From YouTube: WG KMS Meeting for 20221129 (SIG Auth)
Description
WG KMS Meeting for 20221129 (SIG Auth)
A
So hey everyone, this is the SIG Auth KMS subproject meeting number 20, for November 29th, 2022. I think we were going to discuss, or at least top of mind for me was discussing, items for 127 and sort of organizing around that.
A
So some, like, bookkeeping. So today is, like, you know, docs freeze for 126, what that means, or docs complete, maybe freeze is the wrong word. But a week from today is code thaw, meaning master will reopen for 127.
A
We, this time of year is really weird, because a lot of people have holidays and, like, basically as soon as you come back in January, it's like enhancements freeze. So, like, it seems like you have time, but you don't, because when you take out the holidays and the fact that you come back like sort of half functioning after the holidays today, there's actually no time at all. I mean, you actually look up the days real fast. That.
A
C
A
Yeah we, yeah we, we have to get the KEP sort of in a more complete state, because right now, I think we, like, we omitted the test plan and we omitted, like, a lot of the graduation criteria just because we were, we weren't sure what they were going to be, and we didn't want to, like, not have the KEP merge for, like, what was it, like, 124 alpha.
A
B
B
A
Okay, so looking, is the board big enough? Should I, like, zoom in?
A
A
That's nice, I think. Okay, yeah, so we will get those in pretty shortly. Those aren't big things. So, let's see, in progress, we have cache stuff which we want for, for v2.
A
This one is not a big deal. It's just me refactoring a little bit.
B
A
One is not required. Reference implementation is probably the biggest thing that we have for 127, because that's sort of like, well, it's sort of how we plan on making v2 good, right? A lot of the, a lot of the stuff that we want to be present there is inside the reference implementation.
F
B
F
A
But I think initially, I think I asked, was it on European asked for, like, hey, can we have a link here?
G
A
Yes, human beings are not the most consistent process followers, surprise.
G
A
They look better pretty fast, so that one is the bit that will allow us to do rotation.
C
A
The, the bit that this sort of relates to for KMS v2, for me, is this part, which is, I wanna, I wanna have a conformance suite that is not run on every PR, so you'd have to manually invoke it, but the only difference about the suite would be, it runs with encryption on, and it just runs a regular conforming suite. And I think what I would want that to do is use, like, the reference implementation and encrypt everything, like, is, is it reasonable to have a functioning conformant cluster with everything important, right?
B
E
A
So I'm just talking about the existing tests we have, right? Okay, so I'm not familiar exactly, you know, like, how they're defined and where they're set up, probably somewhere inside of test-infra, but the idea would be to define a new one that basically reuses the bulk of the logic of the existing ones.
A
Sure, but also uses encryption at rest. I have basically no idea how you get, like, the actual code for the reference implementation in there, because it has to be, like, a Go binary to compile, and then you, like, invoke it and make it hold a UDS for you.
A
Yeah, we would have to, I'm trying to think, we also would want it to, like, if you make a change to the reference implementation, you should be able to use this test suite to validate that you didn't break it in some horrible way, like, at a high level. But that, that would mean that it would need to, like, compile and build the reference implementation example thing, like, as part of, like, the PR pipeline somehow. All.
B
A
So that, that part's there. This one is basically, and this one is basically all of KMS v2 in a bucket. I'm not too worried about that one.
B
A
So we don't need this, right, for beta. We don't act, we don't have to maintain the DEK cache, right? This is more of a, not like, it conceptually makes sense for this to work, right? Like, it's weird that you reload and throw away the whole cache, that, like, doesn't conceptually make sense, but it's not a hard requirement, right?
C
A
Right, right, so you, you're not gonna lose, like, your watch cache, that would be retained, you're just losing the DEK cache. So if you try to read some data, it's not going to be able to immediately do it without talking to the KMS plugin first. I think that's probably fine, like, fine in the sense of, like, I don't feel the need to say that KMS v2 is not beta without this, like, I, I feel much more.
