davecheney | niemeyer: got a better fix for signing bug | 00:58 |
---|---|---|
davecheney | will propose in a few minutes | 00:58 |
davecheney | niemeyer: did you fix lbox so it doesn't mess up the milestone of a bug ? | 01:06 |
davecheney | if so, thank you :) | 01:06 |
niemeyer | davecheney: Yo | 01:08 |
niemeyer | davecheney: Morning | 01:08 |
niemeyer | davecheney: I didn't yet, sorry | 01:08 |
davecheney | niemeyer: weird, i wonder why lbox propose didn't screw up the milestone on https://bugs.launchpad.net/juju-core/+bug/1061941 | 01:19 |
davecheney | maybe because it's a different project | 01:20 |
niemeyer | davecheney: Perhaps the milestone picking logic is actually right | 01:48 |
niemeyer | davecheney: What I did was to deactivate 1.3 a while ago | 01:48 |
davecheney | \o/ ! | 01:48 |
niemeyer | davecheney: Bed time here | 02:34 |
niemeyer | davecheney: Have a good time | 02:34 |
* niemeyer => zzzzzZZZ | 02:34 | |
wrtp | fwereade__: morning | 07:28 |
fwereade__ | wrtp, heyhey | 07:32 |
wrtp | davecheney: hiya | 09:17 |
wrtp | davecheney: if you have a moment, this evening, it would be great if you could try to provoke that test failure - i'd like to get that CL submitted. | 09:18 |
davecheney | wrtp: that is the thing | 09:23 |
davecheney | the test never fails | 09:23 |
wrtp | davecheney: have you tried raising the iteration count? | 09:23 |
wrtp | davecheney: (did you see my reply BTW?) | 09:23 |
davecheney | i think i may not have | 09:24 |
davecheney | basically i reveted state.go | 09:24 |
davecheney | and the test still passed | 09:24 |
davecheney | so, what is the test testing ? | 09:24 |
wrtp | davecheney: i only replied an hour ago | 09:24 |
wrtp | davecheney: it's testing a race condition | 09:24 |
wrtp | davecheney: read my reply for details | 09:24 |
davecheney | ok, i'll go upstairs and read it | 09:24 |
wrtp | davecheney: ta | 09:25 |
fwereade__ | guys, I need to take a somewhat extended lunch; https://codereview.appspot.com/6734046 is pretty trivial if anyone is bored ;p | 09:45 |
wrtp | fwereade__: reviewed | 09:51 |
Aram | moin. | 10:20 |
wrtp | Aram: hiya | 10:29 |
wrtp | this fails for me.go test labix.org/v2/mgo | 12:22 |
wrtp | could someone else try it, and let me know if the test passes, please. | 12:23 |
Aram | one min\ | 12:23 |
wrtp | Aram: thanks | 12:23 |
Aram | wrtp: failed | 12:24 |
wrtp | Aram: thanks | 12:24 |
Aram | wrtp: I remember now, actually. | 12:25 |
Aram | it never passed for me | 12:25 |
Aram | I remember that error from when I started using mgo | 12:25 |
Aram | it never worked right here | 12:25 |
wrtp | Aram: it's strange because it looks like that js is ok | 12:25 |
wrtp | Aram: that is, i can't see how rs1a could be undefined. | 12:25 |
wrtp | Aram: ah, i see | 12:26 |
Aram | yeah | 12:27 |
wrtp | Aram: maybe the server ports have changed or something | 12:27 |
Aram | what momgodb version do you have? | 12:27 |
Aram | this is 2.0.4 | 12:27 |
wrtp | Aram: the one we're using in ec2, i think | 12:27 |
wrtp | Aram: 2.2.0 | 12:28 |
wrtp | Aram: hmm, i think it might be failing because i don't have a "supervisorctl" command | 12:31 |
wrtp | (whatever that's supposed to do) | 12:31 |
Aram | yeah, I don't have that either | 12:32 |
wrtp | Aram: hmm, that doesn't seem to have fixed it | 12:34 |
niemeyer | Moooorning | 12:57 |
fwereade__ | niemeyer, heyhey | 13:01 |
wrtp | niemeyer: yo! | 13:07 |
wrtp | niemeyer: any hints as to how i can get mgo tests passing? it seems like it's something to do with supervisord (which wasn't installed), but i've failed to get it working even when it is. | 13:08 |
niemeyer | wrtp: You have to run make startdb | 13:09 |
wrtp | niemeyer: ah! | 13:09 |
niemeyer | wrtp: It sets up the 12 servers, etc | 13:09 |
niemeyer | wrtp: It doesn't restart them across runs | 13:09 |
wrtp | niemeyer: right - i see now. that was not so obvious :-) | 13:10 |
niemeyer | wrtp: Anything you think is broken there? | 13:14 |
wrtp | niemeyer: i just wanted to check that i could connect to mongodb with Go's TLS, so i made some changes to allow that and wanted to verify that everything was still working | 13:15 |
wrtp | niemeyer: i do get one test failure, even after running startdb, BTW | 13:15 |
niemeyer | wrtp: I will work on that on my own time | 13:15 |
wrtp | niemeyer: it looks like session.DatabaseNames doesn't always return the names in sorted order | 13:15 |
wrtp | niemeyer: ok. you don't want to accept it as a contribution? | 13:15 |
niemeyer | wrtp: Is juju distributing TLS certificates properly? I'll happily take that as a contribution. :-) | 13:16 |
wrtp | niemeyer: i need to talk with you about that | 13:16 |
wrtp | niemeyer: i didn't want to build an implementation without deciding what to do first | 13:17 |
niemeyer | wrtp: Understood.. the point is that I'm happy to use my own time to work on mgo as I've been doing since day one. We don't have to spend our time to do that. | 13:17 |
wrtp | niemeyer: that's ok. | 13:17 |
wrtp | niemeyer: it was only 10 minutes' work | 13:17 |
niemeyer | wrtp: Cool, but it wouldn't be to implement it properly | 13:18 |
