 So yeah, I was just giving the little time in between that anybody with the phone number could chime in. Aaron, thanks for noting your issue you picked up. Lakshmi, actually, could you type the issue chimed in on an issue? I think I wanted to raise everybody. Was that you? Yeah, yes. If you would dig it up and the link in. I love the idea I saw on my phone when I was in the muni this morning so I didn't have a chance to chime back in. But it looked great for me. So at minimum, we have a special guest coming at 10.30. So we may not have time to discuss all the open things, but I want to at least raise it for people to chime in on to give people a heads up that I would love to have people's feedback. Yeah, sure. Yeah, I got it. All right, so since we have an exciting busy agenda today, why don't we just start with check-ins, even though some people might still be rolling in. We'll go down the list in order. Robert. Hello, everyone. Yeah, I did a little brainstorming on the lifecycle document that you requested, Sarah. Oh, actually, I'm going to interrupt you because I realize we don't have scribes. Could I have two volunteers? I'll do subscribing at least for the first half of the meeting. Thank you. Do we have anybody who somebody is volunteering? I will send the link again because you don't get to see chat history. And I was, and so that is, I just sent the link to everyone. So thank you, Robert. Now you can start your check-in. And I will, and Ash is going to take those too. Yay. So we have a couple of scribes, which is fabulous. OK, I already noted also on the Google Doc. So issue 152, which you assigned last week. I'll work on that a bit more. I just pulled some initial thoughts. And then I'm hoping to get back to the formal validation ideas and other tickets. But that's about it. Great. Thank you for helping out on the repo. We really appreciate that. Next up is Justin Cormack. I haven't done much this week. 
But I think we should probably look to start the next audit. Yes, Justin actually is up next. Maybe you want to speak to that, as well as doing your check-in. Sure, yeah. We did our TSC presentation for in-toto. Because I think of the time frame, there was basically no discussion of what the TSC thought about the assessment itself or the process, which was not the way I was hoping that would go. I hope there will be a broader discussion at some point. And part of what they're supposed to do is there was some grumbling and complaints about how things were picked or who we picked or whatever else. So there are a bunch of people warmed up. But we can either just pick somebody and move ahead or let them bitch at us later. Or we can go and ask them to tell us who they think we should do. And then they can fight amongst themselves for now and then come to us with an answer. I prefer the latter. Do we want to officially go through, I mean, try and get some more time with them to go through the process? Yes. So I think that we'll do both things. So JJ has been trying to actually schedule time with our TOC liaisons at the same time and place, which has been a challenge. And then on the agenda is how do we prioritize security audits, as well as how do we organize ourselves with our TOC liaisons? Because we've been doing it via Slack conversations with Liz and Joe. Because they've been in the loop. We've been checking in, but we haven't had that meeting of the minds. And so I think that that will take some time, maybe as long as it will take to do a security audit. So let's just move forward with what we've been doing, like pick something and go. And then in parallel, we will formalize the process of prioritizing. Does that sound good? I think that's what you were suggesting, Cappos. Just Justin Cappos. Sure. Great. Do you want to do any more about check-in, Justin? 
I mean, the other thing that I would be interested in starting, we've got this issue around writing up the supply chain security document. I'll forget which issue number it is. Let's put that on the agenda for next week. We'll do a discussion. I mean, feel free to keep moving forward on the issue. But I think we want to do the discussion of the supply chain proposal, just so everybody has a chance to hear kind of about it. But I think we have some volunteers and stuff. I mean, I was volunteering. And yeah, we have a few more offerings. So yeah, I think just get started, reach out to Santiago, and then we'll formally discuss it next week at whatever stage you're at. OK. Justin Cappos, did you have any other wrap up check-in? No, I think that's fine. Super. Erin? Yeah, so just in an effort to get started, did a quick PR for changes to the identity and access management section of the landscape doc hoping to try and address folks' concerns about differentiating between systems that support and manage those things versus the embedded libraries that are going to be in every single application. So Robert, from your update, it sounds like there's some more fundamental questions about what the targeted point of the landscape thing is. So I'll probably poke my head into your issue and pull out and see what the right way to move forward with that is. Great. I look forward to reading that. Thanks for scrubbing in, Erin, and to like, I think whoever has some sense of the landscape and how it would be useful if people could look at that PR and issue and chime in. And then we'll make a call in the next week whether it's ready for a discussion or whether we can resolve it offline. But really appreciate folks scrubbing in on that. And the next up is me. I uncharacteristically did very little with GitHub in the last week. And luckily, Brandon chimed in and did some GitHub wrangling and really appreciate everybody scrubbing in and picking up issues. 
What I have been doing is I think it might be cloud native. I'm not sure. I seem to have inherited a C++ client library that I'm trying to bring into the present and doing things like looking at like, oh, upgrading from SSL v2/v3 to TLS. And what do we actually do if it's on an IP camera? What are the security implications of being on a cloud-connected device? So that's something that I'm learning about if anybody just in my non-SIG security world. But if anybody actually knows stuff about security on IoT devices, I would love offline DMs. And maybe we can, I haven't heard that it's a priority for the group. But if we decide that that's a cloud native thing, then we could maybe bring some of that knowledge to the group. Ash? So I chimed in on the logo issue last week. Most of them looked very nice. And I'm also this week I'm working on CFPs for KubeCon San Diego. Yay, what's the deadline? Friday. Friday, everybody should submit talks. Thank you, Ash, for bringing that up and submitting a talk. Michael? Right, so I missed the last couple of ones, trouble and other things. Trying to focus on the microsite now. And I think we need to make a decision at some point in time because we keep going back and forth in terms of should we continue down that route that we initially had with Hugo, whatever, or something else. So I'd like to get that stuff out at some point in time. Even if it's minimum, then we can iterate. But getting it out is my highest priority. Yeah, I would love to have an offline discussion about it if you want to pick a time that we both can make it and our remote colleague whose name I've forgotten. And we can just find a time that three of us can make it. And then we can just put it out to the group if anybody else wants to join in just so that we can have a live conversation focused on that. I'll go back to the rest of the Slack channel and kick it off from there. Super. Thanks, Michael. Lakshmi. OK. Hey. 
