From YouTube: Kubernetes WG IoT Edge 20191009
Description
October 9 2019 meeting of the Kubernetes IoT Edge Working Group
A
Hi everybody, this is the bi-weekly meeting in the North America time zone for the Kubernetes IoT and Edge Working Group. As a reminder, this meeting is public and recorded. In the end, these recordings will be posted to YouTube, so if you're not prepared to have that happen, drop off now. We've got a working notes, an agenda document. I've posted a link to it in the chat right now. I only see one item nominated on the agenda, but sometimes we end up discussing other things.
A
A
That item was discussion of bootstrapping Kubernetes on the edge. We'll give him a few minutes to see if he materializes. Otherwise, I guess we could chat a little bit about the topic anyway in his absence, and maybe he can catch the result on the recording. John, you have anything to add?
C
Nothing much. Yeah, I think just James privately, to see if he'll join. So let's give a couple of minutes on that. I have a couple of links that popped up on my radar on the similar topics this week, so we can talk about this anyways and see how it goes.
A
So the other thing I guess we should discuss is preparation for our intro and deep dive sessions at KubeCon. It's, what is it, I guess it's about a month away, maybe a month and an extra week, but we're planning to put on a survey of the unique protocols and networking that go on in edge and IoT scenarios. Many of these go a little beyond classic HTTPS and TCP that you see in normal cloud data centers.
A
But if anybody wants to jump in during this call to nominate or suggest things to be covered, or ways to cover it for those presentations, I'd be all ears, or if anybody wants to help put together decks.
D
A
Yeah, great, because what I'd like to do, there are an awful lot of tools. Some of them specifically call out or implement abilities to work directly with Kubernetes. Others are containerized so that they should fit into a Kubernetes scenario without too much effort, but others, kind of in terms of their documentation, are more indeterminate.
A
C
What I think also would be interesting is to present some of the techniques that could be used to provide useful tooling for other protocols. Like, Kilton, as you guys have in ioFog, the stack for the Bluetooth and, how you call it, hardware abstraction layer. Yeah, yeah, yeah, cool, cool, yeah. I.
A
A
Maybe in the intro we'd go into a list of protocols, putting them in categories and explaining what they are and what they're good for, just in case somebody has an edge IoT app where they're in search of a communication method. And then in the deep dive portion, we can go into what tooling is available to actually deploy them, manage them, get observability, run them at scale in a practical sense.
D
I like the structure, Steve. I think it would be a lot of value for the community, then, to get a survey of protocols, which would help tie up something that is a question on a lot of people's minds as they enter the edge environment, is, what on earth am I looking at and how do I bring it all into a big picture? So, cool.
A
Okay, and I think I put a list of it, I tried to, in the abstract for these talks, but one of the things I ran into very quickly: there's a 900 character limit on that and, as it turns out, I believe there's in excess of 50 of these protocols, especially if you go into commonly used industry-specific ones that, you know, in many cases perhaps don't have a software-defined solution, but would require some sort of a hardware gateway device.
A
E
Hey Steve, this is Dan Kohn from CNCF. I wanted to just briefly introduce myself to the group, and I also can help if you run into issues on the KubeCon preparations. But on the landscape question, and talking through them, I think a lot of folks may be familiar with the CNCF Cloud Native Landscape. I just pasted a tweet into the chat window. Folks may not be familiar, though, that the Linux Found, the Cloud Native Computing Foundation, has a sister organization in the Linux Foundation called LF Edge, and they are working on a landscape that is very much in flux. I would just basically say that they've barely begun right now, and so there's no requirement to do so, but if some folks in this group were interested in working with this other landscape to try and list in those several dozen projects, and of course what tends to be most tricky is categorizing them.
E
I think to basically just pay, like, pull requests of additional projects. Yeah.
A
That's a great idea. I think to some extent, for some of our prior KubeCon presentations, we put together a little bit of that sort of material of classification, in categories other than network communications. But yeah, if we're gonna go to the work, it might as well be documented and put in a place where people can easily find it later.
E
Yeah, well, and what is nice then is that, you know, there's both a lot of marketing in this document, but it's also an interactive landscape, so you can go in and sort by location or by funding or by stars and most recent commit, and it's kind of a good way of keeping track of a lot of technologies or projects or such without necessarily making value judgments about them.