wrtp | niemeyer: no? it's true i'm probably unaware of the subtleties | 13:18 |
wrtp | niemeyer: i thought something like this was probably sufficient: http://paste.ubuntu.com/1286877/ | 13:19 |
niemeyer | wrtp: Quite possibly | 13:24 |
niemeyer | wrtp: That's what Dave suggested too | 13:24 |
wrtp | niemeyer: here's my half-baked plan for key distribution BTW: http://paste.ubuntu.com/1286895/ | 13:27 |
niemeyer | fwereade__: I think there was some misunderstanding on the Cleanup review | 13:33 |
niemeyer | fwereade__: But perhaps it's for the best | 13:33 |
fwereade__ | niemeyer, oh, sorry, perhaps there was | 13:34 |
fwereade__ | niemeyer, what did I miss? | 13:34 |
niemeyer | fwereade__: The suggestion was to run RemoveAll, but not to scan through all documents pending of cleanups at once | 13:34 |
fwereade__ | niemeyer, yes -- that changed because it appeared to make the code simpler, and I couldn't think of a serious drawback... | 13:35 |
fwereade__ | niemeyer, given that I was looping until I found a valid cleanup doc *anyway*, I thought it was easier to just keep on looping :) | 13:36 |
wrtp | i've got to reboot. back in a mo. | 13:36 |
niemeyer | fwereade__: It may only load the system at once a bit more, but it sounds worth trying | 13:36 |
fwereade__ | niemeyer, yeah, it seemed to follow the spirit of your other suggestions :) | 13:36 |
niemeyer | fwereade__: I think the cleanups doc is fine to be deleted out of a transaction too, btw | 13:37 |
fwereade__ | niemeyer, I thought "better safe than sorry" there, on the basis that it's a new feature whose context is yet to be completely determined | 13:38 |
niemeyer | fwereade__: We did its intended action before getting there, and the action is idempotent, so any mixup should be fine | 13:38 |
fwereade__ | niemeyer, true enough, happy to change | 13:39 |
niemeyer | fwereade__: For clarity, the dangers we can incur by not using a transaction, in that specific case, is seeing the change being done again | 13:40 |
niemeyer | fwereade__: Because if the transaction failed on the insert side before being finished, someone else will attempt to apply the transaction again, and may end up reinserting the doc | 13:41 |
niemeyer | fwereade__: After that transaction is finished, that doc is never seen in a transaction again | 13:41 |
niemeyer | fwereade__: So the worst that can happen is Cleanup running the same cleanup twice, which is not a big deal due to its nature | 13:42 |
niemeyer | fwereade__: I suspect that will be true in general for cleanups | 13:42 |
fwereade__ | niemeyer, hope so :) | 13:42 |
niemeyer | fwereade__: If you want me, I'll be in my bunker | 13:43 |
fwereade__ | haha | 13:43 |
wrtp | niemeyer: any thoughts on my key distribution sketch above? | 13:44 |
niemeyer | wrtp: I started reviewing a branch before you posted, and I haven't yet finished | 13:45 |
wrtp | niemeyer: ok, np | 13:45 |
wrtp | niemeyer: i wasn't sure you noticed the paste. | 13:46 |
niemeyer | fwereade__: LGTM, thanks a lot for the rounds | 13:47 |
niemeyer | wrtp: np | 13:47 |
niemeyer | wrtp: SO.. | 13:47 |
=== wrtp is now known as rogpeppe | ||
rogpeppe | niemeyer: so... | 13:47 |
niemeyer | rogpeppe: We don't need --sslOnNormalPorts.. we don't even use normal ports | 13:47 |
rogpeppe | niemeyer: ok. that just came from a web page. i'm not fully cognizant of the implications of all the mongod flags :-) | 13:48 |
rogpeppe | niemeyer: (i thought perhaps it might allow non-ssl connections without that flag) | 13:49 |
niemeyer | rogpeppe: We want --ssl, I think | 13:50 |
niemeyer | rogpeppe: I don't have a lot of experience with ssl on mongo myself, to be honest | 13:50 |
niemeyer | rogpeppe: 10gen plays a trick I don't find so nice | 13:50 |
rogpeppe | niemeyer: i was going from this page: http://docs.mongodb.org/manual/administration/ssl/ | 13:50 |
niemeyer | rogpeppe: Their own packages don't have ssl built-in.. you have to pay for a subscription | 13:51 |
rogpeppe | niemeyer: yeah, that's why you had to do your own build, right? | 13:51 |
niemeyer | All things considered, I guess it's a fine way to stay in business, though | 13:51 |
niemeyer | rogpeppe: Yeah | 13:51 |
rogpeppe | niemeyer: if people can't be bothered to do a build, then it's their problem i guess. | 13:52 |
rogpeppe | niemeyer: (you didn't have that easy a time of it AFAIR though!) | 13:52 |
niemeyer | Hmm.. "Add the “ssl=True” parameter to a PyMongo".. I'll have to investigate what's the standard way drivers are handling that | 13:52 |
niemeyer | "mongodb://localhost/?ssl=true&sslverifycertificate=false" | 13:53 |
niemeyer | interesting.. | 13:53 |
niemeyer | Anyway, sorry, derail | 13:53 |
niemeyer | rogpeppe: Only because it takes forever.. otherwise it was somewhat okay | 13:54 |
niemeyer | rogpeppe: in your sketch, I'm not entirely sure of what lines 12-15 mean | 13:54 |
rogpeppe | niemeyer: we've got to make the public key available somewhere outside of the state, right? | 13:55 |
rogpeppe | niemeyer: and the server itself must generate the public key, i think | 13:55 |
