From YouTube: Istio Security Working Group Meeting 2019-07-24
CAs is to continue to use each other to generate the SPIFFE certificates and use some DNS certificates, either existing certificates, their heads am in case of migration or set manager at me, or whatever else say they need, is again a second because, in the end so requirement these are the several reasons and DNS based certificates to external clients. That is not aware of your secure. Maybe we have a variant on this, I mean. Is there any possibility to do it differently? A certificate, I mean.
My point was that what I understand is that you have a legacy client that is no Carnegie steel, so it can be something running on a mainframe that doesn't support. Please NASA, very nooks and it's attending to an HTTP connection were, is your workload and as far as I know, the only most existing HTTP clients expect the DNS based that difficult on the other? Yes, you could put our different seems so.
So for a normal Istio user that has, how are they going to provide certificates for the external clients Ramin, so they'll have an external client that is not, doesn't know, God's East your identity and it expects a DNS basis. You are using a demon certificate right now. Yes, right! That means that your client is expecting a DNS based certificate. How would I use, your user provisions a certificate to Easter? How would you have equal, a sidecar to load the DNS based certificate.
So then, in the current approach, there is no other, like unless there is a client or understand SPIFFE, and would be able to understand that this. This server would have this format of a specific, which would be difficult to provide two extra mint lands, because right now it happens through secure naming within the Midianites.
Client, first of all not understand the SPIFFE certificate, most fines to not and say, hunt. It would not know what we expect, because you present them service account and they station when the service is factory. A DNS name doesn't know, is cooking for it's not reserved by service account before service a concept not so so also kind wanted to the secure naming in our case, I want to have a secure connect by sending one we cannot do secure name. Is your secure naming the DNS acute name, which means you ask for.
Yeah, I mean say something like, just trying to understand from your guys' perspective. That's the original problem you're trying to solve and when you got blocked by our API invitation. Is that because you have clients, does not have the my sidecar and your server has the permissive mode is not matching on the transport product ers and the you. You are not like coming from a certificate for Matic kind of motivates from there.
So that's why I think for if you had to be more straightforward, the configuration is directly express your intent that can avoid the confusion better. That's why I think at some annotation on their workload of deployment of hot Sun and so forth, to indicate your intention. So, let's see, my sidecar on the server side terminates.
The chaos connection will be clearer to express your original intent rather than conflating another fact that resolving here's I agree that is often used together with the DNS certificate in your client, but they are very over left, but they are not eat. I see, as that's my perspective.
I think so, there's two problems: using different city via is one problem and our API is unable to terminate the server-side, yes, and they. My is not a problem. I think the original proposal I tried to solve the case termination problem, not trying to solve the certificate funny, if we can solve since one thing at a time that.
Information about generating or not generating C's doesn't necessarily mean right here that user is way, but it's actually driven by the actual sidecar by having the certificate that has this capability. So if you do not have a certificate in addition of a certificate or you have a standard certificate, obviously, which is, there is no way the waiting's extra filter. So you need to increase user complexity and user requirements. When we can do this automatically. We know that the workload has the second in a certificate or never certificate to succeed. So.
So we have one concern with the adding it has a secret name, because currently the way we are actually mounting the certificate is not so secret. We kind of act as if we are the Citadel region, so we have our own agent, which just puts the certificates in the right location. Within till it's, your proxy container and I.
Think we can do it, we can. We can as long as we agree that it's a sidecar, dr. Liam, who is a separate boy by some means, we'll get. There means that it has in this use case where it needs to generate two certificates, even if I'm fine with specifying another option that it's actually conquered with HQ for certificate or it's a separate certificate. The reason I specified is this way what many users so your generation for? What is to your users?
My intent here, understand the intent is to somehow specify is a sidecar. Is that you have a special certificate it needs to be presenting, which is not the typical one, and give other users of Istio a way to use it without replacing Citadel, because what we ship is it on them see this doesn't body the GMs. So we in something that's.
That you're, the no date senator, sorry, there pilot agent, can take a parameter to specify their path of their certificate. That means that, for.
Then they don't have to use secrets at all. That's perfectly reasonable. The main point of the proposal is to as for age and pilot a generic way to detect. He was there in a situation where they can talk with, like a sequence or not how it's perfectly flexible. But again he needs to be see age, and it cannot be something self. It's not aware of what is the environment of agent.
Sounds easy, but so, whenever the pilot agent or whatever in Waco next to pilot its same Ingham at a key-value pair map, which is generically from the environment of the pilot, so any CA, all the labels for our patients and whole environment money for starting with a particular prefix there will send to pilot. So if an agent sends an extra parameter, sayings changed or whatever permits, we define a note, we'll be able to look up in, say, metadata. She finds this parameter and centenary whatever is necessary.
Exactly, but like the ask is sort of to be able to adjust this ALPN stuff, yes, not to be able to provide two certificates because they're only providing one, so like, is it the right? Is it the right move to say what we're gonna do is allow you to provide two certificates, and it so happens that when you provide the second certificate, it's going to be the ALPN that these users want, oh, like. Is that really the common use case that we think is going to be? I.