So I picked up issue 226, which is new members page. And let me send you all the link in the chat. There it is. So I wrote some things about what new members should do and what the whole group can help them so that they can get familiar with the team sooner and contribute and deliver and learn as well. So that was the whole purpose. And then I added some simple things, like first of all, they're advised to join the Slack group and introduce themselves and then join the meeting, go through the repo, and keep an eye out for the help-wanted labels and issues. And then I also added one new thing. I don't know how you all like it, but since we are just suggesting, I just said every new member could be assigned a buddy, preferably in the same time zone. So these buddies can help the new members get up to speed and identify their areas of interest and assign them to the right peer group. So that was a recommendation. So I personally love that idea, but I think we would need a critical mass of buddies to be willing to kick it off. So I wanted to put a call out that if anybody is interested, would be willing to be a buddy or just is interested in this new member onboarding thing. If you could chime in on the issue, if we have at least four or five buddies across a couple of time zones, then I think we could kick it off that way as long as there aren't any big objections. So we'd love folks to chime in there. Jonathan Meadows. I'm in a really unstable internet connection, so I'm going to keep this brief. I've been doing a lot of work in GitHub, updating the threat and stuff finally, so I can send it to Justin Cormack for a couple of minutes, which I intend to do today. I couldn't hear you. Justin Cormack, can you chime in on what that was about? Or maybe you... Jonathan's going to send me the threat modeling work that he has been doing, I think. I'm hoping. Yes. I'm going to send you some details today, tomorrow. Great. I would love to hear more about that. 
When you're ready to queue that up for a discussion, presentation, whatever format makes sense to you, just DM me or add it to a future meeting. I think that that's something that has come up many times in conversation. Yeah, and now I've updated it in GitHub, so that's when I'm going to send it to Justin Cormack. Great. TK Lala. Yeah, I missed a couple of meetings last meeting, so maybe out of sync a little bit. I was looking at some of the edge security thing. I think I mentioned a few weeks back how that plays a role into this CNCF-based security as well. So I don't have much to report on that one, but it seems like it's quite relevant, no matter how you look at it, whether CNCF does it or there is a separate group called Edge under the Linux Foundation. They do it, but they told me they were not doing it. Great. Maybe we can have a little offline chat about that and figure out where it belongs, because I personally married it. I would be happy to contribute to that because I know a bunch of the people doing stuff. Super. Yeah, that would be great, but I think it's not wise to completely ignore that because Edge is playing a big role, big and big role, and I think in the upcoming days we'll be seeing a lot more. So much of the computing is kind of shifting in different directions as it happens usually in any of the evolving technologies. So I think somewhere we need to have a stake at least. There's also a lot of overlap with non-Edge stuff. So I think that people's priorities are slightly different at the moment. So a lot of the things that the Edge people are interested in will become more mainstream in the future, I think. So yeah, so let's take a break out and try to figure out a good, concise summary of that and whether even the three of us are aligned and then we can kind of figure out whether we're going to propose it as a CNCF security thing or whether it belongs somewhere else. 
So I think we're going to take a break and Justin Cormack also with the TOC and our TOC liaisons and kind of figure out where it lives. Great, thanks TK for spearheading that. Peter Benjamin. Is Peter on mute? Peter's muted. Give you another minute to see if you can unmute. We'll come back to Peter. Emily Fox. So we are supposed to be having a walkthrough on unconference shortly. We've got, we're kind of at a decision point and I updated the ticket, which was in last week's meeting notes regarding where we stand with the SIG Security Day. It's the issue 209 and the follow up comment. So after we get the discussion about unconference going, if anybody has a preference when we are another formal or informal, please go ahead and comment in the ticket. It will at least give us a better idea of what the community is looking to have. It's all I have for right now. Great, thanks Emily. Christian Kemper. Can you, can you guys hear me? I'm on a phone. It feels like the 90s. So the, there's not a lot of stuff to report from me, but I guess we will go over issue 165 later. So I can, I can talk about that. Great. Carlos, Carlos. It has internet issues. We'll skip Carlos. John Manerick. All right. I'm going to skip the people with difficult audio. Feel free to add notes about your check-in. We have somebody arriving at 10:30. Kaliya Young, who is an experienced facilitator in open space. So from 10:30 to 11, we'll have her talk about open space and questions from the group. And then anybody's welcome to stay but not obliged to from 11 to 11:30. We'll have the subgroup working on SIG Security Day, kind of figure out, like talk more about that format and come up with something. So understand that not everybody had allocated that time, but feel free to stay on if you want or drop off at 11. So, so in the next 10 minutes, I'd love to, if Christian, you're willing to do this without visuals. 
I can bring up this issue and I think it's a, we can have a relatively short discussion, but this has been kind of in the queue for a while and would love to, for you to just kick it off and talk a little bit about this concept. Yeah. Let me give you a little bit of background. So I work for Google for the people that don't know me on the identity and access management team. And at Google we have a lot of internal projects that use the Google Cloud, not surprising. And they have very strong needs in terms of combining various security policies in a good way. And we hear that from some of our customers as well. So if you are in a highly regulated industry, the idea that you need to combine multiple policies to have a desired effect is something that these teams are struggling with. And when we started thinking about that, there is really this notion of the platform team. So whenever a large customer like a bank or a healthcare company starts to engage with a cloud provider, they need to inspect what policy options the cloud provider gives them and then they need to decide how they can combine these policy options in a way that makes it possible for them to let their administrators that administer the cloud resources in a way that is, you know, compliant with whatever compliance registered in there are under. And so I was wondering if that is maybe another persona that we should pay attention to because that's kind of the platform implementer. And that is really a little bit different from the typical administrators that we talked about in the personas that we have so far, right? These are all administrators of a particular type of policy, but what these platform implementers really have to do is they need to have a kind of holistic view of the existing policies and think about how to combine them. So typically you need to have some notion of there needs to be a networking boundary that needs to be established. 