A
A
This one, I don't know, I'm not 100% sure how strongly I feel about this one. This one is explicitly asking for it for, like, so we have, I think, two integration tests today that, like, specifically exercise, like, having aggregated API server and I'm doing specific stuff with it, playing around with this resources, so it would be good to validate the encryption at rest works for it.
A
But this is generic for Canada. It's like, we should already have this test, in a sense. All right, I guess this is not even about KMS. This is about encryption at rest in general, so I'm less sure if this is a beta blocker for a circus, just a thing that we want to do.
B
A
B
E
B
E
A
A
E
A
B
E
B
A
A
Okay, yeah, so I think what, with, with the, so now did these say encryption at rest there, right? I think I would be able to say the same thing here, right, is that it's not a beta blocker for KMS v2, because this metric is about automatic reload, which is a useful feature for encryption at rest. But it's actually not related to the KMS v2 stuff, like, it's related in the sense that they're all relating to each other, but not exclusively.
E
A
A
So the metric is supposed to be how you understand that the API server caught up, because that's all you have today, or, if the only thing you have today is API server logs, the metric would be an easier version of that. And then the storage version stuff is, like, sort of the end state version of that, where you, you have, like, a nice structured API without super statements.
A
I think this is in that same bucket, right? It's.
B
E
This one is to, like, we have, like, another comment from Jordan and we, I think this is more like an exploration than a requirement. I guess, like, what if we use this, then how the performance will differ and things like that.
A
A
We have the ability to actually have rotation without restarts with KMS v2, because the API server is actually aware of these changes. We have encrypting everything, which would then actually allow us to write such a test suite that has everything encrypted, that can use the reference implementation.
A
B
D
A
A
Yeah, I haven't looked at it recently. I assume you ended up needing some kind of controller loop.
D
Yes, also, there were huge changes, so the test coverage dropped because, following your, the comments, quite a lot changed, and I think to the better. Definitely the better. The code looks now a lot nicer.
A
Okay, so let's see, thinking through that, normally what I like to see for controllers is, like.
A
Basically, two styles of tests I'd like to see for controllers. One are tests that just run the main sync loop, like, once or some specific number of times, depending on the test, and then they, like, sort of make assertions about what the control loop did during that time, like, it, you know, made these REST calls, or did this or whatever. And the other kind I like to have is ones that run the controller a little bit further out, and so, instead of running it directly, like, they actually run the goroutines, right?
A
Just, like, fully, like you would actually run a controller, and what they say is, like, all right, you started at this state, because of that I expect you to converge at this state within some small time window, right? So they don't look at the individual events in the middle. They just look at the start of the game. They assert that you made it there. Those are sort of the two styles of controller guys I like to have. Like, the first one tells you, like.
A
If I have this starting point, I will immediately do this next step, and it's, I can, you know, understand that that's going to do it, and that, that will give you really precise, like, ins and outs, but what it doesn't tell you is, like.
A
Do you have weird race conditions that the race detector will notice? Because the only way the race detector notices anything is if you actually run separate goroutines and let it do its thing and converge onto some state. So, like, those are the, sort of the two styles that I've tend to see. Is that, am I making sense?
D
Yeah, definitely. One question: for example, the controller only acts when we did millions of, of encryptions or the week passed, so should I, basically, like, one of the comments was to make it configurable, to configure it down to maybe, instead of one week, to one minute or anything like that. But then it would create a test that at least takes one minute. And on the other side, should I maybe change the, the threshold for, for encryptions done and then make this somehow configurable for the test?
A
So I, I think what you would want is, like, maybe ignoring configuration from the outside, from the public APIs for now, but make it so that at least internally they're private variables on the struct that has a state. So that way you can tweak it inside your test however you want to. And also I would want to use the clock interfaces that we get from the API machinery packages.
D
Okay, yes, I would definitely look up API machinery and the clock interface. But what do you mean by changing the private values, because.
