From YouTube: Istio Security Working Group Meeting 2019-03-20
Description
No description was provided for this meeting.
A
In 1.1, it's a pretty big change in terms of everything in Istio, which gives a lot of features, so in terms of security I can cover several points here and then Limin will cover the rest of them. So for the first one: in 1.1, we have the readiness and liveness probes support for the HTTP protocol, even when mutual TLS is enabled. If you go to the release notes...
A
Let me show you, so we have four ways to actually do this. [inaudible] I think one of the ways that we recently support is using the pilot agent to proxy the non-mutual-TLS traffic to your workload, and there are also some other modes as well. I won't discuss the details here. And the third one is identity provisioning through SDS.
A
This one is introduced now; it's an alpha feature, which means by default, when you are running on the mesh, it's still using the legacy secret file mount approach, but there's a way for you to use SDS, and what that will do is it will bring up the DaemonSets, which are the Citadel agents on each node, and those agents will basically act as the SDS server for all the workloads.
A
This one is a big improvement to our previous solution. In our previous solution, your external certificates are file mounted to those gateway controllers, ingress gateway controllers. That has a problem: whenever you update your gateway to include more certificates, you will have to deploy the controller with a new configuration, and then your controller has to be restarted.
A
That's really annoying for our users, so what we have is an improvement, and that is to introduce an SDS server onto the controller part. The SDS server will basically be an agent. It's very similar to the Citadel agent. It's sitting as a sidecar in the same pod as the ingress gateway controller. What the server does is it exposes the SDS service to the controller, and the controller can call that service to retrieve the external certificates and the keys from that secret, via that sidecar, that SDS server.
A
If you want to see more about this, you can click into this link. And the last one is the customized trust domain. This one will be enabled; it's an alpha feature as well. We don't have a task here yet and we are writing it to tell the users how to customize their trust domains. By default, it's cluster.local, but we can tune the Helm parameter, Helm flags, to configure a different one. So those are all about what I have; over to Limin.
D
Yeah, so for the authorization part, the first thing I want to mention: we have a change on the RBAC configuration. Previously we had the RbacConfig, which enables Istio authorization, and later we realized it has the wrong scope; it's namespace scoped, but it should be cluster scoped. So we replaced the original RbacConfig with the ClusterRbacConfig resource, and we also provide a script so that you can migrate from the existing RbacConfig to ClusterRbacConfig, and in 1.1 we will still support the old config.
D
So if you have RbacConfig in use, it won't break. Our code is still supporting the old config for now. Yeah, I want to highlight two features for authorization. The first one is: previously the authorization supported only HTTP/gRPC services, and in release 1.1 we added support for TCP services, so now you can do authorization for TCP services. I think that's a big one. The second is authorization for user groups.
D
So, with this support you can define an authorization policy that assigns some roles to a group. For example, you can assign a certain role to the admin group. Then, in your JWT token, you can have the group claim, which identifies that the user of the incoming request belongs to the admin group. Yeah, you can do the same for other claims. So, for example, you can assign your role to a person that belongs to a certain group, for example, and then in your JWT claim you can...
D
Yeah, okay, so this presentation is mostly a follow-up on the previous presentation. [inaudible] We had a lot of questions regarding the relationship between Istio token, OAuth token and the API key, and so the first part of my presentation is basically explaining the relationship between these credentials, and in the second part I'm going to talk about the authentication policy change to incorporate these new credential types. And so, Istio token.
D
So we have already talked about Istio token. So Istio token is a special token that's used inside of an Istio mesh. We want to introduce Istio token as a special credential type, for the following reasons: first, it makes a clear distinction between internal token and external token.
D
We want to call that Istio token; the internal token is different from any other external credential like JWT or OAuth token. And second, we want to have Istio token defined, our definition, in one place globally, and all the workloads inside the mesh can directly refer to it. They don't have to define it.
D
OAuth token and API key, these two credentials are actually very similar, so they are both opaque tokens, so they have to be sent to a token server in order to validate them, and in this sense you can think of API key as a special type of OAuth token, although API key has its own property and is normally used to identify the APIs that the caller is granted access to. But this distinction, this difference, is not that minor.
D
So we want to just treat API key as another type of opaque token. So normally also, for opaque token, there is a standard for how the token is introspected. So if we follow the standard, there is a standard way, calling the OAuth introspection endpoint. So you have to use the introspection calls, and the requests have to carry the token and optionally can also carry the token hint, token type hint.