niemeyer | rogpeppe: Well, we can only generate the public key by generating the pair | 13:55 |
rogpeppe | niemeyer: exactly | 13:56 |
niemeyer | rogpeppe: I'm not sure we want to do that at the server side, though | 13:56 |
niemeyer | rogpeppe: It means the client has to trust the server blindly, at least once | 13:56 |
rogpeppe | niemeyer: and we don't want to make the private key available in cloudinit | 13:56 |
rogpeppe | niemeyer: there's another way around that, i think, which is orthogonal to this | 13:56 |
rogpeppe | niemeyer: which is to have a client-specified value that's put into the state. | 13:57 |
niemeyer | rogpeppe: That's a bit related to that conversation we had the other day regarding push vs. pull | 13:57 |
niemeyer | rogpeppe: Erm.. sorry | 13:57 |
niemeyer | rogpeppe: That was confusng | 13:57 |
niemeyer | rogpeppe: The conversation regarding bootstrapping via ssh rather than via cloud-init | 13:58 |
rogpeppe | niemeyer: i remember the conversation | 13:58 |
niemeyer | rogpeppe: Or perhaps via both, but pushing the changes via ssh | 13:58 |
rogpeppe | niemeyer: don't we have the same problem there. we must trust the server blindly the first time. | 13:58 |
niemeyer | rogpeppe: Let me look at how we bootstrap today for a sec.. just a moment | 13:58 |
niemeyer | rogpeppe: Okay | 14:01 |
niemeyer | rogpeppe: I guess the problem we have is pretty much the same as the problem we just solved with the password | 14:02 |
rogpeppe | niemeyer: if we could write to environments.yaml, our problem would be simpler | 14:02 |
niemeyer | rogpeppe: Seems like a red-herring | 14:03 |
niemeyer | rogpeppe: How did we solve the problem of initializing the password? | 14:03 |
rogpeppe | niemeyer: we changed it | 14:04 |
niemeyer | rogpeppe: Yep | 14:04 |
rogpeppe | niemeyer: but if the password is specified in environments.yaml, we can't do that. | 14:04 |
niemeyer | rogpeppe: Hmm.. I lost you | 14:04 |
niemeyer | rogpeppe: The password *is* specified in environments.yaml, and we do that | 14:05 |
niemeyer | rogpeppe: environments.yaml seems like a red-herring | 14:05 |
rogpeppe | niemeyer: perhaps i'm misunderstanding you. the password in environments.yaml is so we can authenticate ourselves to the server. what we're trying to do here is authenticate the server to the client, no? | 14:05 |
niemeyer | rogpeppe: The problem we have is exactly the same.. we have a private key that we want the server to hold without exposing to everybody that can read cloud-init | 14:06 |
rogpeppe | niemeyer: ok... so who generates the private key? | 14:07 |
niemeyer | rogpeppe: We do | 14:07 |
niemeyer | rogpeppe: The client | 14:07 |
rogpeppe | niemeyer: how does that help? | 14:07 |
rogpeppe | niemeyer: i suppose it means we don't have to wait for the public key to become available | 14:08 |
niemeyer | rogpeppe: It's the only way for the client to be able to tell it's talking to the right server | 14:08 |
rogpeppe | niemeyer: i don't see how it helps | 14:08 |
niemeyer | rogpeppe: Hmm.. expand? | 14:08 |
rogpeppe | niemeyer: when we connect for the first time after bootstrap, how do we tell if we're talking to the right server? | 14:09 |
niemeyer | rogpeppe: When you connect to your bank in your browser, how can your browser tell it is talking to the right endpoint? | 14:09 |
niemeyer | rogpeppe: (or at least hope so ;) | 14:10 |
rogpeppe | niemeyer: because your browser has stored a public key of the bank. | 14:10 |
niemeyer | rogpeppe: Almost, but close enough | 14:10 |
rogpeppe | niemeyer: so where do we store the public key that we generate at bootstrap time? | 14:11 |
rogpeppe | niemeyer: ah, i suppose we can use our local key to sign a certificate for the server | 14:11 |
rogpeppe | niemeyer: and then use our local key as the root CA | 14:11 |
rogpeppe | niemeyer: i'm not sure that works though | 14:12 |
rogpeppe | niemeyer: hmm, maybe. | 14:13 |
niemeyer | rogpeppe: Why? | 14:13 |
rogpeppe | niemeyer: i guess we'd need another field in environments.yaml | 14:15 |
rogpeppe | niemeyer: to hold the original signer's certificate | 14:15 |
rogpeppe | niemeyer: we could overload authorized-keys, i suppose | 14:15 |
niemeyer | rogpeppe: Uh.. why the obsession about environments.yaml? | 14:16 |
niemeyer | rogpeppe: and how's authorized-keys related to the problem? | 14:16 |
niemeyer | rogpeppe: This is the ssh key, and it works well | 14:16 |
niemeyer | rogpeppe: No need to fiddle there | 14:16 |
rogpeppe | [15:09:02] <rogpeppe> niemeyer: when we connect for the first time after bootstrap, how do we tell if we're talking to the right server? | 14:17 |
niemeyer | <niemeyer> rogpeppe: environments.yaml seems like a red-herring | 14:17 |
niemeyer | :) | 14:17 |
rogpeppe | :-) | 14:17 |
rogpeppe | niemeyer: i'm not sure how to answer my question above | 14:17 |
niemeyer | rogpeppe: You've already answered it? | 14:17 |
rogpeppe | niemeyer: my answer only works if we know what key signed the server's cert | 14:18 |
niemeyer | rogpeppe: Of half of it, anyway | 14:18 |
rogpeppe | niemeyer: and that's something that needs to be specified in environments.yaml AFAICS | 14:18 |