You want to somehow make sure that people don't expose services they implement accidentally to the internet without going through some form of a firewall, right? So services that get exposed to the internet need to be reviewed typically. There is a notion of making sure that if you have access policies, that you don't accidentally put somebody from the organization into the access policy. So what are the controls for that? And various things like that. And I think when I spoke about this a couple of weeks ago, there was somebody else that said that they are basically a platform implementer. And I believe we probably have other platform implementers on the call. So I want to open it up for discussion. So what are the expectations of the platform implementers? Is that something that is worthwhile to look at? If I could ask a question, what you're describing around, especially sort of policies and control, I would have thought would be more likely the responsibility of a security or audit persona rather than the implementer persona. Maybe both are shared. Are these different already? I think they are different. So what we have seen is that these platform implementers basically implement business logic, so to speak, on top of the existing cloud provider's policies so that the developers inside the organization are more constrained than what the cloud provider offers. And I suspect that these business logic then gets reviewed by a security reviewer. So the security reviewer works in collaboration with these platform implementers to make sure that you cannot violate the security policies of an organization. So do we have any platform implementers on the call by any chance? That was my last job. I was actually both a mentor and security. So what are the challenges? How could we as security C&C have raised awareness of this issue? So there are sort of two or three versions of this. 
And I guess to speak to not Google, but if what we're looking for is something like what AWS put out in terms of the security adoption framework, where they say, here's the core things you need to know about logging. Here are the core things you need to know about network configuration. So that's like one approach. Another thought would be to structure it by the most common really drop-dead, must-do onboarding things in sort of a checklist format like CIS initial checks. So there's a couple of those. What would tend to happen is the security team would say, here are the top things we're worried about. And then platform would sort of have to figure out how to implement them. But then security needed a checklist to verify against. So those are the, you kind of need, it kind of ends up being used by both players, a best practice checklist guide. So I'll just speak as a participant here. I've been involved in like SaaS, creating tools that are designed as a SaaS API. And that sometimes you end up with situations where if it's on top of a platform, a public cloud platform, then sometimes you don't have the controls. You can implement anything you want, but you can't give those controls to your customer. So that's the thing that I see sometimes the, you know, like if you're using somebody else's APIs, right? How do you then like delegate, like make it so that you can call an API that does this on behalf of your customer? Yeah, exactly. So we sometimes think of these as, you basically becoming an internal SaaS provider, right? So these platform implementers implement the SaaS platform for their employer, right, their organization. Often this comes down to implementing secure defaults into the platform and the services. And that's something that we ended up doing before and effectively sending that out to the rest of the group. So it's not so much coding. 
It's just utilizing the same API we get from Amazon and just implementing base level of security for other application developers to use. Yeah, secure defaults is certainly one aspect of it, but it's also sometimes that you need to make sure, I guess secure defaults addresses that mostly. So I don't think you need to make sure that multiple policies don't interact in a surprising way. Sometimes you may have the expectation that something is secure, but there's some other policy that is not set up correctly, but secure defaults would address that as well. Right, or something like, there's always workarounds. You can always write code that does this, but I think the platform will have the generate and access key that you have to do in the UI or on the commit. Like some way that you have to do with your superpowers, right? And it's then if you want to provide a key to your customer, you have to be like, oh, now I have to build a whole subsystem that is exactly what the underlying platform has, except that I can't build a multi-tenant API on top of their thing. So that's where you can say it's like, it's a need, right? But of course you can serve your own needs, just compute and storage under the hood after all, right? But those are some of those things where like, well, you know, it's sort of like, well, you can do anything as long as every customer gets its own instance of Kubernetes. Like, maybe you don't want to do that. So that's been my experience where sometimes you have to, it feels like you have to like build a whole system on top of a system that ought to be providing that because you want to delegate part of it. Exactly. And so what are the aspects in the underlying system? Not even the cloud provider, obviously, we don't have control over that, but in the CNCF, we could help make that easier, right? 
So there are some knobs missing to allow you to expose something so that you basically have to reinvent the wheel that is already perfectly working in the CNCF context. So how can we educate the CNCF to make that easier? So is there anybody else who hasn't spoken, who has experience as somebody with this need? I have built APIs that run in Kubernetes and Google Cloud in general. And usually when I build an API and give it out to users who consume it, the only thing I give them is a service account to access to IAP permissions. So I was wondering if there are any minimal things or minimal permissions people would need to consume those APIs or services, maybe you can note them down and start from there. Yeah, I think that's a great idea. Christian, would you be willing to take the notes in this discussion and write some user stories on the issue and then we can keep moving forward offline? Sure, I can try that. Regarding services, I think the problem that we have there is that Istio is not part of CNCF. Istio really introduces the service concept, right? But the Kubernetes service concept is somewhat weak. It's basically a load-balanced endpoint. Whereas Istio has the idea that you have an endpoint that you can impose policy on with Envoy, which I believe Envoy is CNCF, is it? Yes, well, so it's a CNCF project and I think that what we want to do is look at what Envoy is doing in Kubernetes and Istio and Linkerd or whatever. And Linkerd is also a CNCF project which has that kind of, probably is addressing this kind of a need. And I think up-level a bit and be like, as cloud-native security, what are the things that are the, what's the use case that is implemented by some of these things? Or maybe he is missing and everybody's, you know, a lot of the things in the security space where we're finding a lot of the projects are replacing something that everybody is just writing custom code and scripts to do, right? 
And so that's kind of this exciting, emerging cloud-native security is that we're actually starting to have some common tooling and services that address needs so that everybody doesn't have to build their own specialist network. Does that make sense? Yes, yes. Let me take a step at that. Super. Thank you. So now, Kaliya is joining us. I don't know if she's arrived yet. But before, while we wait for her to arrive, are there any announcements for the group or upcoming events that people should be aware of? I just want to give everybody a chance to chime in. There was some discussion on the Slack channel that some people are coming to OSCON next week and might want to meet up. Someone should probably open an issue. Yeah, actually, if we can add a going to OSCON, what we usually do is put a thing in the notes so that if anybody's on the call, you can chime in in the notes of the chat and so people can know each other. If we have at least a few people, then usually we put up an issue and somebody volunteers to create a meeting space. And anybody else going to OSCON? I am. And I think Lorenzo said that he was as well. Cool. So you can wait to see if we have more people or you can decide that you're both going to meet up with someone. I don't know who that was on the phone. Who was the OSCON person on the phone? It was me, Emily. Great. So now I just know who you are so that if I hear OSCON, I can point people in your direction. No worries. Super. Any other announcements? Upcoming things? I'm just checking the questions. I'm just checking the I just heard from Kaliya that she's on her way. I will give a little bit of an introduction to this. I'm here. You're here. Yay. I will give then a part of the introduction. You can give the rest of the introduction. 