D
Okay, and so in the case that the opaque token server actually returns a JWT token, it is very similar to the token exchange that Istio token does. So in that case, sometimes you can actually combine your opaque token, OAuth token server with the Istio token server. So basically, you can have a single token service which serves as both the Istio token server and the OAuth token server. This picture just shows an example.
B
OAuth is a relatively well defined protocol, right, and we're saying we're gonna support validating OAuth tokens. So presumably, if we're validating OAuth tokens, we're talking this OAuth protocol, right, but you're saying that there's this token service that then knows that instead it's going to return an Istio token, is that, yeah.
D
So, for example, you have an API key verification server, which is a legacy server; it won't return the Istio token. It simply returns the claims in JSON format, and then you can have another token service which calls the API key verification server. So it just shows it can be a separate server instead of a single server.
D
Yeah, so now I'm going to talk about the authentication policy change in order to support all these credentials. We want to introduce a new CRD type called authentication methods. Yes, so just some precaution: this authentication policy change, we already had an internal discussion, but still there are some, like, names or some minor details not settled, so I hope it will just give you a rough idea how it will look, but it's not finalized at every detail.
D
Yeah, so the authentication methods include a JWT type and a server type, so you can do JWT authentication, which is validated locally, or you can do server authentication, which is calling out to another remote server. Istio token is a special type of JWT, and we also have a special type of form as the token server specification. Yes, sorry, it's just a special name; Istio token is a special name, a reserved name, but the specification is the same, yeah. So the authentication methods configuration is a mesh level singleton.
D
So for the JWT spec, it's what we already support. The JWT spec is actually the same as what we have today. You can define the issuer, the expected audience, the public key URL, and the headers where you extract JWT tokens from, and yeah. As I mentioned, we want to make Istio token a reserved type because it's a special JWT token. And further, for the server type, it contains the following fields.
D
So this part specifies the URL, secret name with the secret type; it specifies how you access this token server, and there are other parts we can specify. The input header basically specifies where you expect the credential extractor to extract the token from, so for the API key you can specify which header this API key is located in, and it can also be extracted from a query parameter. So we also have the input parameter, and you can also pass the token hint.
D
So the token hint is used when we send the request to the token server, to the introspection server. And the output: you can also specify the output header, basically after the token server response, which header you want to put the token in. And Istio token is a reserved token server name. It can be used to specify how to access Istio token.
D
Yeah, so under, so I'm, sidecar, sorry, so this is also a policy for the ingress. I mean ingress, so in ingress we basically say delegate authentication to Istio token. I think that's also [unclear], right. So basically we can specify, so the policy basically will indicate the authentication is not done locally or inline; it's delegated to another server, the server definition. Maybe.
D
So they are two different, right. So the next one is the sidecar authentication policy, so in the second authentication policy we are saying the sidecar, the service, accepts Istio token. So you are saying, so we are using JWT as, you know, exactly the Istio token JWT, but our ingress is different. Our ingress says server authentication, so basically it's calling to the Istio token server. It's a different authentication method.
C
Just go back a second to that output header: while that may not matter for an Istio token server, if you're not doing an Istio token server and you're just evaluating the OAuth and doing the introspection, you may want to go ahead and say what the output header would be so that it can be passed upstream to the sidecars and...
D
Yes, so the authentication method defines, so for the JWT authentication, it's [unclear] authentication, basically accepts [unclear] JWT, and for the server authentication it defines the API key authentication, and for Istio token it's local. Basically, at our ingress we are doing the local token exchange.
D
No, token exchange is only at ingress, so at our ingress, you are saying, if you specify the, yeah, maybe if you are like that, it'll get better. So basically it says this is the Istio token server.
B
We're saying, okay, we have this configuration that's mesh-wide, and the mesh-wide configuration is saying nothing about where that server is reachable from, right; like if you scroll up, your mesh-wide configuration, yeah, Istio token has, you know, an empty map, right, and so we're not specifying any information about the Istio token server other than that it exists. So is that realistic? Is that, like, basically, is it right to have this global piece of configuration that says?
D
Actually, almost, oh yeah, so this is the last example; maybe I just came up with the example right before the meeting. Maybe that's not a good idea. Okay, we'll just have two, our local Istio token, okay, yeah, local token exchange example, but okay, yeah, let's assume just for the first example; the second one I still need to figure out.
A
This one will be mostly focusing on this, because I get a lot of comments on the CSR API, and this is also what the community cares about, and also the next one will be the CA rotation; I think this is also a good topic to talk about. I added a little bit of new content here to explain what every field means.
