Hello, who just joined? Hello. Hi, both Justins. Hello. Have you guys... How's it going? Have you guys done your KubeCon recordings yet?

Yeah, yeah. Same here. When the schedule first came out, the first thing I did was, like, scroll to the bottom of the page and grab my thoughts.

Yeah, I don't think we have an agenda today. I was talking to the Keylime folks about doing a presentation, but it looks like one of the speakers is not available, so let's say this may be a really quick meeting. Let me put the meeting notes in the chat. Go away with the one. Hey, yeah. Let's say I just put the meeting notes in the chat, so if you don't know, just put a name in there, and we'll wait a couple more minutes for people to join into Zoom.

Justin Cappos was from the assessment slides. I think that needs discussion. Yes, but Robert's before me in terms of updates, and he may want to discuss his issue, so I'll let him talk about that when he gives his update. I guess the only other thing is there was a question about Keycloak here, and it looks like they've just completed the dumb question phase and initial review, and so they're going to need to schedule a presentation for the group here to tell people what they've been up to. So I don't know if any of those folks are on this call; if you're not and you watch the video later, please coordinate with us to find a time to present in the meeting.

All right, cool. So it looks like more people have joined in, so let me re-post the meeting link again, and then let's get started with the check-ins. Okay, so let's go down to this. All right, let's start with Robert. Do you want to talk about
Cloud Custodian? Sure. Good morning. So we did an initial kickoff call with the Cloud Custodian team, Justin and I, and I think that the big need from this group is: we'd love to get two or three additional volunteers who can help with reviewing the self-assessment and then reviewing what we suggest as SIG Security. I'm leading that process, so I'll do most of the heavy lifting; I just need as many volunteers as would be interested to be additional sets of eyes and give good feedback. So if there's anyone there who would like to use this as an opportunity to participate in the process and learn more about the process, I promise to make it an easy ask.

Awesome. So is this for... this year past the dumb question phase, so I forgot what the new name was. And you're looking for reviewers for the actual assessment, right?

Well, I think... I mean, correct me if I'm wrong, Justin, I think we can reopen the initial question phase because we have the most recent updates from the Cloud Custodian team on their self-assessment document. So now the process really starts. I'll be reviewing that information. Obviously, if we can get two or three more sets of eyes on it, we'll allocate enough time for a productive review of that, and then I think we will do a few rounds of question and answer with the Cloud Custodian team. So the question and answer phase starts now.

Okay, I got you.

Depending on how many volunteers we can get, I think the Cloud Custodian team is flexible.
We can elongate that cycle if we need it. So yeah, I think we have enough runway to make it productive.

Yeah, in general we've always had maybe three or four additional people other than the main reviewer doing the review, and right now it's just Robert and myself, and I'm in the process of moving to Shanghai for the fall, which means that my ability to put really focused attention on this is also limited. So we really need two or three other motivated people who can go and give a hard look at that, because I don't think there's been an assessment, at least none of the ones that I've been on, where we haven't had multiple people with really, really valuable feedback that the assessment would have been much worse without. It's never just been like a person steps in and basically does the assessment and everybody else just kind of ticks a box. So I would really appreciate having two or three other folks. If you're not quite sure about it, it's fine to go and say, hey, I'd like to participate, but I don't know what I can contribute. That's okay, too. Over time people get more and more comfortable.

Yeah, and maybe we can also... I'm not sure if you have already done that, but maybe we can post it in the Slack group, in case, for those people in other time zones, maybe they will participate as well.

Sorry, you broke up a little bit. Can you repeat the question?

Just saying, maybe we can, if you already haven't, put it on the Slack channel. There may be some people that are not on the call that may be able to help as well.

Yeah, so two things on that. So I did post yesterday. I'm happy to post daily. And also there is a Cloud Custodian assessment channel, which I posted in. But yes, I mean, definitely we'll post again today.

All right, cool. Thanks, Robert. Justin Cappos.
So, do you want to continue on with the chat about Keycloak?

I don't have too much more to add about that, but I do have another very brief thing that I mentioned; it doesn't warrant a real agenda item. A few weeks ago I had mentioned, kind of in passing in the meeting, that I'm planning, as part of an application security class that I'm teaching in the fall, to try to basically take students through looking at a badly set up... think about all the mistakes you see people make setting up cloud native, trying to give them an environment like that and then talking about those mistakes and having them fix them. So I mentioned that, and there was a lot of "oh, that's a great idea, I'd like to participate" kind of things, and I wanted to mention to folks that I haven't forgotten about this, and at some point in the not too distant future I will get something basic together and maybe start the discussion either on the Slack channel or in these meetings, depending on time.