So I know Kaliya because I attended this conference called She's Geeky that she used to do ages ago because there were apparently fewer of us, but actually there were a lot of us of a non-male gender doing internet stuff ages ago. And that was a fab conference that maybe still goes on. But because of that conference, which is also an unconference, I learned about the Internet Identity Workshop, which I go to almost every year. Which Kaliya invited me to many, many years ago when I was like, I don't think I have anything to do with Internet Identity. And then it turns out that actually it's a need I have and many of my developers have always had. So it sort of overlaps a little bit with Security Space and the SIG Security Day folks. We had a side meeting where they were experienced with the like DockerCon hallway track kind of unconference thing that was going on there and some open space things that I hadn't experienced. And so I'm inviting Kaliya to talk about how the kind of conference style Internet Identity Workshop Foo Camp kind of thing that I've experienced, but probably couldn't explain as well as she could. And so she said she'd be willing to come tell us about how that works. And then we can we'll talk about what we're going to do of all the options. Thank you, Kaliya. Please finish your introduction a little bit and then you can dive in and I will stop sharing our agenda. Upsweet, you are not on audio. You need to unmute. Sorry. All the buttons. Like Sarah said, I've been I've been designing and facilitating interactive events for professional technical communities for 15 years. I I run, like she said, the Internet Identity Workshop. So I'm also a subject matter expert in that field and like in September I'm going to go speak to the World Bankers about all the identity stuff. But I also have throughout that time worked with other technical leaders who are like, your conferences are cool. Help us do one for our nerdy topic of choice. 
And so this is me explaining sort of what that what what I do and what unconferences are and and then we can talk more about what you guys are thinking about, too. So here is like this grid of a typical conference, right? Like we've preplanned everything. We know where it's all going to happen. And you end up with this dynamic where you have like the boring panel and the hallway refugees and like we're out of here and then you have the cocktail party. Woo! And so we end up with this like sort of in these two extremes and I like to talk about unconference methods as being more more less organized than talking heads on a panel and more organized than a cocktail party. It's a whole range of methods for supporting interactions between people that fits in between these two extremes and therefore has some benefits to a sort of richness and aliveness that events can use. So the method I use most and I'll walk through is open space technology, but there's many there's other things as well. So with open space technology you have an open and a closing circle. This is a circle from the Internet Identity Workshop that I lead and in the middle you have agenda creation tools. And these are blank pieces of paper and markers, and what folks do is they come into the middle and they're invited to name topics that they would like to share a presentation about, a burning topic that they want to discuss with peers, a problem that they're trying to solve. And it's very open what people are invited to put forward, and whoever calls this session is this session like host, and they are the ones who are naming it and they get to decide where it goes on the agenda. 
The other thing that happens when we're in a circle is the kind of rules of engagement for the day are outlined, and these are: whoever comes are the right people; whatever happens is the only thing that could have; whenever it starts is the right time; and whenever it's over, it's over. And part of this is to support people culturally breaking out of the default norms in meetings where you stay if you're bored, and you don't want that in an open space because it brings the energy in the sessions and rooms. You want people who want to be there, basically. And then, well, the other thing is this looseness. It's not so much looseness on time, like there is a time and space orientation, but you also want to help people go with the flow in terms of not it's different. And this is the other thing that happens when you have two feet motion and responsibility: if you're not learning or contributing, it's your responsibility to respectfully get up and find somewhere that you will. This is also what I was talking about, the energy thing about people not getting stuck. And the butterfly and the bumblebee represents people moving between sessions and I'm not feeling like they have to go to the space to get it on the wall, but they're still sitting down, so all of the men need to listen to each other instead of running at the wall to get it on the wall. 
Once everybody has announced their sessions, they get placed on the wall in a time and space. So this user-managed access one is in space I from 12-1, and that room has a projector. This is what the wall is like as people are kind of creating it, and then this is without people in front of it, and the thing that is here. So then breakout sessions happen, so each one of those sessions is in a time and a place, and people go off and do their thing. These are happy white boards from the session. So open space technology is to support documentation, so it's like a system for getting folks to document what happened at the sessions, and those are then compiled into a book of proceedings that then supports knowledge and sharing and people being able to convince their boss next time that they should go to the cool conference. More happy people nerding out doing sessions. Happens in outcomes: problems get explored, relationships are built, problems can be explored to the depth they need. So one of the things that can happen is you can part one and part two on the wall and keep going if you need to, because there is this flexibility of time and space. It's not over until it's over, right? Unlikely convergences occur, creativity is unleashed. Here's some other methods that I often work use with clients. This is the spectrogram, where you're inviting people to array themselves on a spectrum and you interview them like Oprah about why they have their opinions about certain things. There's a fishbowl, sometimes I call that an unpanel. A key feature of the Internet Identity Workshop and the events that I like to work with clients is that people eat together. It really is a fundamental human thing and it's good to support. Community maps are something that I often, when I work with clients, support them making. Here's one that I got my Internet Identity Workshop to make in an hour. It's got 400 post-its on it from 250 organizations that they participate in. And then speed geeking is another format that allows 
that's really great in technical communities for, like, demos. There's sort of like five minute demos done at distributed tables around a room, repeated over an hour, so that people go to different stations to see the demos that they want. Eating together again. Here's the closing circle from She's Geeky, like Sarah mentioned, another one from IIW. So this is the closing part of the day, and we like to, a good practice that we do is to give gifts to, it's like open, we call it open source gifting. It's like the gifts are in the middle and people stand up and and honor people who did good things in the community or at the event itself. So this is a way to sort of think about the orientation of an unconference day: you have like registration and breakfast, you converge together in the opening, you diverge for however many number of breakout sections you have, and then you come together again in a closing circle. This is just a little bit more, not quite theoretical, it's how I think about the facilitation practice. So if it's the shape of the, the shape of the energy of the people that were gathering together in the event is a torus, that typical when you have a speaker at the front of the room or you have one facilitator and you're holding the space for the energy in the center and everything's going through the person in the middle holding that space. And for an unconference, what you're doing is you're holding the space for what's going to happen at the edge, so that it's supporting more self-organizing. Like there's the wall and there's the opening and the closing, but within it people are more creative. Everything isn't having to go through that, like, central bottleneck of control. So, and then these are two cards from the group work stack, which is this pattern language for meetings that are really alive, and sort of at the core of these methods are hosting and holding space. So, so that's sort of like open space plus some other unconference methods, and when I work with clients I typically 