A
A
E
Please feel free to reach out to me, or on the pull request, if you run into questions or issues about how to interact with it.
A
Yeah, because I think a lot of the things we are going to talk about, or already have, are over there in that niche of the Linux Foundation. Already, it seems like in the category of IoT and edge it's fragmented across a number of foundations. We've got representatives on this Zoom today from the Eclipse Foundation, so there are a lot of very significant things that live over there as well, in the CNCF and other niches and branches of the Linux Foundation.
A
E
Well, definitely, Eclipse is separate from us, but I will just point out that the landscape itself doesn't care. You just have to put the organization that each project belongs to, although it can be a non-profit or even just its own project. But yeah, we already have projects on here from Open19 and OpenStack and CNCF, and the Open Compute Project.
C
A
Thank you. Okay, thanks, Dan, great idea. So I see James Kirkland has joined now, and he's got a line item on the agenda for discussing bootstrapping Kubernetes on the edge. James?
A
I should have thought of this at the beginning, but maybe we should go through an intro round for any newcomers on this call to introduce themselves. And James, I don't know if this is your first time or not, but if you were on in the past, I don't recollect it, so maybe you can go first with a little introduction.
F
E
Sorry, Dan Kohn from CNCF, and I would mention that CNCF also runs a Telecom User Group, which, we now have Verizon and Vodafone and AT&T and Rakuten and a number of others who are watching this work as well and looking for engagement and overlap. I'm participating in looking at particularly scenarios of supporting hundreds or thousands of base stations.
E
I remain really interested in trying to understand the status of Kubernetes Federation v2, KubeFed, and we will be kind of looking forward to publicizing work that this group creates or highlights. Okay.
E
It's under CNCF, but it is totally public and anyone's welcome to participate. Let me just paste in the link for it here, and I'll put it in the notes as well.
E
It's definitely, we made an exception here, where CNCF has an end user community of about 120 top companies, and that one is a vendor-free zone. But because the telco world works differently, and a lot of the intelligence tends to be with the vendors, we carved out this as a separate exception, so it's intentionally allowed for both operators and vendors to collaborate together.
F
Yeah, I'll go. Can you guys hear me okay? Yes? Okay, cool. So my name is Jeff Young. I work for a startup called Industrial IO. We're here in Raleigh, North Carolina, and basically what we do is we go to older industrial sites and integrate with their existing processes for either ethanol manufacturing, or we'll tap into their power management, pull in their data to our data lake and compare what they're doing to utility bills and help them save money. And one of the challenges we've had.
F
F
Yeah, it depends on the customer. Not always hardware. Surprisingly enough, a lot of these companies have virtual environments, so we really can just get a VM from them.
A
F
Or like VMware, or something like that. They don't know, they're not quite up to speed on containers, so the best we can do is get, like, a Linux VM and then run and install Docker on it ourselves.
G
Hey everyone, my name is Jeff Beck. I am first time on the call here, but been kind of watching the work you guys been doing. I am a technical product marketing manager at Red Hat, and specifically I work in the runtimes unit, but before joining Red Hat I was actually a sales engineer for ThingWorx, if you guys are familiar with the IoT platform ThingWorx, bought by PTC. And before that I had a couple startups in the IoT space, in smart buildings and energy management, so I've got a kind of vested interest historically in IoT, and I'm really interested in Kubernetes running at the edge. And then, even more specifically, Red Hat is supporting a new product, a new version of Java that's able to be compiled down to native code, so I'm really interested in the combination of Kubernetes, or Java running in containers on Kubernetes, at the edge for pre-processing, all those kind of things. So just excited to join and kind of listen in, and I will be at KubeCon as well in a couple weeks too, so if you guys need any help there, I can sign up for some stuff as well.
A
Okay, definitely introduce yourself, because a number of us are going to be there. Yeah, I've heard of ThingWorx. And this Java thing you mentioned, so by native code, you mean it doesn't require a JRE at all? It ends up being effectively binary executable by the time the process is over?
C
Oh, yes, maybe, I think so, yeah. So let me post your link here. So that's something I think I want to cover a little bit in the other session we had, so not the working group one, but other, related to developing the microservices. But yeah, this is like a Java framework, yeah, aimed specifically to create a cloud native, okay.