niemeyer | rogpeppe: Exactly, that's what we're handing off the key to the server | 14:18 |
niemeyer | s/what/why | 14:18 |
niemeyer | rogpeppe: lOL | 14:18 |
niemeyer | rogpeppe: We can do whatever we want.. yes, it may be in environments.yaml, it may be in ~/.juju/envname.cert, or whatever | 14:19 |
rogpeppe | niemeyer: ok, so we've handed off the key to the server. now we connect again, and the server presents a certificate. how do we tell if that certificate is valid? | 14:19 |
rogpeppe | niemeyer: ok, sorry. i was using environments.yaml as a place-holder for "somewhere with client configuration information". of course it could be stored elsewhere too. | 14:21 |
niemeyer | rogpeppe: You've already answered it: | 14:21 |
niemeyer | <rogpeppe> niemeyer: ah, i suppose we can use our local key to sign a certificate for the server | 14:21 |
niemeyer | <rogpeppe> niemeyer: and then use our local key as the root CA | 14:21 |
rogpeppe | niemeyer: the reason for the possible authorized-keys possible-red-herring is that we already have a local key, which we use to connect with SSH. we could use that very same key to sign the initial certificate. | 14:22 |
rogpeppe | niemeyer: rather than requiring everyone to generate another key just for juju | 14:22 |
niemeyer | rogpeppe: Nope.. different worlds | 14:23 |
rogpeppe | niemeyer: ok | 14:23 |
rogpeppe | niemeyer: so... in this proposed world, we have our own key distribution problem at the client side. | 14:24 |
rogpeppe | niemeyer: everyone that needs to bootstrap an environment must have a private key signed by the root key | 14:24 |
niemeyer | rogpeppe: This seems to put a simple problem in somewhat of a dark perspective | 14:25 |
niemeyer | rogpeppe: I'd put it more lightly as | 14:26 |
niemeyer | rogpeppe: When we bootstrap, we sign the key we hand off to the server | 14:26 |
rogpeppe | niemeyer: i suppose i'm slightly concerned at the change in juju usage implied here. before, you could just bootstrap anywhere, and connect to the environment from any other place as long as you had an authorized ssh key. | 14:28 |
niemeyer | rogpeppe: That feels like an entirely different context than the one we're talking about | 14:29 |
rogpeppe | niemeyer: now you can only bootstrap if you've got a private key that is derived from the root key. | 14:29 |
rogpeppe | niemeyer: (the root key being the one mentioned in the other environments.yaml files, so that they can connect) | 14:29 |
niemeyer | rogpeppe: Sorry, I think either you see something I don't, or you're creating a picture that I'm not perceiving | 14:30 |
niemeyer | rogpeppe: Generate key, sign, send to server, profit.. | 14:30 |
niemeyer | rogpeppe: Where's the pain coming from? | 14:30 |
rogpeppe | niemeyer: connecting again | 14:31 |
niemeyer | rogpeppe: yes? | 14:31 |
rogpeppe | niemeyer: if i'm connecting from a different host, i've got to verify that the bootstrapped environment's key was signed by the original key | 14:32 |
rogpeppe | niemeyer: so i need to know about the original key | 14:32 |
niemeyer | rogpeppe: Yes you do need to know about the server certificate if you want to validate the server is who we think it is | 14:32 |
niemeyer | rogpeppe: That's called authentication | 14:32 |
niemeyer | rogpeppe: Something we conveniently ignore right now | 14:33 |
rogpeppe | niemeyer: we're actually verifying the client that did the bootstrap in this case. | 14:33 |
rogpeppe | i think | 14:33 |
niemeyer | rogpeppe: ? | 14:33 |
rogpeppe | niemeyer: that's where the chain of trust starts | 14:34 |
rogpeppe | niemeyer: which seems good, actually. | 14:34 |
rogpeppe | niemeyer: hmm, i guess we'll have to issue the initial certficate with a very limited lifespan. | 14:38 |
rogpeppe | niemeyer: no that doesn't work | 14:38 |
rogpeppe | niemeyer: i'm not sure how we'll do the interaction to sign the new key when first connecting to the state. | 14:39 |
niemeyer | rogpeppe: We can create a temporary cert to sign the trashed private key | 14:40 |
rogpeppe | niemeyer: the server does that? | 14:41 |
niemeyer | rogpeppe: We cannot create the certificate in the server because then we cannot talk to the server and know we're talking to the right server | 14:41 |
rogpeppe | niemeyer: perhaps we need to run a little server that the client connects to, reads the new public key from the server, and sends back a signed cert | 14:41 |
rogpeppe | niemeyer: indeed | 14:42 |
rogpeppe | niemeyer: but we can (and should) generate a new private key on the server, and get that signed | 14:42 |
niemeyer | rogpeppe: We can generate the private key on the client and sign it on the client where we have the certificate | 14:43 |
rogpeppe | niemeyer: how do we send it to the server? | 14:44 |
rogpeppe | niemeyer: we could put it in the state, i guess, but that seems wrong to me | 14:45 |
niemeyer | rogpeppe: Why? | 14:47 |
rogpeppe | niemeyer: for the same reason we don't put admin-password in the state | 14:48 |
niemeyer | rogpeppe: One of the reasons we don't put it in the state is because nobody needs it | 14:49 |