work with them to support them. They know who they are as an organization and they know what they want to do, but what are the goals that they have for the day? And then I typically work with them to support a good design for the day and potentially facilitate the deadline for the day, because open space is really easy if you follow the instructions, but some people want to do extra and more things, and fitting it all together in a way that really has a high probability of success, that is easier when you've done it 200 times. I'm happy to talk through anything I shared or understand more about what you guys are doing. We have 10 more minutes left for the bigger group and then we'll have a half an hour for our small event organizing group. So I want to open this up to, especially for people who have not experienced this, there are no dumb questions. If you have a question, probably somebody else is like, I don't want to ask this thing. Just ask some questions about how does this work. So I guess it's only for face-to-face, is that right? Or is there a virtual version of this? So there are people who've developed open space technology, the software version, and I've actually seen some people do this, experiment with maybe trying to do it with Zoom, but yes, the practices that I put forward in the unconferences are generally about the face-to-face. Yeah. Other questions? Maybe a dumb question here, as you said: why is it called unconference? There are a lot of people, they are going to be obviously in this group, and why is it an unconference? You call what you do whatever you want. I have no attachment to the name. The term arose because people were organizing these events that were face-to-face but didn't have pre-programmed sessions, like pre-programmed like who's talking about where, what, in what room. So these break out of that mold because they're less organized than that. They're supporting participant-driven, attendee-driven content created live the day that it happens. So does
that mean no preparation needed and no real pre-objective was determined? So that's a different question. So yes, super good question. So it's really, and I missed this in what I was presenting, so it's really glad it's coming up now, which is it's really good to define why you're getting together. The name of the day and the invitation about what you hope to cover is a really important thing to do, because that's what's going to get the right people there. So that's something that definitely is, because no one's going to come if they don't know what you're going to talk about, right? Instead of selling it as we know who's going to talk about what in which rooms, you sell it as here's what we've identified as a set of issues that we're all exploring together, and we're not really sure what the right answers are yet. I think one of the cool things about these methods is they really support those on the cutting edge of an industry being in a peer-to-peer learning environment, because they're all experts in some piece of it and they're trying to learn it from each other, right at the edge of whatever industry that they're in, and this supports that happening really well. So the other thing that we do for the Internet Identity Workshop is when people register to attend, we ask them what they want to present about, what they want to learn about, and what questions that they had, and we put those up and we say, these are what people answered when they registered. They may or may not happen, but at least you're seeing what people say they want to talk about, so it'll give you a sense whether some of those things resonate with you, and if they do, you could come to, and you'll find the people who want to talk about them here, because these are things they named when they registered. And so sometimes there's like, I've been to some where there's like themes that are prepared ahead of time. Like, what's your experience with how much framing, you know, and like how, like, tightly and loosely that is? So I think theme,
so I think that in, I think that, I mean, okay, you can name themes in your creation of an invitation. I think with under a thousand people there's no need to do more different, like the sort of the max number of people you can use this for. Anyways, I've thought about how you could have many unconferences inside 2000-person conferences, and then you're sort of like being like, hey, all the people want to talk about X, show up in this room at this time and we'll do this unconference thing for three hours. But that's different, and I definitely would not have, like, rooms that have themes. I mean, one of the things that's important about open space is that you have as much room, there is no voting things off the island either. So when people name a thing, you let them have a meeting. There isn't like, oh, only two people want that so you can't have a, you make rooms that aren't exactly rooms. So you name spaces and hallways, and you take your lunch room and you make tables spaces, so you work on having really expansive space, not just the three formal rooms, right? It's like the three formal rooms and the lunch room and like those little nooks over there, they're all potential meeting spaces. And you, the whoever comes are the right people is like, those three people who want to talk about X, you're going to have the most amazing conversation that they could have that day, and that's great, because they may be so early that they're like, two years later that's like taking up everybody's time, but they saw it first and they had the space to connect and, you know, do their things. So I hope that answers the question about, well, that's super helpful for me. Other questions that people have before we break as a bigger group and break into the smaller group? And I just want to say that I do like the open spaces format and an unconference format, and I think it, given the KubeCon sometimes feels like a very structured thing in terms of the talks, and I think I would be in favour of having that kind
of thing for a free event, because I think it would give it a more sort of easy for people to get involved with format, in a way that the KubeCon feels quite exclusive sometimes, in terms of people not being able to get talks accepted and things like that, and it being quite hard to find ways to talk to people sometimes. And if you don't know how to do that, I would be happy to share that with you. If you have any other comments, or if you are not, if you don't have time to be part of this security day sub team, please chime in. I just wanted to say, my first, I was a little bit apprehensive. I had to organise a large conference and my co-organisers suggested, but it worked surprisingly well. It worked so well because we have all been to a conference where really the most important thing that we went to was the hallway track, and this is basically a whole session that is a well-organised hallway track, and it works really well. I just wanted, so for people that are a bit apprehensive if this works, I just want to let them know that yes, it does. All right, so we will break our security meeting, and thanks everybody for participating in your questions. Feel free to add questions in the notes if you have after questions. I think it will be, we are going to have kind of a discussion today about what is the conference format and what would it be if we did that, and then we are going to circle around and be like, what are we actually going to do, as a follow-on. So there will be a little time to chime in. If you have some thoughts today, feel free to shout out on Slack. All right, so if you are not inclined to stay for the next half hour, thank you for coming and we will see you next week, and Kaliya and our subgroup will stay on. Thank you. Emily, so should we just take notes, Emily, in the Google doc for now and then copy them into the issue? I think that is fine. Or I can just pull up the issue and just write the notes as we go, if you want to screen share the issue like you did last time, that would be
