e. the private key is not part of the cert15:40
niemeyerwrtp: I'm sure.. we're debating this for ages just because we all understand things and are in deep agreement :)15:40
wrtpniemeyer: i'm sorry. but part of my confusion here is about terminology. when you say "public key signed by the local certificate", i find it confusing, because a certificate can't sign things.15:42
wrtpniemeyer: so i'm *trying* to get around to asking how we can limit the lifetime of the certificate we send to the server in the cloud-init data.15:43
wrtpniemeyer: i'm sorry we seem to be having difficulty here.15:44
niemeyerwrtp: Do you understand what a root certificate is?15:45
wrtpniemeyer: i believe so15:45
niemeyerwrtp: Okay.. what does it do?15:46
wrtpniemeyer: it verifies that some root private key has some attributes15:47
niemeyerwrtp: Hmm.. no..15:47
niemeyerwrtp: It signs things15:47
niemeyerwrtp: and there is both a private part of it, and a public part of it15:47
wrtpniemeyer: the public part of it *is* the certificate, i believe15:48
wrtpniemeyer: the private key is just a private key, that can be used to sign any number of certs15:48
niemeyerwrtp: Nope.. it's a pair15:48
wrtpniemeyer: if i want to sign a certificate request, i can use this command:15:49
wrtpopenssl x509 -req -days 10000 -signkey $keyfile -out $certfile -in $reqfile15:49
wrtpniemeyer: that produces a certficate signed by the specified key file.15:49
wrtpniemeyer: there's no inherent pairing15:50
niemeyerwrtp: There all those fancy names, but in the end it's good old asymmetric crypto15:50
wrtpniemeyer: indeed15:50
wrtpniemeyer: the different thing about a root cert, i suppose, is that it's self-signed.15:50
niemeyerwrtp: So, you use the private part of the key pair that some call certificate, some call whatever they want, to sign things15:53
wrtpniemeyer: yup15:53
niemeyerwrtp: The root CA is the public part of it15:54
wrtpniemeyer: yup15:54
niemeyerwrtp: The thing we see and can check15:54
wrtpniemeyer: yup. but we also need to check the intermediate certificate too, right?15:54
niemeyerwrtp: The private part of the root CA is what signs the public keys we use in the server that you can also call certificate if you want15:54
niemeyerwrtp: If there is an intermediate certificate, yes15:55
niemeyerwrtp: Then the private key of the root CA signed the public key of the intermediate certificate, and the private key of the intermediate certificate signs the server public key or public certificate if you please15:55
wrtpniemeyer: in this case, there must be an intermediate certificate AFAICS because we don't send the root certificate to the cloud15:55
wrtpniemeyer: ok, in that sense we probably won't have an intermediate certificate. it's that last bit i'm talking about.15:57
niemeyerwrtp: The two last sentences contradict each other15:57
wrtpniemeyer: i realised that i meant a different thing to you by "intermediate certificate"15:58
wrtpniemeyer: hence "in that sense"15:58
niemeyerwrtp: Intermediate certificate in general is unambiguous15:58
wrtpniemeyer: in this case AFAICS, we've got two certificates in the first instance: the root cert and the cert that we give to the bootstrap instance.15:59
niemeyerhttp://en.wikipedia.org/wiki/Intermediate_certificate_authorities15:59
niemeyerwrtp: Yes15:59
wrtpniemeyer: so the latter cert goes in the cloud-init data, right?16:00
niemeyerwrtp: Yes, we have to send the private key and the public key for the server in cloud-init16:01
wrtpniemeyer: it's more than just the public key - it's the *certificate* (which includes expiry time, possible server name etc) too, right?16:02
niemeyerwrtp: We can call it shit if you want..16:02
niemeyerwrtp: Sorry.. I'm getting slightly tired by now16:02
wrtpniemeyer: i'm sorry, that's a big difference16:02