rogpeppe | niemeyer: i thought it was a security issue too - we don't want anyone with access to the state to be able to impersonate the state server. | 14:51 |
rogpeppe | s/thought it was/think it might be/ | 14:51 |
rogpeppe | niemeyer: of course, they can only do that if they subvert DNS too | 14:52 |
niemeyer | rogpeppe: Give me access to the state without a private key, and I'll dig the key out of the state server in a short while | 14:53 |
rogpeppe | niemeyer: that's true of all our passwords too, of course. (with the exception of admin-password itself) | 14:53 |
niemeyer | rogpeppe: No, you cannot figure the password actually, but that's a derail | 14:54 |
niemeyer | rogpeppe: The points are: | 14:55 |
niemeyer | 1) We're consciously not handling authorization anywhere yet | 14:56 |
niemeyer | 2) Anyone with access to the state *today* can do whatever they want | 14:56 |
niemeyer | 3) That includes getting access to the state server | 14:56 |
niemeyer | 4) We're walking towards having a true API that manages authorization | 14:56 |
niemeyer | 5) With authorization, we can prevent people from having access to things they shouldn't | 14:57 |
niemeyer | 6) Even in the future, anyone that gets access to a state server *database* will have the private key for the server anyway, no matter if the key sits within the state or not | 14:57 |
niemeyer | That's it, I think | 14:58 |
rogpeppe | niemeyer: i suppose it just *feels* more secure to have the server generate its own private key. but you're probably right that it's unnecessary. | 14:59 |
niemeyer | rogpeppe: Well, I won't argue about that. If you know why it's more secure I'd be interested though. | 15:00 |
rogpeppe | niemeyer: it means we're not leveraging future security on current security so much. once a state server has obtained an identity, it can keep it, knowing that no-one else has its private key. that said, i can't think of any attacks in particular that this enables. | 15:02 |
niemeyer | rogpeppe: Yeah, I don't see where the "more secure" bits went in | 15:03 |
niemeyer | rogpeppe: And I see a bunch of issues to solve, such as how to distribute keys to replica sets, and how to ensure the key isn't lost | 15:04 |
wrtp | hmm, don't know why i was kicked of then | 15:08 |
wrtp | niemeyer: last thing i saw: [16:04:15] <niemeyer> rogpeppe: And I see a bunch of issues to solve, such as how to distribute keys to replica sets, and how to ensure the key isn't lost | 15:08 |
wrtp | off | 15:08 |
niemeyer | wrtp: Yeah, that was it | 15:08 |
wrtp | niemeyer: what was the last thing you saw me say? | 15:08 |
niemeyer | wrtp: Nothing after that | 15:09 |
wrtp | 16:06:29] <rogpeppe> niemeyer: here's a thought: is it actually possible to change the server's key after it has started running? | 15:09 |
wrtp | [16:06:52] <rogpeppe> niemeyer: or will we need to shut down mongod and restart it pointing to the new private key | 15:09 |
wrtp | ? | 15:09 |
niemeyer | wrtp: Short term, I suppose we have to restart it | 15:11 |
wrtp | niemeyer: and there's another issue too - how do we ensure that the original certificate (in cloud-init) isn't valid forever, while ensuring we can connect an arbitrary time after bootstrap | 15:12 |
wrtp | ? | 15:12 |
niemeyer | Oct 18 11:40:53 <niemeyer> rogpeppe: We can create a temporary cert to sign the trashed private key | 15:12 |
wrtp | niemeyer: i'm not sure quite what you mean by that | 15:12 |
niemeyer | wrtp: Temporary cert? | 15:12 |
niemeyer | wrtp: What part? | 15:12 |
wrtp | niemeyer: yeah | 15:13 |
niemeyer | wrtp: Sorry, can you explain what you don';t understand? | 15:13 |
wrtp | niemeyer: do you mean a certificate with a short expiry time? | 15:13 |
niemeyer | wrtp: No.. I mean creating a certificate that is itself temporary | 15:13 |
wrtp | niemeyer: i'm not sure what that means | 15:14 |
wrtp | niemeyer: stored temporarily? | 15:14 |
niemeyer | wrtp: I don't know how to explain that more simply | 15:14 |
niemeyer | wrtp: Yes | 15:14 |
wrtp | niemeyer: but the cert is in the cloud-init data; how can it be stored only temporarily? | 15:15 |
niemeyer | wrtp: No, the cert is local | 15:15 |
niemeyer | wrtp: priv and pub keys are in cloud-init | 15:15 |
wrtp | niemeyer: don't we need to pass a cert in the cloud-init too? | 15:16 |
wrtp | niemeyer: because we need to sign it with the client's private key | 15:16 |
niemeyer | wrtp: Hm? | 15:17 |
wrtp | niemeyer: isn't that the basis of our security here? | 15:17 |
wrtp | niemeyer: how else do we know that the certificate is valid when we're connecting to the state? | 15:17 |
niemeyer | wrtp: Because we have the certificate with which the private key was signed | 15:18 |
niemeyer | Erm | 15:18 |
niemeyer | The public key | 15:18 |
wrtp | niemeyer: the server has that certificate? | 15:18 |
niemeyer | wrtp: Not necessarily, although we should probably send the public part of it as a sensible thing to do | 15:18 |
niemeyer | wrtp: That's not what the security is based on, though | 15:19 |
wrtp | niemeyer: oh, i *think* i start tosee. | 15:19 |
wrtp | to see | 15:19 |
niemeyer | wrtp: A private key is used to sign stuff, and to encrypt stuff for people to have the public key | 15:19 |