fab. Although in the Google doc we can all help take notes, which means that we can, I will just do it in the Google doc. Super, and then I can screen share that. So Emily, would you volunteer to kick off? You can just say who is represented here, or like who is in our little sub team, who is our organizing team, while I screen share the notes. So it's myself, Emily Fox, JJ, and Michael Ducy, who is currently out on vacation, and give me a sec, I got to pull up the other people. Amy as well, and Emily Ruff, Jennifer. Okay, so Amy, do you want to just go ahead? I was going to say, like, one of you mention what kind of roles we have on our organizing team so that Kaliya knows kind of the people, the type of people we have kind of put this together. Yeah, so I'm Amy Scaverda, I am the program manager over at CNCF, and I will be joined by Emily Ruff, who is our events person, so consider a staff. We also have Jessica, Jennifer, Jennifer, who is also experienced with organizing events, from Cystic. So we have like Emily, me, JJ, Emily, JJ, Michael, who are more technologists. We're going to be talking about, like, what is the content that we want to have happen, right? And then we have some, a wealth of awesome experts who are going to help, like, make the thing happen with the logistics and all of those important things. Cool. So Emily, I'm going to pass it to you to, like, think about, actually where's our issue? Yeah, I'm trying to find it. Yeah, I wanted to kind of kick off our goals because we have it somewhere. I'm good. 209. 209, yeah, that's the second number. Okay, I'm just going to click this and then edit 20. So the whole, like the whole point of us doing the security day is to allow a space for people in the cloud native security community to get together and to discuss problems, potentially work on resolving some of them, and really kind of increase awareness about security and cloud native, because it's still very young. Cloud native is still pretty young, but security is even younger, because we're always playing catch up. So
the whole point of the day is to get everybody together and allow them the opportunity to have conversations that are vendor agnostic, platform agnostic, and very much the open source and cloud native space, because right now there's a lot of vendor security days and they usually end up being tutorials about a vendor product, about how to secure cloud native compute, and that's, there's more to security in the cloud native landscape than just vendor products. There's other problems: there's data management problems, there's user identity problems, it's pretty extensive. So we had talked originally about doing a more formal forum for that, but we're not sure. Michael and I have had success individually in the past engaging in hallway tracks or other open space like conversations with people about security. That's how Netflix got feedback to do the bug bounty program for container isolation and containers; it was actually from a hallway track open space opportunity that they engaged in, and we want to allow that kind of innovation and those conversations to occur. So where we're at right now is, if we do formal, the whole thing should kind of be formal, and we're running out of time to do a call for proposals. If we do informal, whole thing should be informal. How do we best manage that, given like very specific security related, we obviously need to correctly craft the invite and get that sent out. That's kind of where we're at. Yeah, yeah, and I think that there was still, like, even if we do the informal thing, that maybe we do an invited kickoff presentation or panel. I think that idea is still floating around, right? Like, should we have some kind of anchor draw, or is that going to just mess everything up? Okay, so I think that, so I am not, so when I, this is great to have. Okay, the goals for the day, can you scroll up a little bit? No, and the get have one, yeah, there, right. So this is, you already got, like, this is really fantastic, right? Like this is the goal you have, is to bring together the
communities that, like, these are all, and you've got potential topics, right, and you have even like impact. This is fantastic. So I would say that it would be good to move towards using open space technology to support those conversations. So I often, like, when I also will put different things at the beginning or the end or the middle, depending on what the goals and needs are, right? And I think that that's where, this is where we're at with this conversation, and I feel like I don't quite understand enough, but, um, yeah. So maybe one way that you can provide anchoring for people is to sell who signed up to go already, right? So this is, it's mapping into the who's going to speak question that people have, and you go, these people are participating, they're coming, and they're probably going to say interesting things, because you know them from blah blah blah blah blah blah, but you're going to find out when and where they're going to say anything at opening circles, so you better be there, right? Like that's how you, you should take that kind of thing, that the signaling people are looking for, you signal in a similar way, but you go, but the agenda gets created live. So that's where, that's how this is different. Um, and I think, um, you know, I don't know enough about, you've been to speed geeking, Sarah, I don't know, like, would it make sense to do that in this context, watching something in the middle of the day, but I don't understand. Well, I think the challenge is, right, that there's definitely a large number of people in this security thing who have been to conferences, or at least the hallway track at DockerCon, who are like, oh my god, I'm so excited about that thing, right? And then, um, KubeCon, which I don't think you've been to, is very high production value, orchestrated, it's giant, right? Like, you don't even, it's hard to even find somebody else. Like, I've been like, oh, you are at KubeCon? I had no idea, because there's thousands of people, and
so it's incredibly orchestrated, and there's like, you know, everything is like fancy, and like, so people who have signed up, so this is the idea, is that they have these days before KubeCon, right? Yeah. Tend to be vendor-driven things, although there's like some exceptions, because like all the Kubernetes committers can get together in one place, and I don't even know what they do because I haven't, I'm not a Kubernetes, but like, so I think the question I have is, like, how would you prime the people who are coming expecting for this highly orchestrated thing, right? They know that that's what they're going to get on Tuesday through Thursday, right? Yes. And they either have a need for internet security, right, for, yeah, or they're like a security expert, right, and they're like, hey, this is for me, I'd like to do this thing on Monday, but they've never experienced an unconference, right? How do you prime them? So like, they might just sign up and be like, I don't know what this thing is but I can come on Monday, or they might just be like, I don't know whether I want to come to this, like, touchy-feely hippie-dippy thing. But you don't, I mean, you can call it whatever you want. That doesn't sound hippie-dippy. I think the description you have already works. I have a bunch of language on my site that I work with clients, like often I get clients to write up how they think they should describe open space to their audience, and then I make sure that they don't say inaccurate things. Um, well, I guess the thing that I, like, thinking of some of the people who asked me questions offline, yeah, they might be like, well, I'm not sure what I have to discuss, so I'm not sure I will come, right? Right. Like, to have them realize that it's okay to just show up, even if this is not BarCamp, right? So part of my, why I call them un-, I have a blog on unconference.net, and you know, one of the issues that we have had is that the folks who made BarCamp copied it from, who copied it from open