H
So this is my first time in these meetings. We are working on a project called EdgeNet, which is a joint project between the US and France and Canada. We are partners of US Ignite, so we try to create an edge cluster by using Kubernetes, and now we are working on a feature called selective deployment.
H
H
A
A
I
About the Java thing, because I actually had a question, I had trouble with my microphone, which was: how does this Java compile down to native machine binary differ from some of the micro JVMs that are in things like smart card technology? Or there's some trusted execution zones on even very small ARM controllers that run trusted kind of Java applets on a special sort of enclave and in an execution part of the architecture, and some of those ARM chips. Like, what's the?
G
You know, this is Jeff Beck. I don't know the things you're speaking of, so I can only kind of speak to the Quarkus stuff, but it utilizes GraalVM, which is an open source project, mostly supported, I think it came out of the Oracle group. And more specifically, it uses a component called Substrate, and I think Substrate is kind of the catalyst that allows it to compile the Java libraries down to native code.
G
If you look at that quarkus.io link in the chat, it kind of gives you, if you scroll down a little bit, the visual that it has really kind of shows you the memory footprint and the processing, or the boot-up time. Where we're seeing extreme amount of interest, first and foremost, kind of like the no-brainer use case, is really for serverless.
G
Yeah, absolutely. So let me level set a little bit. This Quarkus project is relatively new. It is growing by incredible leaps and bounds. Version 1.0 will be released in the next two to three weeks, so from a product support, from a Red Hat perspective, we won't be supporting this officially, enterprise support, until later into 2020. So is Quarkus open source? Quarkus is open source, yes. Obviously Red Hat's heavily invested in it, but obviously it is an open source community, and I think you can see all the participants there.
G
A
Have people encountered any licensing issues? It strikes me that if you utilize Java libraries, pull them in, and, I don't know if you'd call whatever this does compiling, but let's say for sake of discussion you compile them, are there vendors of these libraries that would be looking to get money out of you for doing that?
I
I mean, essentially it's just taking some intermediate bytecode representation and then native compiling that. Hasn't that been around in some form for Java? As far as, aren't there bytecode compilers? I'm not the Java person, I'll be totally honest, but I mean, assuming that, like, the same way pi.exe can take Python bytecode and compile it into native, you know, architecture-specific binary. I mean, this becomes architecture specific, I assume, right? Quarkus code becomes ARM specific if prepared for an ARM execution environment.
G
That's a great question. Yes, it has to, right, in the end, I'm almost positive. I'm not sure if it's gotten to the point, the maturity, where it can be deployed on ARM yet. I'll have to look and see in the details of that. Not an expert, so I don't want to overspeak on that, so I'll kind of let the website speak for itself at this point.
A
G
I think what you're seeing that may be different now is the other catalysts, in terms of microservices and serverless and those kind of things, are maybe a more conducive environment. And, you know, I'm not sure what this means for IoT and the edge, but I just keep thinking about the potential of how many Java developers there are out there, and the ability to do compilation on a native, that might, and once again, the pre-processing sounds really interesting, and pushing intelligence further to the edge seems like an interesting marriage, potentially.
A
It seems like a good call for some of the cloud-native technologies that come with Kubernetes too, in the sense of needing to have some infrastructure to manage it and process updates, because dragging in this myriad of potential Java libraries sounds like you could have a CVE per week and need to have some solution that really enables you to do updates pretty easily at scale.
I
Yeah, I mean, I think the bigger challenge for this project is going to be the edge cases, right? Like, so we have a project, Google, called gVisor, that is, you know, like user space kernel stuff, and occasionally you'll hit random little, like, unimplemented syscalls, right? And it's pretty good. I think that surface is very, very well understood, that Linux kernel surface, and so gVisor actually works quite well for what it tries to do.
I
But when you start to cover every kind of oddball edge surface that people have come to depend upon in the JVM, how many programs will run into portability issues where they've relied on something that isn't in this new toolchain, essentially? But I'm just saying, in my estimation, that's going to be where there'll probably be some speed bumps along the way. They're all workable, but I.
C
I think this is more suited to, like, a greenfield development, and it's not just providing the compilation to native code, as you said, that was here for a long time, but also providing kind of a framework to, you know, use all the new libraries and services you would expect, to do a proper containerization, to provide all the things like observability and things like that, that you would expect from, like, a cloud native microservice.