wrtp | niemeyer: i know that. | 15:20 |
niemeyer | wrtp: A public key is signed by a private part of the certificate so that people holding the public part of the certificate can attest that whoever handed off the public key was signed by the private part of the certificate | 15:21 |
wrtp | niemeyer: i do know how pk auth works, i think | 15:21 |
niemeyer | wrtp: My apologies, but that's exactly what I've been explaining | 15:22 |
wrtp | niemeyer: i'm just not entirely sure what configuration you envisage here | 15:22 |
wrtp | niemeyer: i think i might see. i was thinking that the private key would be generated at bootstrap time. | 15:22 |
niemeyer | wrtp: and it will | 15:23 |
niemeyer | Oct 18 11:30:45 <niemeyer> rogpeppe: Generate key, sign, send to server, profit.. | 15:26 |
wrtp | niemeyer: (sorry, i'm feeling particularly dense today) | 15:26 |
wrtp | niemeyer: i thought that the server side of the TLS connection needed the signed certificate | 15:27 |
niemeyer | wrtp: The server side needs a public key signed by the local certificate and a private key | 15:30 |
wrtp | niemeyer: hmm, that's what i thought | 15:31 |
wrtp | niemeyer: so that {public key signed by the local certificate} must go into the cloud-init data, right? | 15:31 |
niemeyer | wrtp: The server side needs a public key signed by the local certificate and a private key | 15:31 |
niemeyer | wrtp: Both need to go | 15:31 |
wrtp | niemeyer: yeah, sure, the private key too | 15:32 |
wrtp | how does that tally with this: [16:15:22] <niemeyer> wrtp: No, the cert is local | 15:32 |
niemeyer | wrtp: "signed by the local certificate"? | 15:33 |
wrtp | niemeyer: isn't a public key signed by the local certificate a certificate itself? | 15:33 |
wrtp | niemeyer: i'm probably getting my terminology wrong, sorry. | 15:34 |
niemeyer | wrtp: It can be if its respective private key is used to sign something else.. but I don't think that matters/ | 15:34 |
niemeyer | ? | 15:34 |
wrtp | niemeyer: (i was thinking that certificates can't sign things, only private keys can) | 15:34 |
niemeyer | niemeyer> wrtp: A public key is signed by a private part of the certificate so that people holding the public part of the certificate can attest that whoever handed off the public key was signed by the private part of the certificate | 15:34 |
wrtp | niemeyer: private-part-of-certficate == private-key, no? | 15:35 |
wrtp | gah! | 15:35 |
niemeyer | wrtp: I suggest reading a bit about PKI.. | 15:36 |
wrtp | niemeyer: i have read a certain amount, but obviously not the right bits... | 15:37 |
niemeyer | wrtp: http://www.openssl.org/docs/HOWTO/certificates.txt | 15:38 |
wrtp | niemeyer: that seems to agree with what i thought | 15:39 |
wrtp | niemeyer: i.e. the private key is not part of the cert | 15:40 |
niemeyer | wrtp: I'm sure.. we're debating this for ages just because we all understand things and are in deep agreement :) | 15:40 |
wrtp | niemeyer: i'm sorry. but part of my confusion here is about terminology. when you say "public key signed by the local certificate", i find it confusing, because a certificate can't sign things. | 15:42 |
wrtp | niemeyer: so i'm *trying* to get around to asking how we can limit the lifetime of the certificate we send to the server in the cloud-init data. | 15:43 |
wrtp | niemeyer: i'm sorry we seem to be having difficulty here. | 15:44 |
niemeyer | wrtp: Do you understand what a root certificate is? | 15:45 |
wrtp | niemeyer: i believe so | 15:45 |
niemeyer | wrtp: Okay.. what does it do? | 15:46 |
wrtp | niemeyer: it verifies that some root private key has some attributes | 15:47 |
niemeyer | wrtp: Hmm.. no.. | 15:47 |
niemeyer | wrtp: It signs things | 15:47 |
niemeyer | wrtp: and there is both a private part of it, and a public part of it | 15:47 |
wrtp | niemeyer: the public part of it *is* the certificate, i believe | 15:48 |
wrtp | niemeyer: the private key is just a private key, that can be used to sign any number of certs | 15:48 |
niemeyer | wrtp: Nope.. it's a pair | 15:48 |
wrtp | niemeyer: if i want to sign a certificate request, i can use this command: | 15:49 |
wrtp | openssl x509 -req -days 10000 -signkey $keyfile -out $certfile -in $reqfile | 15:49 |
wrtp | niemeyer: that produces a certficate signed by the specified key file. | 15:49 |
wrtp | niemeyer: there's no inherent pairing | 15:50 |
niemeyer | wrtp: There all those fancy names, but in the end it's good old asymmetric crypto | 15:50 |
wrtp | niemeyer: indeed | 15:50 |
wrtp | niemeyer: the different thing about a root cert, i suppose, is that it's self-signed. | 15:50 |
niemeyer | wrtp: So, you use the private part of the key pair that some call certificate, some call whatever they want, to sign things | 15:53 |
wrtp | niemeyer: yup | 15:53 |
niemeyer | wrtp: The root CA is the public part of it | 15:54 |
wrtp | niemeyer: yup | 15:54 |
niemeyer | wrtp: The thing we see and can check | 15:54 |
wrtp | niemeyer: yup. but we also need to check the intermediate certificate too, right? | 15:54 |
