 Good day. Hello Vinay. Hey, Matt. Good morning. Good morning. How are you doing today? Thanks. How are you? Pretty good. I guess all things considered, right? Yeah. No, by the way, great job on all the coordination and picking up and running these meetings. You're doing a great job. Thank you. I appreciate that. Happy to help. Yeah. As I believe Dan and others have noted a few times while we find our feet to chop wood, carry water and the rest of the house. Right. By the way, do you have a chance to know who added the, I guess, the open item for discussion today? I don't see any PRs, but I see this Actually, can I confirm if my screen share is working? I've never confirmed anyone if Zoom lets me share a single app. Just so How do I do that again? Share. There we go. So is my browser window rendering now? Yeah. I mean, it's the meeting notes document, yes. Perfect. Okay. So I'm using Zoom properly because someone added this one here and I just moved it down and formalized it. I would like to. I would like. DoD exotic security controls for Kubernetes just because I saw this, but no one put their name and there was no update there. So I just want to know how to call out or offer to step up and cover this topic when we get to it. Yeah, we'll find out. And if not, I'll just shelve it till next week till someone decides they want to raise this topic specifically. Right. What was the topic Matthew? Good day, Dan. Here, I moved it from the top section of the document, which was sort of planned future meetings and moved it to today's and this whole highlighted area is pretty much the addition wrote slash verbatim. And someone just added this, but I didn't put an author or anything there. So I wasn't sure whom to offer to discuss this. I wonder if that is the individual who was looking for DoD compliance feedback, a few meetings back. 
Is this something that should go here in the discussions or is this something more or someone would file a ticket or something in GitHub and then use that channel to get this discussion going? Right. I'm not sure if we have the subject matter expert to bring to bear. Okay. I'll just make it an open item. And if anyone knows, then they can chime in during the open floor. And if not, I'll just leave it in the document and if no one chimes in for next week, I'll just remove it. That's good. Okay. I'm just going to turn off the screen share for the moment. Hey folks, really quickly. Are there any questions on the Harbor review that's happening? I mean, I don't see Andres here. I see Martin. No. I didn't see anything on the agenda either. I'm just wondering if I need to be here or not today. Oh, there's someone from Harbor there and someone just said hello, but their mic gain is a little low. Oh, you can't hear me? No, no, I can hear you. Someone else. Oh, yeah. Morning, afternoon everyone. Folks are still trickling in. I'll wait to ask my question later. Just in case Justin or Andres show up. The other Justin, by the way, not Cormack. I work with other Justins. I'm used to the Justin confusion problem. So Michael, unless, you know, there's business, particularly covered scheduled. The assessment flow doesn't really weave back through, you know, run-the-business meetings. Too much. So that's been the pattern. I'll just jump out at that point then. Thank you Dan. Appreciate it. Okay, so it's about five minutes in. We're at roughly critical mass. If there's anyone that's new here, this is your first meeting. I just posted a link in the chat to our attendance. So please feel free to put your name in there. And if you have no update or you don't want to be called on, just please put quote unquote no update next to your name. And if you'd like to introduce yourself or if you have a topic you'd like to bring up, just append that to the side of your name. 
And we'll get to you during the introductions. With that being said, first things first, I need to ask if anyone's able to volunteer as a scribe slash meeting minute taker today. I'm going to go ahead and silently step in and volunteer. And people may be late because Zoom now requires account registration and a bunch of other bullshit that makes me think we should switch to a different provider. Sorry, Zoom requires registration now? Yes. I just see that, there was a thing in the news, I think it was some local stations a few weeks back, on people pranking Zoom calls because they were unauthenticated, and they couldn't kick the person. It was like Ventrilo calls, like 10 years back. Right. But you know, like the client software for Zoom has a bunch of bugs and problems and they've done a bunch of really poor things from a security posture that makes me think that like having a group like SIG Security for the CNCF using Zoom sends a poor message. So I think we should, we should consider if there's something else we could use. The only ones with which I'm versed or at least familiar is WebEx and Slack, which I believe we already have Slack, but I don't know if we have to pay more, come up with funding for video chat calls. That's a point. Do you want, any chance, Justin, if you don't get the chance I could do it, but do you want to throw maybe an issue in the GitHub page there and I'll add it to the next meeting and at least address it to the best of my ability after this meeting. Because that sounds like a very good. Yeah, I can, I can add an issue or I heard somebody else speak up, I'll let them talk. Justin, just a little bit of context there. 