Will be existing work, so you are a user, mm, you see, Co, you use TLS, but you don't use cure anyone product is true. In this case you already have my infrastructures and n certificates and you want that infrastructure to keep working without dropping killer. So what when one is fewer? You suddenly lose ability to do. This stops working because when one is your permissive mode, also noticed your client forever, and I think this is a very common use is on people operating from a TLS environment.
I think, I think again. My concern is that what they are doing with the CA, I mean using non Citadel, generates to some extent decades is extremely uncommon. The common case is you have an existing infrastructure with existing certificates. You want to integrate with this job. I don't know what CAs they are using that generate this kind of case, but I mean do we do.
Not quite understand that the scenes at the you name, why not other people cannot do, they turn out the theater and they put a certificate in the right path and he's done. It's not my first time killing keep our three not actually the other people can do that as well and then already doing so terminates the my side thank yous connection at the service, my they just put that in 10 to 20 min annotation and that's it. My the parable taught will be very simple. So if.
We do not want, if you want to require people to stop using Citadel in order to away from TLS ratio, then we can solve the problem in different ways. Sevens fundamental issue icing is certificate configuration? How do you provision a certificate if we are saying that, in order to move from a TLS based deployment to please your is to not adopt accuse your own set, handle that saying good keep 0 the NSA 70 decades and commodified sets, that's fine in six keys we can just probative, it is a setting. It has a DNS based.
No, I thought that I thought I was agreeing to the principle that, like, you would provide two different. Well, not two different certificates, but you would provide. There would be like the place that Citadel puts its certificate and then a second location in the container that pilot agent looks for certificates, I'm.
Happy that way, so I singles of this alternative awful uses a customer's own CA to probationers SPIFFE ID and the DNS certificate. Basically, she flow responsibility to customers. They need to authenticate. You know whether this certificate issued abhi probation or denied they needed to authenticate. As a charter token, they needed an essentially community service counter, so Google.
My only fine is like, with all the comments back and forth, he would have paid the document. Okay, and we are only targeting is from one point three, I think it's simply enough to do any more country, okay, okay, one thing is like p21. If you want to go one more review and get our input again after you are very much happy to have a fanmeeting physio us piano.
Background is by default currently in Istio, if a user doesn't specify on C policies for their services there. If you are clusters or your trust domains have, you have, suppose you have different trust domains, right, different meshes, and you have cross-mesh calls, then those meshes, they can share the same root. Suppose they are sharing the same root.
One client from one mesh is able to call the service in another mesh and the service, if it doesn't apply authorization policy correctly, it will take that request and just authenticate it. This is the default behavior. I knew we had internal discussions about this and we think it's a security risk from their domain isolation perspective. So we want to.
We want to enforce some domain, trust domain isolation by applying a special policy on the authentication filters by default. So what this proposal is doing is we try to have a check on the authentication filter which is by default on, and it's going to check the request, a certificate check, the trust domain in the certificate. If that trust domain is the same as their local trust domain, then we are authenticated and let it go through. Otherwise we are just rejecting it.
It meaning is coming from untrusted trust domain, even though you are able to verify the certificate because you are maybe sharing a common root, but we give their users a way to disable that if they want to enable the cross-mesh calls. It's a flag, the user can just specify a flag, and then this check will be turned off and you can use authorization policies to do better, fine-grained authorization based on their trust domains. That's ID, Centauri to folders.
The finger on the screen says believes it's a trust domain in its own X.509 certificate as the local trust domain. I'm saying you can't do that. You have to have it explicitly configured. Oh.
It's basically extending, we have engage where you specify your kind of things about TLS, and there is one setting in Envoy that we don't support. Answer proposes towards that setting. So we, I think there are feedback from voting and you know needs to break this PR into two different PRs. Okay, you can follow it down, so the field that we are talking about is verified.
Yeah, no support is a bodied option is 20 by Envoy. There is no problem. Is economies trusted CA, basically a finds the trusted CA? That's the part where we wanted to postpone, and you have a clear understanding about how having a different dress this year will be configured in environment, separate or multi cluster, and so on.
No, that the discussions are treated having and that's what you see to decide right now for this particular key are we have all the other options for TLS configuration in gateway? It wouldn't make sense to put ceasefire ideas, so I mean we're not running to deprecate or the TLS having gateway and I don't think we can split some fields in one yes for sidecar. We probably won't even have the discussion until that USD steps in any sort of problem, but for Jaitley I hope we can avoid the discussions. I.
This PR should not the second options. Identify is PTI, which is clear in the separate PR we will discuss first of all status right. It's not clear. It needs to be an API gateway, adjust the configuration option in college like YAML, when we is perfectly because it evolves mounts includes other things. It's not something that so in order to load capacity from a file so deployments AIC.