niemeyer | wrtp: The private part of the root CA is what signs the public keys we use in the server that you can also call certificate if you want | 15:54 |
niemeyer | wrtp: If there is an intermediate certificate, yes | 15:55 |
niemeyer | wrtp: Then the private key of the root CA signed the public key of the intermediate certificate, and the private key of the intermediate certificate signs the server public key or public certificate if you please | 15:55 |
wrtp | niemeyer: in this case, there must be an intermediate certificate AFAICS because we don't send the root certificate to the cloud | 15:55 |
wrtp | niemeyer: ok, in that sense we probably won't have an intermediate certificate. it's that last bit i'm talking about. | 15:57 |
niemeyer | wrtp: The two last sentences contradict each other | 15:57 |
wrtp | niemeyer: i realised that i meant a different thing to you by "intermediate certificate" | 15:58 |
wrtp | niemeyer: hence "in that sense" | 15:58 |
niemeyer | wrtp: Intermediate certificate in general is unambiguous | 15:58 |
wrtp | niemeyer: in this case AFAICS, we've got two certificates in the first instance: the root cert and the cert that we give to the bootstrap instance. | 15:59 |
niemeyer | http://en.wikipedia.org/wiki/Intermediate_certificate_authorities | 15:59 |
niemeyer | wrtp: Yes | 15:59 |
wrtp | niemeyer: so the latter cert goes in the cloud-init data, right? | 16:00 |
niemeyer | wrtp: Yes, we have to send the private key and the public key for the server in cloud-init | 16:01 |
wrtp | niemeyer: it's more than just the public key - it's the *certificate* (which includes expiry time, possible server name etc) too, right? | 16:02 |
niemeyer | wrtp: We can call it shit if you want.. | 16:02 |
niemeyer | wrtp: Sorry.. I'm getting slightly tired by now | 16:02 |
wrtp | niemeyer: i'm sorry, that's a big difference | 16:02 |
wrtp | niemeyer: because a certificate is valid for a while | 16:03 |
wrtp | niemeyer: so even if we change the private key, that certificate will still be valid | 16:03 |
wrtp | niemeyer: so we *could* make the expiry time short | 16:03 |
wrtp | niemeyer: but that would mean that if we didn't connect soon after bootstrap, then it'll expire and we'll lose access to our newly bootstrapped state | 16:03 |
niemeyer | wrtp: I suggest we use a temporary certificate to sign the key instead, but you already knew that 1.5h ago | 16:04 |
wrtp | niemeyer: who signs the temporary cert? | 16:04 |
niemeyer | wrtp: Nobody.. the temporary CA cert is the thing that sings the server cert | 16:04 |
wrtp | niemeyer: ah... so you're suggesting making a temporary root certificate when bootstrapping? | 16:05 |
wrtp | niemeyer: and storing that somewhere on the client's machine | 16:05 |
niemeyer | wrtp: http://en.wikipedia.org/wiki/Public_key_certificate | 16:05 |
niemeyer | wrtp: Yes | 16:07 |
wrtp | niemeyer: okaaay | 16:07 |
wrtp | niemeyer: that's what i was trying to get at by saying (ages ago) that it would be nice if we could write to environments.yaml. | 16:08 |
niemeyer | wrtp: ROTFL | 16:08 |
niemeyer | wrtp: Sorry.. this is getting somewhat sad :) | 16:09 |
niemeyer | wrtp: I'll step out for lunch | 16:09 |
wrtp | niemeyer: enjoy. sorry for my obtuseness. | 16:10 |
TheMue | so, CL simplified and re-proposed. time to step out for dinner. | 16:42 |
wrtp | niemeyer: this how i understand the current state of affairs (slightly simplified): http://paste.ubuntu.com/1287249/ | 16:46 |
wrtp | niemeyer: s/current state of affairs/currently proposed scheme/ | 16:46 |
wrtp | niemeyer: the simplification is that i'm not sure it's particularly useful to generate a certificate on the client side; all we need to verify is the public key of the server, so it can generate its own certificate. | 16:50 |
wrtp | s/certificate/temporary certificate/ | 16:51 |
wrtp | niemeyer: for the record that page above (http://en.wikipedia.org/wiki/Public_key_certificate) contains nothing that implies that a certificate has a private part, or can be used to sign things. i believe my confusion was understandable. | 16:56 |
niemeyer | wrtp: It contains the fact that a certificate has *the public key* signed by *the CA*, but I really don't want to discuss this anymore | 17:21 |
niemeyer | wrtp: If you think it doesn't have a private counterpart, I won't force you into understanding it | 17:22 |
wrtp | niemeyer: me neither. i'm hoping that my paste above will move things forward. | 17:22 |
wrtp | niemeyer: (of course it has a private counterpart, the signer, but that's not part of the certificate) | 17:23 |
niemeyer | wrtp: "contains nothing that implies that a certificate has a private part" | 17:23 |
wrtp | niemeyer: it's not a part of the certificate. anyway, moving on. | 17:23 |
niemeyer | wrtp: Changing the point until it becomes reasonable makes for a very painful conversation | 17:24 |
wrtp | niemeyer: a certificate contains no private data! | 17:24 |
niemeyer | <niemeyer> wrtp: "contains nothing that implies that a certificate has a private part" | 17:24 |
niemeyer | wrtp: That's what you said | 17:24 |
niemeyer | wrtp: That's what I responded to | 17:24 |