We lean on the CNCF for infrastructure around Zoom and our meetings are automatically recorded and archived and set aside for us to, you know, through mechanisms of the CNCF, to just know that, you know, when we decide to break from the pack, when and if we decide to break from the pack that, you know, there is a phenomenon there that we will have to be advocating and potentially, you know, there's the potential for us to lose that battle. And, you know, the broader collective to say, hey, you know, this is good enough, but I'm with you, you know, since there are explicitly security concerns with Zoom that have come to light in the last few weeks. You know, the ease of use that I've become accustomed to is a lot more suspect. Okay, I don't yet have any scribes at the moment, if anyone's able to step in great, thank you. Push comes to shove I'll wait till the meeting goes up on YouTube and I'll just extract some minutes post facto from that. So moving forward, is there anyone from any external working groups or special interest groups, the CNCF SIGs, here today that has any updates? Okay. I'm just going to go through the attendance here. I see one individual with an update, Mark Underwood, no update but comment on simulation. Mark, can we pass the mic to you? Hey everybody, I'll keep this short. So I belong, I published a paper a long time ago with a separate professional association that deals with simulation standards interoperability and in light of this pandemic thing I think there's a lot of lessons learned around how to integrate simulation into security. This is one of the takeaways I think that we're going to end up with. This usually came up in terms of cloud scalability. 
But I think there's more to this than scalability and you know I could invite somebody from that association to talk about the current state of the art in that and you know how this might be fit into security practices, but I just thought I'd mention that in light of this, you know I used to own the pandemicsimulation.com site, because we had a failed proposal to deal with this in the H1N1 era, that would be 2009 or so. So I had some familiarity with the then DoD and DHS, would both have showed some interest in it in that timeframe, but it really hasn't been fully adopted in security practice so, you know, given that we're kind of leaders in the cloud space it's something we could think about. I think it fits in the bleeding edge category as opposed to must-do things for incubating projects, of course. Thank you, Mark. Okay, if there are no comments or questions for Mark, I'll just go through alphabetically to our attendance for the updates. Dan, I have one for you. Yeah, so yesterday was TOC meeting day with SIG updates. As we look out, probably May timeframe, we have a, you know, of course we have Harbor, which is, you know, progressing and then, you know, on our horizon we have three new projects that are, you know, coming into our flow. So, Dex and Keycloak are identity projects that we, you know, are sort of pending to evaluate and JJ's begun putting together a bit of an overview for, you know, May as kind of an identity month and we'll, you know, dive into a couple of identity projects and, you know, have the self-sovereign identity that Sarah's going to connect on through. So, you know, something for the horizon. Justin Cormack. There was another project that was supposed to be on my radar, IDXL or something like that. That was my, IDXL or something, you know, jumble of letters that was apparently proposed a couple weeks ago, and I missed the TOC meeting. Is that ringing a bell? I need to go back and pull that through. 
Yeah, I do remember that there was another identity provider that I wasn't familiar with. Was it proposed or just discussed that it hadn't formally proposed? Okay, got it. I do remember that there was a second one. I've been trying to track that down. I haven't been able to pick up that thread. It was the one that hadn't proposed. It was the one that there was a Twitter thread, which Liz replied on, where they were concerned that the barrier to entry, even for sandbox, was very high. But maybe we want to handhold them. I'll try and find if it was that one. Justin, you now know more than I do, because I didn't even see that Twitter thread. Just being able to file a PR so we can actually track things that are real and like desired. I don't know. I mean, there's two known knowns and one known unknown out there that trying to connect the dots and see how much we want to prioritize. That's all for me. Thank you. If there are no comments or questions for Dan, I'll move on. I have one from Martin. Yeah, no problem. No problem. I know my family name is hard to pronounce even in Bulgarian. So I had a question. I commented that I wanted to join as an observer on the Harbor assessments, like a couple of days after the sign off from Dan. I wanted to ask if I can formally join. I'm already reading the self assessment, but I just wanted to clarify this in my, in my what. Sorry, I was trying to start this Zoom issue up on the thing and I had a hard time finding the tab to unmute. I don't, I don't have any real problem with it. I don't know what officially being an observer does for you that unofficially going in and putting comments in doesn't do, but I don't think it really matters. If you did the conflict form, which I guess you did. And then I don't see a real issue so I can go ahead and add that, I'll do that in a moment. I asked because I see that there is, there should be a chair sign off, co-chair sign off or chair sign off. 