C
C
I
C
No, no, that's great. But I mean, if it's an interesting topic, we can definitely find someone to talk more about and answer all these questions on one of the following calls. I know it's not strictly a Kubernetes topic, but, as we all agree here, you know, everything that brings containerization closer to the devices, it's a valid topic. So if you guys want, we can schedule something for next.
I
Yeah, another one that's kind of in the adjacent space, topologically, is the whole WASM, WASI stuff, being able to write WebAssembly that is then compiled into a portable binary format, and then the WebAssembly System Interface that Mozilla is starting to work on is pretty interesting from that idea. Because even today, because this would be architecture specific, one of the things that gives you complexity in a CI toolchain is that, you know, you're going to end up with container manifests with multiple architecture-specific containers, whereas the WASM stuff allows you potentially to have truly portable binaries. Anyway, they're all in the space of, like, what are some interesting language developments for constrained operating environments.
A
Well, it sounds like, you know, for this next KubeCon we're giving a survey of networking related, but maybe, since the proposals are going to be due for KubeCon Europe fairly soon, I think they're due in mid November, maybe we can queue up this subject as our topic for coverage for KubeCon Europe in the spring.
C
Yeah, definitely. So with the other session I have at the North America, I wanted to scratch this topic about, you know, particularly how developing services for the edge and constrained environment differs from, you know, the cloud one. But as I said, you know, only scratching it for now. Maybe we can deep dive it later on.
A
A
Okay, we'll assume that he's not there, but does anybody want, he nominated a discussion on bootstrapping Kubernetes at the edge, so I gather that means taking it from bare metal or a VM and bringing up Kubernetes and maintaining it, and it strikes me as the realm that a number of distributions address, but maybe there's more to it than that. Anybody got any ideas, or they want.
I
I do, actually. I started typing out and I never finished writing, but I can quickly describe what I think would be an interesting piece of this puzzle, which is that when you use something like kubeadm, right, let's just kind of assume kubeadm might be somehow in the mix in terms of provisioning the initial cluster, you need to seed the configuration of each node.
I
To kind of, you need to pick one thing. Even if you install it with every machine having an identical image, you still need to pick one of them to start as the API master and then have the others join, and there's sort of this quick, you know, how do you pick the thing that's going to be the thing that starts all the other things, right? And so there's a, yeah.
I
Sure, yeah, but I'm just saying, okay, you can get a cloned image on a bunch of things, or you have a USB installer, whatever it is. But to me, one of the interesting hard parts on the bootstrapping is, now, how do you get this cluster started? And most of the kubeadm sort of administrative guides talk about, like, you know, start this one and then get the token and then put the token on the other one so that they have the way of joining that master, right?
I
I
So the idea would be that you'd have all these machines sort of turn on and use something, honestly, pretty arbitrary. It could be the lowest IP address. It could be the lowest, you know, boot time timestamp, but something where they all multicast out, broadcast out, their start time, and you have the corresponding listener that listens for everyone doing this, and they all agree to pick the one with the lowest whatever.
I
A
A
I
Worthy, yeah. No, no, it seems a little, yeah. It does seem like a bit of a bootloader-like idea. It maybe feels a little elaborate for just the bootloader step, because I think kind can do a lot more, right? It's designed to be more of the, capable, at least, of being the stateful running thing. I.
A
Think a lot of people gravitated towards it. The principal use case that I think got traction was developers wanting the fastest, easiest possible way to bring up a Kubernetes cluster to do some testing on their laptop kind of scenario, so that, if you're working with anything with a Docker runtime, which could even be a Mac or Windows, you can quickly get a Kubernetes cluster.
A
Now, how accurate and production worthy that Kubernetes cluster is is another matter, but even if it is not really production worthy, you could use it as a bootstrapping tool to get yourself to, shall we say, a better Kubernetes cluster, and rapidly advance up the food chain to where you're running with Kubernetes rather than dealing with lower level components.
I
C
C
C
A
Now, of course, I suppose pulling everything from Git at an edge location presumes that you have access to a Git repository as part of your bootstrapping process. So I think, actually, in reality, kind would probably presume that you have access to a Docker registry. I know there must be edge scenarios where neither of those are, getting access to either of those might be somewhat problematic.