A
So because the test is in the same package, right, it can mutate. Okay, so, so, like, you know, you would have, like, a, a, like, what you call it, like, a, a private new function that lets you pass in all the parameters that you want, and then you have a public New function with a capital, and that doesn't let you pass, right? So it'll use, like, a real clock and a real, all the real constants as its input, and the outer, the outer package.
A
You know, like, an external consumer can't tweak those yet, and we can figure out what APIs we want to support going forward there, maybe at a later date, so we don't have to, like, decide on, like, our public API at this exact point.
A
I'm not saying that's, like, the greatest way of doing code. It's just the relative pattern that we have. It works, works okay.
D
Okay, good to know, because usually it's, it's a kind of a code smell or something like that, right? That.
A
Yeah, this is by no means the worst thing I've ever done. I've done so many words. Much worse. I, I have used the unsafe package in tests before to poke at things that weren't supposed to be pokable, because the, whatever thing that I was poking at, the library author decided that I wasn't allowed to poke at it, and I was like, it's not helpful, like, the Go.
A
A
So, like, to give an idea what I'm thinking here, right, it would be, everything would.
B
Be set, that's, that all these services.
A
B
A
G
F
C
G
Like, I don't know, like, the hot reload stuff and storage migration and stuff, like, I think those should be tested, right? Whether or not you need the reference, reference implementation to test that, that I don't know.
A
Right, right, so, so certainly, like, I would expect, like, a, add new integration test that.
A
All right, so today we have, like, the base64 encrypting thing that is, like, a, well, I forget exactly how it works, who haven't looked at a long time, but it's not using any of the reference implementation, right?
A
So we, we would want integration tests at that level, and those could exercise much more fine details about the reference implementation if we want them to, or, or some aspect of KMS v2, that either e I don't expect us to have really much control over the internals, right, because you're, you're just going to have a real API server, real EBS and everything, right? So it's, yeah.
G
So, do you foresee, like, hot reload and storage migrations be part of this new integration test suite?
A
A
Hey, my key has changed, right, and so, like, the next time you call me, don't, like, don't expect, like, you expect your reads to be considered stale, right? That's the issue that you have data to implement that part, right?
A
So once, once you have that, you don't, like, you could reasonably just set up KMS v2 with one config and never change it, even as you're rotating keys, because the plugin can be, like, polling, basically, like, the key vault and be like, hey, what key should I be using? What's, like, what's the status, like, what's my status? And if it changes, that information flows up, so you don't actually need to change any config, right? So, like, you don't actually need automatic reload or hot reload for KMS v2.
A
It's actually much more important that we want. Does that make sense?
A
I mean, automatic reload you can use today without even using KMS. You can use the local keys.
G
A
A
I mean, it is, like, did write one, at least one integration. No, no, there's, like, at least two integration tests for this. They're tested in, like, different ways, but they, they test, like, the hot reload feature, like, if you change the file like this, does it change? If you change the file like that, it doesn't change. That reminds me of, like, we probably need an issue for the gaps, right? There's one where we, we had a.
E
Or the same link, yeah. Like, yeah, I'm still finishing up that, like, additional test PR, and before sort of making it concrete I want to just thoroughly test it. But we can act. Probably now.
A
A
Yeah, so storage migration fits in very specifically, because what we were saying is, if there, we're saying that, you know, if you have some way to observe API server state, if, we don't have an API for today, but let's say, just say you do, then.
A
A
A
Lives in backlog, so I, I guess storage migration is not part of beta, mostly because the stuff we depend on isn't ready yet. You only have, like, small pieces of it, right, but.
A
B
B
A
A
Encryption at rest, the whole, the whole concept, which makes sense to me, because it's, like, not observable from the outside, so it's kind of hard to have a conformance test that says anything useful about it. So I, I, I'm, like, for, like, I'm not sure, like, this, like, applies, and, like, this is also unclear, because these are not endpoints, because the gRPC API doesn't actually meet the normal things, right? It's, like, this weird thing. We can, we can call them endpoints, just, and be like, yeah, we're just going to treat them that way.