wrtp | niemeyer: counterpart != part | 17:24 |
niemeyer | wrtp: For my own sanity I'll stop talking for the moment | 17:25 |
wrtp | niemeyer: ok | 17:25 |
wrtp | niemeyer: i'm sorry this is difficult. i don't mean to be awkward, but when we're talking about this stuff, it helps to have some agreed terminology. | 17:26 |
wrtp | niemeyer: we should have moved to G+ hours ago | 17:26 |
wrtp | niemeyer: i'd very much like some reaction to my proposal above, as i plan to start implementing it tomorrow morning, if it looks ok. | 17:29 |
niemeyer | wrtp: Will check | 17:29 |
niemeyer | wrtp: | 17:33 |
niemeyer | on initial server: | 17:33 |
niemeyer | get tempKey from cloud-init data | 17:33 |
niemeyer | tempCert = generate a self-signed certificate using tempKey | 17:33 |
wrtp | niemeyer: is that bad? | 17:34 |
niemeyer | wrtp: Just send the key/cert signed by the temporary local CA for the server to use | 17:35 |
wrtp | niemeyer: what's the point of generating two keys when one will do? | 17:35 |
wrtp | niemeyer: (i'm perfectly willing to accept that there may be a good reason, but i couldn't think of one) | 17:37 |
niemeyer | wrtp: What are you going to put on the root CA field? | 17:38 |
wrtp | niemeyer: the certificate itself. | 17:38 |
wrtp | niemeyer: sorry, the temporary key itself | 17:38 |
wrtp | niemeyer: it's self-signed | 17:39 |
niemeyer | wrtp: Bingo.. it's a certificate, not a private key | 17:39 |
wrtp | niemeyer: the server can generate its own certificate | 17:39 |
wrtp | niemeyer: i don't *think* the server needs to share a CA with the client, but i may be wrong. | 17:39 |
niemeyer | wrtp: Why are you generating the same certificate twice? | 17:40 |
wrtp | niemeyer: we only generate it once | 17:40 |
wrtp | niemeyer: on the server. | 17:40 |
wrtp | niemeyer: the client just generates the private/public key pair | 17:40 |
niemeyer | wrtp: and what do you put on the local root CA field? | 17:40 |
wrtp | niemeyer: we don't need one | 17:41 |
niemeyer | wrtp: Argh | 17:41 |
niemeyer | wrtp: It's been three hours, and we're still stumbling upon basics of PKI | 17:41 |
wrtp | niemeyer: we can do TLS authentication with no CAs | 17:41 |
niemeyer | wrtp: Gosh | 17:41 |
wrtp | niemeyer: i have Go code that does that, in fact. | 17:42 |
niemeyer | wrtp: Okay, please teach me about how that works | 17:42 |
wrtp | niemeyer: we use the usual diffie-hellman key exchange, which verifies the public key at the other end | 17:43 |
wrtp | niemeyer: then we check that public key matches the one we expect | 17:43 |
niemeyer | wrtp: | 17:44 |
niemeyer | // RootCAs defines the set of root certificate authorities | 17:44 |
niemeyer | // that clients use when verifying server certificates. | 17:44 |
niemeyer | // If RootCAs is nil, TLS uses the host's root CA set. | 17:44 |
niemeyer | RootCAs *x509.CertPool | 17:44 |
niemeyer | wrtp: That's in the tls.Config type | 17:44 |
wrtp | niemeyer: yes | 17:44 |
wrtp | niemeyer: it's optional. | 17:44 |
niemeyer | wrtp: What do you suggest we do with this? | 17:44 |
wrtp | niemeyer: it'll work with an empty cert pool | 17:44 |
niemeyer | wrtp: Yes, and what happens if you don't use it? | 17:44 |
niemeyer | wrtp: What happens in that case? | 17:44 |
niemeyer | wrtp: (hint: it's in the comment) | 17:45 |
wrtp | niemeyer: you don't verify that the certificate is signed | 17:45 |
wrtp | niemeyer: however... | 17:45 |
niemeyer | wrtp: Wrong | 17:45 |
wrtp | niemeyer: you can easily check the exact certificate | 17:45 |
niemeyer | wrtp: It uses the host CA pool | 17:45 |
niemeyer | wrtp: Which contains root CAs, which the key is not signed against | 17:45 |
wrtp | niemeyer: you can use the ConnectonState method to find out the public key at the other end | 17:46 |
niemeyer | wrtp: There are many things we could do, but that's not what we'll do. What we'll do is use plain and well known SSL, as intended. | 17:46 |
wrtp | niemeyer: ok. it seems a bit unnecessary (checking the public key directly is just as strong), but fair enough. | 17:47 |
niemeyer | wrtp: Sorry, I'll stop discussing that now. Let's talk next week. | 17:47 |
wrtp | niemeyer: ok | 17:47 |
wrtp | niemeyer: assuming we generate a certificate too, does the rest look ok? | 17:47 |
niemeyer | wrtp: I really mean it, sorry about that. We've been discussing this for about 3h without progress. Next week we talk live with a whiteboard and sort it out. | 17:49 |
wrtp | niemeyer: ok | 17:49 |
wrtp | :-( | 17:50 |
niemeyer | wrtp: I suggest picking stuff you'd enjoy working on tomorrow as a brain break | 17:50 |
wrtp | niemeyer: i was thinking *this* might be quite fun :-) | 17:52 |
wrtp | niemeyer: for the record: http://paste.ubuntu.com/1287384/ | 18:05 |
wrtp | i'm done for the evening | 18:05 |
wrtp | night all | 18:05 |
niemeyer | wrtp: Have a good evening | 18:05 |
wrtp | niemeyer: and you. v sorry about the wasted time this afternoon. | 18:05 |
niemeyer | wrtp: All good, next week will be a lot easier | 18:05 |
wrtp | niemeyer: indeed | 18:05 |
=== davechen1y is now known as davecheney |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!