A
This is our current API between Citadel and the Citadel agent, and for the users we want to extend: if you want to use your custom CA and hook it up with the Citadel agent, one of the choices is to follow this API standard, so I will briefly talk about every field and why we have them. So the Istio certificate request is the request sent from the Citadel agent to Citadel, to the CA, right.
A
The response is the response from the CA to the Citadel agent, right; it's fairly simple, and the service is the CA service, and the CSR in the request means it's a regular CSR. It has the public key in it, so the CA can refer to that public key to issue the certificate. It also has a signature in it so that the CA is able to verify the proof of possession of the private key corresponding to the public key.
A
Those are the two most important fields; they should be used, must be used, by the CA, and for the other fields, the CA can choose to ignore them or override them. We don't have lists of what the CA needs to do on those other fields. In this talk, the subject ID here, someone may find it a little bit confusing. The subject ID is the ID that the requester wants the CA to issue in the certificate, if it is different from the identity presented in the credential, right. In other words, by default, your identity in the issued certificate should come from the credential that is sent from the requester, sorry.
A
[inaudible] Yeah, yeah, thanks for bringing that point out, so by default that will come from the credential, derived from the credential. Of course, the identity in the certificate should be in SPIFFE format, so we do a format conversion on the CA side, but if the identity you want is different from the identity provided by the credential, you can specify that in the subject ID.
A
Good point, right: it could be in the CSR itself, but I found out there's a problem, because in a CSR you have to have an identity in it; otherwise it is not valid, and it doesn't give you a way to optionally say, I don't want to use this identity in the CSR. So what we propose here is we want to have a separate field to explicitly call out the identity that you want. Justin, if you are there, you can comment on this as well. Yeah.
G
The subject ID field was a way to allow the requester to express a desire to get a certificate for a different subject ID, different from what it's authenticating with. I think in normal use, in most use cases, this subject ID field would not be used, and to Devin's point, I think, if I recall correctly, with the CSR we knew that we needed the public key and a proof of possession of the key, and the CSR was a standard way of expressing that.
J
I think, though, we need to be extra clear about the contract here, like if the purpose of the CSR is purely to transmit the public key and crypto possession of it, then we should communicate that it should not be expected that any other data provided in the CSR is going to make it into the final document.
K
I would suggest looking at something like a JSON Web Signature, because we're using JWTs everywhere already, you know, so that would seem like something to look at, or various other signature schemes, because all you're doing is using that to prove possession, so that's all that you need, the proof, and you've defined it in the CSR but you're ignoring all the values inside the CSR fields.
K
All right, I think we just need to choose: are you gonna use a standard CSR, or are you gonna say no, we're not using a standard CSR because the data is not useful, then we can choose to use another format, which is maybe more native to the tools that are likely to be interacting with the system. So it's just examples. Otherwise, we're gonna have to be very, very clear about how each field is used and probably go through a greater level of documentation.
L
I think, to be clear, instead of sending a subject ID, maybe it can send some metadata. Some vague metadata; it's up to the interpretation of the CA, because, you know, basically what is put into the certificate is determined by the CA, so it can ignore the, you know, subject, everything, and based on its own policy, for example, based on the credential accompanying the API call, on this CSR, determine what credential, I mean identity, to put in the certificate.
G
Yeah, there's a danger of adding, you know, the more flexibility you have, the more complexity you have and the more surface area for attacks you have. Yeah, real quick. So one of the comments on the doc was also asking about the validity duration field, and I just wanted to address that by acknowledging that the intention here was that it was to be a client hint about the requested duration, but ultimately it's up to the CA. So you determine the range or the defaults of the certificate expiry period.
J
You know, this is, we've been working on, a couple of folks on this call have been working on an integration with SPIRE in this regard, and we ran into some problems with this validity duration. SPIRE will not allow the client to specify a TTL. We put whatever we think is appropriate or whatever's configured, and currently the agent relies upon the validity duration that is specified in order to know when to renew things, and so there's no examination of the actual validity period that was returned in
L
Yes, so, going, yeah, it was the validity period for HashiCorp Vault. The practice is, the CA has a policy for the TTL, and the requester can send a hint of the TTL; if the requested TTL is larger than the CA's policy, it will be reduced to the maximum allowed by the CA. I think that's probably what can be, I mean, followed here; I mean for the TTL part, for the validity, basically the client can, you know, hint, but the CA will decide what the TTL will be, so.