Okay, sounds good. Just to follow up there, Justin: would you see that as totally separate and distinct from, or somewhat overlapping with, something like a red teaming setup?

Um, I mean, the perspective we're giving in this exercise is more of: you've been hired into a company, and the boss's nephew had looked online and hacked some crazy thing together, and now you have to actually make it work and be reasonably secure. I mean, it already works, but it'll have these weird little errors that come up when certain things happen and stuff like that, which will be indicative of security problems, but then there'll be a lot of things like checking private keys into GitHub, or database passwords or stuff into GitHub, rather than using Docker secrets or Vault or whatever. And so the idea is, rather than just tell the students, like, don't do
these things, we'll give them an environment that's pretty basic but has a lot of different really rookie mistakes in it, and that way when they're thinking about, like, how do I set this up correctly, or what do I do, they already have sort of an example, a bad example, to fix, rather than just seeing it on a couple of slides or whatever and not really getting any experience.

Okay, great. Makes sense. Yeah, so Justin, maybe if you want to... it sounds like, and probably, well, that's going to be KubeCon and stuff like that, but I'm guessing that after KubeCon, in the next couple of weeks, if you're going to put something in the planned meetings, then I think we will have a pretty packed September in terms of presentations if you do that.

Sounds good. All right.

So just to recap again on Keycloak, you mentioned that you're done with the dumb question phase and you require additional people as well for this?

Sorry, so I want to make sure: Keycloak is separate from what we were just talking about, which is Cloud Custodian, right?

Yeah, Robert's been talking about Cloud Custodian. So Keycloak, from what's been discussed here, according to Ash and Emily and others, they've made it through both the dumb question phase, or naive question phase or whatever we're calling it now, but also the broader review, so that everybody who's in the assessment group, which is Christian, Erin or whoever that is, I'm sorry, okay, and Emily, have, in addition to Ash who's the lead, all gone through and done deep dives into the document and left comments.

Okay. Yeah, all right, cool. Do you think that...
So I'm not sure with the... I guess that's if we can find people for Cloud Custodian, but I'm just wondering whether anyone from the Keycloak team, you know, once that's done, whether they'd be interested in Cloud Custodian. Sounds like it's just kind of a lack of people. And also, I think, which I get to in the next point: I'm going to skip Justin Cormack's check-in for a bit because Andres also mentioned looking for volunteers for the Buildpacks assessment.

So yeah, I didn't really get to round up a couple of folks, at least to get started. The security assessment is available. I have actually started to glance over it; the review seems pretty complete, but yeah, I could use some assistance from other folks to make sure we give it a thorough look.

So I'm just wondering, from kind of a resource perspective, I don't know, would we be spreading too thin, do you think we have enough, or should we kind of serialize some of these? I don't know what the current plan for this is.

I think what I'd prefer we do... so we have sort of done two at a time at times, but that's mostly been when something stalled; it hasn't really been like two completely separate groups of people. In some cases we just have an assessment that's stalled for a couple of weeks or a month or something, and then another assessment got started. So I'd prefer we don't have three active assessments now, at least unless we get plenty of people for Cloud Custodian and then we have plenty of people for Buildpacks, then great, let's do it all. But I would prefer... we wouldn't be doing anybody a service if we have half an assessment for Buildpacks and half an assessment for Cloud Custodian.
Yeah. So I'm guessing that we can kind of see, after calling for volunteers, what the numbers are, and then maybe we can see whether the reviewers would be okay with doing one assessment before the other. But I don't know that that's going to work out; I feel like it may be something that we may have to revisit if we don't get... if we are spread a bit thin.

Yeah, it's a good point, definitely something to consider. I wanted to test some folks who we worked together with on the Harbor assessment, so we have prior experience working together. I see Martin and Chase on the call; I've actually been meaning to reach out and see if they have the cycles to work on Buildpacks and assemble that crew. But yeah, let's see what we're able to get and determine; we can certainly just pause one for the time being and do them in order.

Okay. I just wanted to add that I'm still interested in joining other assessments, but I just have to check my availability. That's why I'm silent and don't have anything to add or say. But thank you for mentioning that. Yeah, it was a good experience working together.

I agree, for me too.

Okay, so I think we're good with assessments. Justin Cormack, do you have an update?

No, nothing today.

Okay. And I think the last update is Kapil; I think we talked about Cloud Custodian. Did you have something to add to that?