space technology and then left out critical design elements, and then forgot to attribute what they did back to the source, so people could Google, find the source, and decide whether they've made a good copy. So we had a bit of telephone happen in the community. So I think one of the things is to emphasize the opening. Well, I mean, it's hard because it's a Monday, so you want to emphasize the opening, but not to the extent that people whose flights arrive at 10 a.m. feel they can't go. Like, yes, show up, you can still stick your thing on the agenda at noon, it's fine. Um, but you want to, um, and you want to emphasize the invitation. You want to get people who you know, who are known, to say, yes, I'm going, and even to have a list of the topics. Like, you guys, this is already a great list of topics, and I mean, the IIW list is so long. Um, but it's a learning too, like this question of what do you want to learn is put forward. So I think you frame it as like creative and interactive, and like one of your people before said, is the structured hallway, like it's a really well-organized hallway track. That's like really good, because they are not lost, because people have these signaling mechanisms in with the wall of saying what they want to talk about and when and where, so you can find each other, as opposed to being lost in the hallway and hoping it randomly happens. So basically, definitely, like one of the successes that we had with the Docker hallway tracks is that they had two to three coordinators actively working to organize where people meet at a specific time. Like, they, everybody at, like, let's say one o'clock, all showed up at one meeting point, the coordinator said, this space is free, go here, and like had that written down, like this discussion is happening over at this space, and made that available for anybody else that wanted to show up and have that conversation. Okay, cool. This, other than the opening facilitator, there is no coordinating needed by anybody. It's a lot, okay,
it's a low, it's very low. Like the what, like I was saying, like you're holding the space at the edge so people go do what they need to in the middle, and they're the ones who are empowered to, like with open space you can add a new session to the wall, right? And they're also, hopefully you can be in a space where there's like space flexibility, you can accordion it out, so either that's like a really large room that can be divided into lots of, like, into subspace, like with tables and stuff, or you do have breakout rooms, which I recommend, but like the whole thing isn't just breakout rooms. One, that leads into one question, which is, Emily Ruff was doing some research on the space, so there, it may be that we are limited to a classroom setting, large room. How many people do you think are coming? 50 to 100 is our guess, right? So we're going to, like, I think so, yeah. So we were thinking of like picking 100 limit, basically based on that, like probably the number of people who come to these meetings is around 50, and then we usually have like lots of people who like might just come, right, who are part of our regular, right, calls and stuff. So the question is, so Emily Ruff is trying to find out whether we can actually have more of a flexible space, right? Could we have round tables, could we have like additional side rooms, and what are the options? But what is sort of the pre-format is this: you can't do anything other than classroom seating, probably use wall space. So I'm going to try to figure out some things to create side spaces, but that seems pretty limiting to me, and so I wanted to just ask you what you could do. The trouble with open space is you need more space per person than you have in a classroom style, right? You need enough space to put all your people in. I mean, I have done open spaces where you have to, you know, there is an auditorium and that's the only place, everybody is fine, you figure out. But so another, this, I'm reading these notes in this, a kickoff versus not, I think that there's
trade-offs in that. I think if you have a charismatic person speak at the beginning, it also ends up like skewing everything, and then people orient to the speaker and not necessarily to what they want. And I think with what you're talking about, with this type of community, my inclination is to just go into creating the agenda with the people who are there. Another thing that I do, so IIW opens up with like kind of icebreakers for an hour. Mind you, we're running a three-day event using this, so like an hour of talking at the beginning isn't cutting into our time together, because we're there for three days. Um, but you could think of, I mean, it could be that for the first half an hour we do some collaborative exercise that gets everybody talking and mapping problems, or I, you know, I don't know enough yet, but that you could do something where you do something together, then you do open space, and because you've seeded the field of the open space with whatever the thing was you did for half an hour together. Um, yeah, I've also seen like spectrographs work well for that. Like, you know, when I was a Presidential Innovation Fellow, we got together with all the agency people and we, like, they would ask a provocative question, right, then everybody would be like, you know, like, I mean, everything from silly, like, you know, Android, to like serious ones, like, do you think technology can even help the government? Like, fascinating. And then you'd ask people on the ends to kind of talk about why they gave those answers, right? And so that's totally, um, one of the formats in the, in the conference toolbox. Um, Amy, do you have, um, questions we should be thinking about? Well, we think about the format, like in regard to KubeCon and like stuff we'll have to prepare. And no, nothing comes to mind. I mean, realistically, uh, I think just being able to get the room set up effectively for, um, open spaces, but that's easy to do. Um, you get one room, that's part of how this is working, because that's the space that we have. So don't
try to be able to make like big shouty things, is my only kind of real request, but nothing really comes to mind. Although Emily said that we might be able to, like, leak out into the hallway outside the room, or, exactly. Um, I wouldn't necessarily plan on being able to have, like, you know, uh, like dividers in the space, that sort of thing, right? Yeah. But yeah, we'll be able to have table, like dividing up tables and chairs. Breakout rooms is probably not going to be something to pursue. Except that we were, I don't know if we, I haven't caught up on the Slack channel, but like if, like, one of the vendors that has a, um, those like lounge areas, were willing to participate. I don't believe the lounge areas are going to be built at that point, so, um, I'm kind of trying to steer away from being able to plan for that. Um, again, Monday is always a day where, like, things are getting built out, it's crazy. Um, so how big is the room that you have? I'm not sure on that one. Um, so I think the options were 50, 100, or 200, right, classroom style. Like that's the limit for the big one, the 200 person, to have 100 people, yeah, and that's sort of pushing it, but yeah, you can do it. Well, I mean, we could also just say it's only 60 people, like, we can limit the number of people if we need to. Yeah, yeah. So we can, you know, like if we can't get the 200 person room, we can say 100 person room but will only allow 60 attendees or something, or 50 attend, yeah. I mean, I would push for the biggest room you can get. Um, and the other thing is to, you know, don't put tables in it, put, just have chairs, so you put the number of people you have in the circle, and then you would have, um, like breakout spaces in like corners, kind of, and then you would have like, sort of, you would label the breakout spaces around the edge of the room, so you just have different spaces around the edge of the room. Noise is going to end up being an issue, but you just live with it if the conversations are worth it, right? Yeah. So we'll have to, we'll
follow up with Emily Roth about the flexibility of the space arranging and, you know, what kind of divide. If you can have, I mean, if you can have a 200 person room next to 100 person room, you do the opening in a 200 person room and you have, you put the agenda in the hallway in between the two rooms, and then you have breakouts in each of the rooms. That would be, if you could swing that, really good. Yeah, that's actually an idea. Amy, whether that is, probably not possible. We are already oversubscribed as far as rooms. Like, I wish I had better answers, except that everybody wants to be able to do things on this day. Yeah. I can't wait until it sucks the unconference into the actual event, because you know what, people really want to have their meetings, they, yeah, anyway. How big is KubeCon? Our last one in Barcelona was roughly 8,000. Okay. So another conversation for next year is Kaliya's plan how to do unconferences inside giant conferences. So we'll have to see whether this goes and whether the, we have no control, maybe might, but we don't, I don't even have any control over any of that, but I'm happy to take it further up. So we're doing a little tiny experiment. A tiny experiment, that's good. We have a little community, you know. Where is this happening? San Diego. When?