I
Yeah, this mentions it pulls everything from Git, so it'd be interesting enough, Firekube can essentially serialize everything offline into kind of a single package, or if it requires a degree of dynamic bootstrapping. You know, it is interesting. It's sort of like nested dolls of isolation, this idea that you may just end up running all of Kubernetes in a container as a mode of isolating, especially if you're running it in something like a VM or gVisor or something for true isolation.
I
I
The other one we should invite, I've met with them a couple times, but there's sort of this realm of all of the Docker-centric or Kubernetes-centric.
I
I
CoreOS is still really a thing as a, and I guess you could say there's sort of some Snappy-like distributions, but even with those, I think they were still much more than the kernel, whereas I think k3OS and Talos are basically almost nothing but the kernel and Kubernetes, and so they're really sort of hyper-minimalized OSes, which are basically just enough to launch Kubernetes, and then Kubernetes becomes kind of everything, which I think is a pretty interesting category for the edge, right?
A
Well, I agree. I think that would be an interesting future Zoom meeting if we can get speakers, and I'd like them to not only talk about their architecture, but also their availability for different processor architectures, not just x86 but ARM, and maybe things other than ARM as well, because by the time you're looking for minimal and edge, that certainly comes into play.
F
One thing I can say here, I know Fedora has Fedora CoreOS, which I believe OKD 4 will be based on, but it can be standalone, and Fedora also has Fedora IoT, some minimal OS piece. Links here.
F
C
I
So I actually did some prototyping with this, and there are pretty good Python libraries for it, and one of the things that is imperfect about, so I was actually trying to use a USB FIDO key as a provisioning key for devices where the key itself is actually a single factor. So it's for a headless device that has no input device, and so you would use the key as a sole factor of authentication, not a second factor.
I
One of the things that's okay, but not great, about it is that the keys are associated with the user, and the way the key challenge is verified is without any key ID. So you basically try all of the keys attached to that user and see if any of them match the one that's plugged in, basically, and so that's limited to 10, I think 10 or 20 per user, or something like that, because it's scaled on the idea that it's attached to a person, one of these FIDO keys is. But I did get it working.
I
So the idea was that I was using it to actually refresh a time-expiring temporary key on a device. So the key had a 24 hour expiration, and then what would happen is somebody would need to plug in the FIDO key, and it would refresh the token based on that challenge. And the idea I had in the kind of use case scenario was that this FIDO key is kept in a factory environment. It's very common in these industrial environments to have a locked key box, right?
I
It's the box on the wall somewhere in the factory that only the foreman has a key to, and inside that box are all the keys to important things, right? And so the idea would be that, as part of a shift change or something, from the IoT security point of view, would basically verify that a person of authority, who has limited physical access to a special key box, got this FIDO key and inserted it physically, on-prem, in the machine that you want to make sure is still trustworthy, so that somebody didn't, you know, take it out of the factory and is still sending you data from it somewhere else.
I
A
Okay, but the idea was you'd periodically establish evil, authentication or validity as part of your workflow, and then, right, would.
I
I
A
There's this anecdotal story that a San Francisco bus had an IoT device stolen off the bus while moving. I don't personally know if it's true or not, but if you would require re-authentication when they came back to the bus barn at night, that might prove the box didn't disappear, and you might not catch it within the first few hours, but you could catch it within a day, so there could be some value there. I could see that this.
D
This is also saying to me that you can replace kind of like the user login portion of an authentication, you know, session with this, right? Right.
D
D
This is cool, because I see user association is a big challenge with machines that don't have a keyboard and mouse and so on, and this would be a great way to say: here's your user, you're authorized, it'll work for the eight hours or on shift. That's pretty cool. Now, remember, it can't.
I
I
D
I
Through users yourself to kind of do this sort of inefficient iteration, but it's, again, for a finite reason.
A
What if the person leaves the company? We couldn't get our next release out. But it served its purpose well, and the reason it was kept in the safe was concern that hackers, if we left it permanently plugged into a system and hackers took over that system, they could conceivably put out software in our name. So there was perceived to be a little security gain by keeping that thing separated.
I
C
But from the little that I read on free FIDO, it's a pluggable outpost, so you can basically use it with any other kind of biometrics, if supported. So for more advanced use cases it can be, I don't know, fingerprint or voice recognition or something like that, that will generate the same.