No, I'm straggling in late. I heard the tail end of it, so it sounded like it wasn't clear what the result was. Is it that we're doing a call for volunteers and otherwise Buildpacks is in the queue in front, or what's the end result?
I mean, so we have a call for volunteers for Cloud Custodian. I'm assuming that, unless I'm missing something and we have a completely fleshed out, completely ready-to-go team for Buildpacks and they have everything going, then my inclination is to have Cloud Custodian, which has been around longer, go first. If for some reason we can't get a team together that's an adequate size or something, then maybe, if another project's ready to go, we can maybe look at that. But because resources will be freeing up as we finish the Keycloak assessment, we can look and re-evaluate. But I don't think it really matters what order you do these in, because Keycloak should finish in a week or two, and then I hope that frees up enough capacity for us to have both of them going. And since the projects have already done a lot of the hard work and we're already starting to get into the clarifying question phase, I don't see this as a hill anyone should feel we're dying on, what the order of those are, because those should be going quickly quite soon.

Sounds good. Okay, it sounds like maybe we wait one or two weeks and it may resolve itself, but let's see. Okay, I don't think there are any other agenda items we have for today. So does anyone have anything to talk about? If not, we'll probably just call it.

Just a quick update from the policy working group. We have our calls at 8 a.m. Pacific every other week, so we had our call today at 8. I think the recordings... so we're using this Zoom. I'm not entirely clear how the recordings get published; it's not something I have access to, but I think that we have published them in the past through some mechanism. If they're on this Zoom, they should happen the same way as these, but ping Amy, if you're on Slack, if you're not sure.
Okay, perfect. And then just a quick thumbnail: we're continuing to work on a custom resource definition for Kubernetes for policy results, and we also had a discussion today about kind of NIST 800-53, FedRAMP, SCAP, OSCAL type automation. So if anybody's interested in that, feel free to, once we get the recording posted, ping here in the agenda meetings. I'm happy to reach out to anyone if they're interested in those topics.

Will you be posting in the Slack channel when those videos are posted?

Yes, I will do so.

Thank you. That's it for me.

All right. Any other things anyone wants to bring up?

I've got a couple of things from SPIFFE and SPIRE that may be relevant to several projects in the ecosystem. One being, we've been looking closely at RFC 8705, which is OAuth 2.0 mTLS authentication and certificate-bound access tokens. So we've been looking, for a lot of clients, to use SPIFFE IDs to protect that using mTLS and start bridging machine identity to user identity and just remove the need to manage client credentials. So for those doing assessments around user identity management related projects, it's something I just want to put in your head, and like, starting to light a path towards that. So just something to raise for consideration or awareness for some of these projects. A couple of other things... Sorry.

Have you got any links to that? I'd be interested.

Yeah, for sure. I'll share the links in the meeting notes. I think that would be good. In the chat, and I'll send up... in the meeting notes I can include a brief summary, a description of that.

A couple of other items. One that has been asked, and this may be interesting: extending SVIDs to carry key-value pairs that could be claims.

Yes. I was waiting for that. That's something that I've been looking forward to for a long time. Very anticipated.

Yes.
Yeah, it blurs a little the lines between authN and authZ, but there's high demand for that. Folks from Netflix, which, ironically, much of SPIRE was modeled after Netflix's Metatron, Netflix has come around and said, hey, SPIRE has now leapfrogged Metatron and we may be looking to consume this for some of our newer systems or have dual compatibility. So they may be opening up an issue around this pretty soon, and we're going to have a big request for comments around it.

And last, Justin, we've had conversations with the DoD around SPIRE integrations for in-toto, and the in-toto machinery, but like, with key pairs in in-toto, how do you bind those to SPIFFE IDs? And there are things at several levels. I'll send some more detail on that, but I think it's another area that could benefit from broader group discussion of how to move SPIRE earlier into the supply chain. We've talked about that at different points in time, but I think we now have a particular end user wanting to see this worked on upstream, and the state of the technology is that we may be able to integrate it well.

Great. Yeah, I look forward to hearing more about that.

Yeah, this is awesome. I'm super excited.

Yeah, if you could post some of the... I got the RFC thing, then put it in the meeting notes. If there are any links or design documents for the other two points you brought up, on the SVID key-value pairs and the SPIRE integrations for in-toto, it would be good if you can put them in the meeting notes as well.

For sure. Will do.

All right. Thanks, Andres. All right. Um, any other topics? Okay, if not, let's close the meeting for this week and I will see everyone again next week. Thank you. Later. Thank you. Bye. Bye.