November. You have so much time, you're going to do so great. So Emily, do you have more questions or things we should talk about, questions on Kaliya's expertise on format trade-offs? So I think the other questions that I have is, some of the stuff that we had talked about in the group was potentially having moderator in some of the larger conversations. There are topics that get a lot of attention. If for whatever reason, I don't know, somebody pulls, decides to do a discussion or get an engagement on insiders, insider threat and organizations with access to your full cloud project, for instance, if you're in Azure and you've got a system admin, what are you doing to make sure that your system admin, or that can commit code to your production environment, whatever, how do you make sure that they have the least blast radius? Say that's one of the topics that are proposed, and there's a ton of people that are interested in it and it's a popular topic. We had potentially tossed around the idea of having a moderator to ensure that the conversations, one, aren't overtaken by a vendor, two, that they're staying on track and having that conversation, and potentially taking notes for, like, things that were discussed, other items that were potentially brought up, because the SIG security group would like to be able to provide some of that content back out to the community in a cognitive fashion. Like, they're coming to us looking for cognitive security guidance. Being able to record some of these conversations, or some of the notes from the conversations, would be great, just as helpful information or references for anybody in scope. This is all part of how do you do documentation set of questions. If documentation is really important, you need to set up a really robust process for that. You need to remind session, you need to have basically a notes coordinator, you need to have, pick, define a method that will work well, publicize it well, push people during the event to do it, and then take that and like bundle it
all up into like a PDF, if for no other reason than people can show it to their boss and go, this is what I did, right? Yeah. So that's one piece of it, and that's like a whole sort of like little system within the event that you need to create. The other piece, about moderators: so if you knew that you wanted to host a session and you didn't want to be the moderator, then you could invite one of your friends or someone else to do it. The thing is that open space is really self-regulating, in the sense that, like, okay, so people might name a conversation topic like insider threats, and you might have three or four different versions of, or two or three different versions of that on the wall. You don't go, there is no convergent process. Like, I've seen this happen at some badly designed conferences where they're like, no, these things are the same, let's jam them together, and then, you know, like a super big session with too many people, like people are frustrated because the topic that they put forward was slightly different than this other topic, right? And that you're, so that I would, it's like you have a documentation process, you support it happening. If you really feel like there's people who want to call topics but don't want to be their facilitators, you maybe look, you know, like Sarah, you have a little group of people who's like, if you want to facilitate a person, I'll help you, right? Like, but your community is pretty, I mean, my sense, that's sort of like you could do that, but I wouldn't worry about that. I think it's like the person who's calling the conversation is the decider of what they meant by the thing on the wall, and the session can go the direction it's going, and if people don't like it and they want to have their own version of the conversation, they put it on the wall, they do it. Does it make sense? Yeah. You're also documenting it all, so you could see at the end of the day all these three different sessions, three different directions, but we have all the notes. So, so
last question that I kind of have on it, and I know we're running out of time, was, I had brought up previously about, in a different call, that some sessions that I've been to have operated under Chatham House Rule. Is that something that should always happen at an unconference, or is that something that, like, is recommended, or is there a different way of doing it? It's really, it's culturally dependent. I mean, if you guys want to put that on the wall and say you're not tweeting who said what because we want to have a safe space, fine, but I, it's really just, it's totally a choice that could be made really reasonably, but it's not, I mean, I think that we wanted to, there was some interest in creating a space of, like, I'm going to tell you about this hack that I experienced at my company, right, where you don't necessarily want that documented. Like, people would have to have that pre-approved to, like, I'm going to share how my company was attacked, right? So, but I think that everything is to make it so that people are given permission to say their own rules of sharing, right? Like, so like, I'm going to tell you about what happened sessions, like the person convening it says, I'm only sharing this with you, we're writing two sentences in the notes, and, or, I'm checking 100% before the notes go somewhere the public, that strips out my identity and any identifying information of the company. Like, these are all things to think through, and they're totally doable because it's a really flexible format, but you can think about what you need to do to support people safely sharing the things they want to share. I like that idea, to like kind of like give people templates for, like, if you want to have this kind of a session you can declare such, and that kind of gives permission, but then maybe the default is everybody take notes and can tweet, like, or whatever. We can set some ground rules. Yeah, I think that's all the questions I had. We'll need to obviously update the ticket, and I'd like to get some more
feedback from the group about what they want to do. Yeah, and I think, I don't know what happened to JJ, he must have been called out, because I know he was planning to come to the second half, but I, but he's had experience with these kinds of conferences before. So then we're going to, he's going to schedule the next meeting where we're going to be like, what do we want to do, actually, and then we can let you know if we have other questions, or if we can, we decide it's going to be a conference thing, as we're kind of, and it seems like we're leaning towards, whether we might invite you to be involved. We'll see. Thank you so much for sharing your experience with us. You're welcome. And thanks Emily for taking notes, and Amy for joining us, and yeah, on Slack, much appreciated. And I would recommend, I'd recommend, well, I would feel like, I think Sarah would be a great facilitator for you guys, but I would recommend, like, Sarah, or you can hire me, or you could find an open space facilitator. I mean, I don't know, I'm a special person because I came from facilitator land and into technology, like I can bridge the two, whereas some facilitator people facilitate typical people and they do too many rainbows and flowers and the nerdy guys get frustrated. So anyway, anyway, you'll do great. Alright, thanks, bye. Thank you. Bye.