So that's why I asked, because I thought this is something that should be done right for every single reviewer or participant. So it's reasonable in general. I myself want to do the same but time didn't permit for me to take part even just as a fly on the wall observer, but I also wanted to take part in a similar capacity just so I can, let's say we're versed in security reviews from our own backgrounds or with our own companies, but we like to sit back, watch the experts figure out what the standard approach is and then next time around not make any silly mistakes, at least that's how I approach it myself. Yep, I agree. Thank you. Okay. Any other questions for, right. I have a question, maybe to Justin Cappos. This is Vinay here and is there a formal document that we're trying to put together in terms of the next steps that we need to be getting together? I know there's a meeting suggested for the 13th, is the first meeting where we get together and figure out a plan to go forward with. In general, as you've been, you and others have been doing, like going in, just responding to the questions that the reviewers have is a pretty good way to do things. And in the end there will be two documents, there will be your document that you write and then there will be a document that we write that kind of is a summary of what we think. In general, we will try to push you to make your document include the kinds of things we want to say. But, you know, we also have this document that's a page, page and a half, two pages, something like that, that gives us the ability also, you know, if we can't agree or if we want to state it differently, to sort of in our own words summarize things. So I've been going through and obviously you've seen over the last few nights and earlier today, I've left a lot of pretty detailed comments in different places. And we can try to chat about those either. 
So ahead of that meeting if you like, you know, you can reply to my comments too, you can suggest things, we can talk in the Slack channel. However, you know, sort of make sense to move forward, but you don't have to create like another separate document. The idea is hopefully that document will evolve into something that answers the questions that we all have. Got it. Thank you. That makes sense. Thank you. And I have one last update here from. Just close loop there with Martin. So Martin and you Matthew, you know, on being an observer. You know, in terms of, you know, assessment conflict sign off. It's really, you know, escalating to the co-chairs is really, you know, to help us navigate through any issues where there are conflicts. In the situation where there are no conflicts, you know, it's really at the discretion of the assessment team. And, you know, it's always great, you know, one of the topics that, one of the questions that came up yesterday at the TOC meeting is, oh my goodness, it seems like, you know, there's increasing interest in going through SIG Security's assessment process and it's like, great, like, that's why we built a process and why we, you know, continue to invest in growing that team. So, in terms of, you know, observer bandwidth. You know, I'd really, you know, look to Andres and, you know, Justin as, you know, the overall, you know, lead in that area to advise on, you know, how much capacity an individual session has to be able to have observers, have additional helpers. It's like, you know, managing interns, right, you know, it can be, you know, free help but it's also a lot of extra effort to, you know, carry folks through the process. So, you know, we're all dealing with, you know, kind of crazy times and quarantine right now and, you know, fitting in all of these things and trying to keep everything moving forward. 
So as long as you come in with the mindset of, you know, I'm here to help, you know, the Kubernetes mindset of, you know, chop wood, carry water. You know, that is always going to be, you know, well received and, you know, look to Andres and Justin for guidance on how you can help. That sounds very reasonable and pragmatic to me. I see it as a one-off thing in that learn it the first time, pay less attention and then second time around actually start chipping in and don't treat it like a free learning program, but more something that we're just getting better at contributing to. That's at least my spin on it. Thank you. From a hardware standpoint, I came back since I saw you guys talking about hardware. I have two Zoom meetings side by side. By the way, this is interesting. The, you know, from our side, you know, we welcome more observers, like more eyeballs into this are going to raise questions that improve our docs, improve our process. The one thing I will ask is that, you know, we're almost at the tail end right now. We have our live discussion on Monday. So, you know, we went through two weeks of questions. So I don't want to kind of start all over from the beginning. Obviously, for the right reasons, we'll do everything, like good questions that come up, we'll go with it. But, you know, bear in mind that in about three business days, we're having a live discussion and start wrapping up. So we are towards the end of that timeline. That's good. Thank you. Okay, I have potential. Yeah, I was just going to say, yeah, and I do like as part of my update, but just think I'm the last one. I want to encourage anyone who is participating in this to really get your comments and things like that in as soon as possible. 