wrtpniemeyer: because a certificate is valid for a while16:03
wrtpniemeyer: so even if we change the private key, that certificate will still be valid16:03
wrtpniemeyer: so we *could* make the expiry time short16:03
wrtpniemeyer: but that would mean that if we didn't connect soon after bootstrap, then it'll expire and we'll lose access to our newly bootstrapped state16:03
niemeyerwrtp: I suggest we use a temporary certificate to sign the key instead, but you already knew that 1.5h ago16:04
wrtpniemeyer: who signs the temporary cert?16:04
niemeyerwrtp: Nobody.. the temporary CA cert is the thing that sings the server cert16:04
wrtpniemeyer: ah... so you're suggesting making a temporary root certificate when bootstrapping?16:05
wrtpniemeyer: and storing that somewhere on the client's machine16:05
niemeyerwrtp: http://en.wikipedia.org/wiki/Public_key_certificate16:05
niemeyerwrtp: Yes16:07
wrtpniemeyer: okaaay16:07
wrtpniemeyer: that's what i was trying to get at by saying (ages ago) that it would be nice if we could write to environments.yaml.16:08
niemeyerwrtp: ROTFL16:08
niemeyerwrtp: Sorry.. this is getting somewhat sad :)16:09
niemeyerwrtp: I'll step out for lunch16:09
wrtpniemeyer: enjoy. sorry for my obtuseness.16:10
TheMueso, CL simplified and re-proposed. time to step out for dinner.16:42
wrtpniemeyer: this how i understand the current state of affairs (slightly simplified): http://paste.ubuntu.com/1287249/16:46
wrtpniemeyer: s/current state of affairs/currently proposed scheme/16:46
wrtpniemeyer: the simplification is that i'm not sure it's particularly useful to generate a certificate on the client side; all we need to verify is the public key of the server, so it can generate its own certificate.16:50
wrtps/certificate/temporary certificate/16:51
wrtpniemeyer: for the record that page above (http://en.wikipedia.org/wiki/Public_key_certificate) contains nothing that implies that a certificate has a private part, or can be used to sign things. i believe my confusion was understandable.16:56
niemeyerwrtp: It contains the fact that a certificate has *the public key* signed by *the CA*, but I really don't want to discuss this anymore17:21
niemeyerwrtp: If you think it doesn't have a private counterpart, I won't force you into understanding it17:22
wrtpniemeyer: me neither. i'm hoping that my paste above will move things forward.17:22
wrtpniemeyer: (of course it has a private counterpart, the signer, but that's not part of the certificate)17:23
niemeyerwrtp: "contains nothing that implies that a certificate has a private part"17:23
wrtpniemeyer: it's not a part of the certificate. anyway, moving on.17:23
niemeyerwrtp: Changing the point until it becomes reasonable makes for a very painful conversation17:24
wrtpniemeyer: a certificate contains no private data!17:24
niemeyer<niemeyer> wrtp: "contains nothing that implies that a certificate has a private part"17:24
niemeyerwrtp: That's what you said17:24
niemeyerwrtp: That's what I responded to17:24
wrtpniemeyer: counterpart != part17:24
niemeyerwrtp: For my own sanity I'll stop talking for the moment17:25
wrtpniemeyer: ok17:25
wrtpniemeyer: i'm sorry this is difficult. i don't mean to be awkward, but when we're talking about this stuff, it helps to have some agreed terminology.17:26
wrtpniemeyer: we should have moved to G+ hours ago17:26
wrtpniemeyer: i'd very much like some reaction to my proposal above, as i plan to start implementing it tomorrow morning, if it looks ok.17:29
niemeyerwrtp: Will check17:29
niemeyerwrtp:17:33
niemeyeron initial server:17:33
niemeyerget tempKey from cloud-init data17:33
niemeyertempCert = generate a self-signed certificate using tempKey17:33
wrtpniemeyer: is that bad?17:34