C
I
Latest revision of the spec, which I'm not as familiar with, really more tightly integrated into the browser and into the browser hardware, so that, like, it's becoming a standard called the WebAuthn flow. But that's somewhat coupled to web specifics, which, again, I haven't dug into this newer version, but it seemed like it made it less compatible for devices somewhat, because it was kind of making assumptions about web sessions and web UIs, user agents, that kind of stuff.
A
The interesting aspect here, too, is how it fits into scenarios where you might be running virtualization. I've got personal experience with using, I think it is a FIDO key, just as part of my two-factor authentication for GitHub and certain other things, and with the hypervisor I'm using, it certainly is capable of a scenario where you plug it into the hypervisor host, but go through an added step of choosing which of the VMs it gets mapped to.
I
Well, I think, you know, like, one point, as Dejan was saying, was in the bootstrapping and provisioning process, is one opportunity, and then I outlined a sort of periodic re-attestation flow, and then Kilton was talking about sort of user association. I think it applies to all three of those scenarios.
J
D
That makes a lot of sense. I would really like to talk, and, Mort's, you're often on the evening session, Pacific time evening sessions, the alternative sessions of this working group meeting. Would you be interested in talking about that workflow in more depth? Because I feel like I can learn a lot from what you need to see happen in this process.
A
I even wonder what might be available in FIDO keys that are industrialized. You know, I certainly have the consumer grade one, but for a lot of these edge locations, I think people are typically looking for the one that could go hundreds of feet under water and be exposed to fiery temperatures and still survive.
I
Yeah, I mean, this is being recorded, so I can't say too much, but, you know, Google's come out with their own flavor of this called the Titan FIDO key, because we've worked with Yubico on developing that FIDO standard, so Google employees have always had that as a requirement on all our laptops, etc. But the Google flavored version of it uses our Titan chip, and that was something, in part, we did just because that way we could control the full supply chain, even at the fab.
A
Implementation, say, hardened, I don't know, you call it. If you were advertising it, could you label it mil-spec or something like that?
I
I don't know as far as certifications go. I mean, it's certainly something that is stood by, but, you know, crypto's all about layers, right? So at the end of the day, it's a random number generator somewhere in hardware, right, and then you have crypto primitives on that, and then you have the FIDO protocol on that. And, you know, the FIDO thing is really about a workflow that's around, like, a challenge and response type flow based on standard crypto primitives.
I
But it's still this sort of idea that you, as a user, register these keys for use, and then the key and the app will do this little dialog flow, a little bit like OAuth, but it's FIDO. Anyway, so that's just another piece of hardware. I think Yubico and Google are the only two real fabricators of these two-factor keys. Yubico's.
I
I
You could have a machine, for example, like, shut down if it doesn't properly do this challenge flow every hour or something like that. It does require a centralized service, though, right? I don't know, and centralized is relative, but you can't do this purely on a totally isolated edge, because the public keys that you're associating with the user, associating with some entity, are stored in a service that the app needs to call and check, is this key valid, right? Whether that service runs on-prem or in the cloud or whatever.
A
I got it. There were some kind of hardware devices used as keys that the semiconductor industry had a decade or more ago. I don't know if they're still out there, but I think they were used in the high grades of UL certification for door locks and access control and things. So maybe those would be viable to put into a scenario where you had to be air gapped. I assume those things still exist.
A
A
Okay, we're nearing the top of the hour, so we've got a few minutes left if anybody has any last-minute quickies to throw on to the agenda. And as always, we'll have another meeting for the Europe time.
A
A
If we can get some follow-up on some of these suggestions, maybe some of the suggestions were mine too, but as always, I'd love to have help in lining up even speakers on some of these specialized topics to come in and carry this. These free-form things seem to work out okay, but I think we should maybe strive to have some more organized things at least half the time.
D
Hey Steve, for the agenda of the next meeting, maybe we should put on there kind of putting a formal outline to the KubeCon North America talk. It sounds like some good stuff is emerging, but then there's, as you said, way too much material, so to fit it all in, maybe we should start to organize it. Yeah.
A
I think you're right. Maybe we should aspire to even having a shared Google Doc available to let people participate in that offline as well.
B
A
Okay, I think then we'll call this a close. It's one minute left, so thanks everybody for attending. This meeting has been recorded, so we'll publish that recording in a bit. Thank you.