We, I know there's a tendency to want to wait till the last minute, but because like for instance I've asked in my comments for quite a few things that will take some time, or at least need some discussion so I can understand a little more. But I think are kind of missing from the document. I think it would be quite unfair of me to drop this at the last minute. So we want to come in and have our questions and things like that in as early as we reasonably can. And I think the expectation isn't that like we walk into that meeting and then out of the meeting, you know, after that there's sort of no changes need to be made or things. I think that meeting in part is meant for us to have a discussion so we as reviewers can kind of compare notes about what we all have seen and think and then, you know, maybe ask for some additional things or drill into questions where we might, you know, I might say oh I thought it worked this way and then someone else might say no I think it works that way and then based on what we understand, then we understood different security properties to be the case out of where Harbor is today. So, yeah, absolutely and I want to echo that, so you know, Andres and Justin and others have added comments that it took me a while to actually go and, I mean I'm writing. I wrote like three or four pages of new content for questions that came up so far, so you know, and I try every night to replenish them and not just another couple more comments yesterday that I need to replenish tonight and add them, so the earlier that these comments come in then gives us. It gives me more time to internalize it and add the content if it's something new that's being asked for. Yeah, and also feel free to push back a little if there's things that you think are sort of just unreasonable or duplicative or whatever. 
But, you know, that should be like, I think, a discussion that you certainly should have with like Andres and whoever the person is that's having it and maybe just have it in the Slack channel to say hey, I did these things but I looked at this and I just don't see how this would help and I feel like we already say this here and you can read this, can we, you know, isn't that enough. I think that's fine, we're not just trying, you're not at the mercy of all of us telling you, you know, having to follow all of our exact commands, we're just trying to get clarification to help make the best document possible for this. Yeah, I understand, thank you. I mean, so far everything has been reasonable. And, you know, obviously to an outsider that doesn't know Harbor the questions don't seem out of whack, like me, that I know Harbor, it's hey, this is expected, that's their natural thing, but obviously this document is meant to be standalone or stand on its own. So, so far everything has been reasonable so I've been adding them as we go along. There are, you know, for the most part, I think, Andres asked for night, there were, let's say 10 links that pointed to other documents he asked for embedded in this doc. I think eight out of those 10 I did it, for the other two, because it's a living document and things like road maps and other things change so frequently, I opted to keep the external links because it's the right thing to do, like someone that sees this two months from now, I will get completely out that information in some of those areas, but thanks. Thanks. Thank you. Does that conclude your update, Justin? It does. Okay, yeah. 
Alright, we don't have any PRs noted for chair approval or general discussion nor presentations, but there is one thing here in the notes that I'm just going to set up a screen share here for and see if we can identify who the contributor is just so we can raise it and if not defer to the future discussion. My browser coming through? Yes, and I think this is actually someone who is looking to be able to take this to the Kubernetes security group first. Okay, I don't believe this needs to be here, but I will go back in and I believe I know who's doing, like who's putting this stuff in. Okay, yeah. I'm not familiar myself where it should go or, but if there's some better place to put it, really Kubernetes specific and not as focused for the CNCF like overall project group. Okay, thank you. Sure. Okay with that being said, my attendees Karen. Before I go to the open floor since there's no presentations or additional topics there. I'll just quickly note that if there's anyone that's new here today, I'm still learning all the names myself. Feel free to just ping via the chat function there if you'd like to be introduced or introduce yourself. Okay, so with that said, we can just jump straight to the open floor, so anyone wants to bring in my topics. Now's your chance. I had a question maybe, maybe a clarification. So in the broader charter of SIG Security, I mean, and forgive me I should go and read all the documentation that is available as well and I'll do that. Is it to be the oversight community committee, for example, to provide guidance on new projects, to the security assessments of course that we're doing and those kinds of things. And what are the other activities that we could take on and propose, just broadly speaking, I mean if then you or someone could talk about that, it's just a good sense of what are the broader projects or activities that we could take up and address. That would be helpful to identify and index as we think through what we can do. 