niemeyerwrtp: Just send the key/cert signed by the temporary local CA for the server to use17:35
wrtpniemeyer: what's the point of generating two keys when one will do?17:35
wrtpniemeyer: (i'm perfectly willing to accept that there may be a good reason, but i couldn't think of one)17:37
niemeyerwrtp: What are you going to put on the root CA field?17:38
wrtpniemeyer: the certificate itself.17:38
wrtpniemeyer: sorry, the temporary key itself17:38
wrtpniemeyer: it's self-signed17:39
niemeyerwrtp: Bingo.. it's a certificate, not a private key17:39
wrtpniemeyer: the server can generate its own certificate17:39
wrtpniemeyer: i don't *think* the server needs to share a CA with the client, but i may be wrong.17:39
niemeyerwrtp: Why are you generating the same certificate twice?17:40
wrtpniemeyer: we only generate it once17:40
wrtpniemeyer: on the server.17:40
wrtpniemeyer: the client just generates the private/public key pair17:40
niemeyerwrtp: and what do you put on the local root CA field?17:40
wrtpniemeyer: we don't need one17:41
niemeyerwrtp: Argh17:41
niemeyerwrtp: It's been three hours, and we're still stumbling upon basics of PKI17:41
wrtpniemeyer: we can do TLS authentication with no CAs17:41
niemeyerwrtp: Gosh17:41
wrtpniemeyer: i have Go code that does that, in fact.17:42
niemeyerwrtp: Okay, please teach me about how that works17:42
wrtpniemeyer: we use the usual diffie-hellman key exchange, which verifies the public key at the other end17:43
wrtpniemeyer: then we check that public key matches the one we expect17:43
niemeyerwrtp:17:44
niemeyer    // RootCAs defines the set of root certificate authorities17:44
niemeyer    // that clients use when verifying server certificates.17:44
niemeyer    // If RootCAs is nil, TLS uses the host's root CA set.17:44
niemeyer    RootCAs *x509.CertPool17:44
niemeyerwrtp: That's in the tls.Config type17:44
wrtpniemeyer: yes17:44
wrtpniemeyer: it's optional.17:44
niemeyerwrtp: What do you suggest we do with this?17:44
wrtpniemeyer: it'll work with an empty cert pool17:44
niemeyerwrtp: Yes, and what happens if you don't use it?17:44
niemeyerwrtp: What happens in that case?17:44
niemeyerwrtp: (hint: it's in the comment)17:45
wrtpniemeyer: you don't verify that the certificate is signed17:45
wrtpniemeyer: however...17:45
niemeyerwrtp: Wrong17:45
wrtpniemeyer: you can easily check the exact certificate17:45
niemeyerwrtp: It uses the host CA pool17:45
niemeyerwrtp: Which contains root CAs, which the key is not signed against17:45
wrtpniemeyer: you can use the ConnectonState method to find out the public key at the other end17:46
niemeyerwrtp: There are many things we could do, but that's not what we'll do. What we'll do is use plain and well known SSL, as intended.17:46
wrtpniemeyer: ok. it seems a bit unnecessary (checking the public key directly is just as strong), but fair enough.17:47
niemeyerwrtp: Sorry, I'll stop discussing that now. Let's talk next week.17:47
wrtpniemeyer: ok17:47
wrtpniemeyer: assuming we generate a certificate too, does the rest look ok?17:47
niemeyerwrtp: I really mean it, sorry about that. We've been discussing this for about 3h without progress. Next week we talk live with a whiteboard and sort it out.17:49
wrtpniemeyer: ok17:49
wrtp:-(17:50
niemeyerwrtp: I suggest picking stuff you'd enjoy working on tomorrow as a brain break17:50
wrtpniemeyer: i was thinking *this* might be quite fun :-)17:52
wrtpniemeyer: for the record: http://paste.ubuntu.com/1287384/18:05
wrtpi'm done for the evening18:05
wrtpnight all18:05
niemeyerwrtp: Have a good evening18:05
wrtpniemeyer: and you. v sorry about the wasted time this afternoon.18:05
niemeyerwrtp: All good, next week will be a lot easier18:05
wrtpniemeyer: indeed18:05
=== davechen1y is now known as davecheney

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!