Does that make sense? So again, you're looking for maybe not necessarily plugged in or yeah, identifying where we can plug in, where we can contribute as well as what are the broader charter for security, where do we get plugged in, how do we contribute, how do we collaborate with the broader ecosystem, or how do we float new security projects, does it come out through here, like incubating project, you know those kinds of things. Got it. So, you know, let me sort of start with some of the nos. So, in terms of, you know, building actual projects. We have many of, you know, active participants from projects but you know this SIG is, you know, a consortium of subject matter experts that supports the actions and activities of the TOC. So, you know, we are not in the business of maintaining software or, you know, kicking off an effort, you may, you know, through these meetings or through, you know, the activities of SIG Security, you may meet somebody that, you know, then, you know, peel off from there. But, you know, there's no expectation that I would say that this is going to be a source for, oh, okay, we need to go build this thing, you know, start writing code. It's much more a forum of subject matter experts. So, you know, right now our, you know, most active and repeatable workflow. Actually, there are two of them. There's the security assessments and there's, you know, run-the-business. So Matthew's been, you know, very graciously acting as facilitator. So, you know, he's gone through, you know, the past month as a facilitator, we will, in the near future, you know, be nice to have a rotation of the forces. So if you'd like to, you know, take up some of the, you know, that work, there's that as, you know, kind of an immediate activity. 
Then, in terms of engaging, you know, various other, you know, working groups, there's need, you know, we have, you know, kind of an open discussion with, you know, NIST as an organization where, you know, there's some crossover interests, but there's no active liaison. So, you know, that's an opportunity. But, you know, as with most other open source activities, no one's really going to tell you what to do. So if there's an opportunity that you see to support these efforts or to connect the efforts that are, you know, going on in other forums and, you know, you want to identify that as, you know, something that you're doing on behalf of the group, then, you know, I invite you to bring it to the forum and, you know, I'm fairly certain that, you know, if it's under the, you know, overall governance and guidance of what we set forth as what we do here at SIG Security, then, you know, I would expect us to support that. That's perfect. Great. Thanks a lot, Dan. I really appreciate that. Okay. Are there any topics anyone else would like to bring up? May I quickly introduce myself, since I've been lurking on your call today. Yes, so this is Paul Howard. I work for ARM, I'm a Solutions Architect, and I'm working on a project that's collaborative across ARM and Docker and some other organizations that we are looking to, we're looking to make a presentation to the TOC at some point for sandbox adoption. The name of the project is Parsec, and I'm basically looking, it's a security focused project, so I think it would be of interest to the security SIG. And I guess what I'm looking for is, because we're expecting to put a presentation together for the SIG at some point, I'm looking for examples of good practice. I just joined the call today on the off chance that there might be a presentation. Of course, I haven't checked the agenda, so I guess that there are no presentations today. Presumably you record your calls and put them on YouTube. Is that correct? 
That's correct. Can you advise me on that? Google and just CNCF YouTube. It's one top level YouTube page for all CNCF SIG presentations, and they just get uploaded automatically about a day or two later after the meeting concludes. Okay. We had a presentation just last week. While you continue, I'll go find a link and paste it in the group chat. To be honest, I was kind of done. I don't want to talk at length about the project at the moment. We haven't put our TOC proposal together yet, but we are marshalling our forces to do that and getting all of the information and all of the collateral together to make a presentation and to follow the documented process for getting it to the TOC's attention. We'll be following the documented process in due course. For now, I'm really just trying to get a feel for, you know, examples of good practice or any bits of advice in terms of making a good representation for the project. Yeah, that's it really. It's good to meet you all as well. Thank you. There's two completed assessments, one for in-toto and one for Open Policy Agent. If you take a look at those assessments, they also give you an idea of what the completed process looks like. So that may be a reasonable place and you'll also find template documents and things like that, when you're ready to start that part of the process. Okay. Okay. Yeah, that's great. That gives me some things to go off and look at. That's brilliant. Thank you. No, I didn't want to take up any more of your time in this meeting, but I didn't want to lurk on your call and not introduce myself. So, thank you. Just following up on the heels of that one, I'm just going to quickly do a screen share here to confirm with Justin if I have the correct link here just so I can provide it for visibility slash tracking. 
So, is this the correct one, Justin, and the links here, are these the links to the assessment itself or should I be looking elsewhere to find the formal document? Yeah, you'll find the, there's a directory somewhere that has this, I think they're linked off here too. But the closed issues should have the assessments for them, but there's also somewhere under their assessments, projects. There we go. There you go. And then there's SPIFFE/SPIRE documents there too. So I'd recommend taking a look at those. I placed those in the chat, just want to make sure I'm not sending people on a wild goose chase. Okay. Anyone else that'd like to take the mic? Okay, so I'd give about 10 seconds of crickets says we're all done. All right, that being said, that wraps up today's meeting, hope everyone stays in good health and good spirits and hope to see you all next week. Thank you.