A
H
G
H
G
Link to that issue that you're creating, and then, if you go to, like, rollout, upgrades and rollback plans, it says we also need to update that before beta.
G
If you, yeah, rollout, updates and rollback plans, it says this section is incomplete and will be updated for the beta milestone.
G
Well, these are, oh yeah, yeah, specifically called out for beta.
A
Yes, anyway, I don't disagree there, I just, it's an incredible amount of work to even think about what to write for such a scenario, right? All right.
A
A
Just putting it, that would almost certainly be available, so for storage migration. We.
B
A
C
A
A
G
B
E
A
A
Yeah, yeah, I mean, I'm, I am hopeful that we can get this to beta.
A
Well, there's a big asterisk. I, I think, I think it's that REST APIs are not enabled at the beta level by default. I think this one is weird because there's a feature that's beta, but then also an RPC API that's beta, but it's not a REST API, so I don't know, I, I, we should just ask, we should just, we, I'll just add this as an item for the agendas, like, which way, which way should that go, and hopefully, Jordan, you can provide us some guidance from the API review side. So.
G
A
Okay, so I have two items for next week. It's good. I realized we're, like, at the end of the meeting. Christoph, you still have a few minutes? I wanted to talk to you about the reference stuff.
A
The, I think the specifics I wanna figure out is, like, how we can, like, how we can start merging things, basically. And I think the easiest thing might be is to, like, basically break it up into, like, really tiny chunks that are, like, small enough that, like, it takes, like, 30 minutes or maybe even merge, instead of, like, the whole thing at once.
A
So, like, I, I think the smallest piece that wouldn't do anything yet, but it would be a piece, is the, the part that takes the gRPC API, like, that horrible ugly generated thing, and then wires it against the more nicer Go interface. That's, it's basically the same interface but, like, smaller, that, you know, that service interface that we have. I.
A
D
Passed through, so does the gRPC doesn't generate an interface that we could use?
D
Isn't there already an interface generated by the gRPC? What would be the benefit of creating another interface that does more or less.
A
The same, so we, we have.
B
A
D
A
A
Yeah, so I, I think, like, so we, we have, I'm trying to remember where it exists, so we have on the API server side and the client side, the client-side gRPC that then just basically, like, implements this interface, I think. Am I, remember that, Niche? Yeah, yeah, it implements this interface, and I, I.
A
Think on the server side, so, on the plugin side, I think we would want to take the server-side RPC and use one of these. So it's just good, it'll actually end up being used both in client and server, and I think it would work just fine. It's obviously, like, different implementations, that'll be.
A
But I think that's kind of what I'm hoping for is, like, the starting point. That should be super small, super easy to merge, and then, then we can start, like, for example, like, one of the implementations I want from, for, for this interface is, we, we, you'll see this a lot in the Kubernetes auth code, the concept of a delegate, where you have an interface that does a small amount of thing and it immediately delegates to a different implementation in that same interface.
A
So one implementation I want for this is one that adds delay, like, an arbitrary mining delay, right? So that way we can have, like, an implementation that uses a local key, and that's one static implementation, and have another one that just arbitrarily adds delays to all these calls and then delegates to some other one, right? So that way, in our, in our test environment, right, then, when we want to build out the implementation, we, we just layer them together in the specific way we want.
D
You know, because I'm, I'm not familiar with all the, all the solutions about the solution space within Kubernetes that were, so something that, so a concept that might be very familiar to, to anage and you, it's, like, completely alien to me. So it's sometimes hard for me to visualize what you mean, but I'm eager to learn.
A
So, like, to give you an idea, so in, in the Kubernetes auth stack, we have this interface called, like, authenticator.Request. It just takes a request object, yeah, I, I.
A
A
Yes, it's probably all of me somewhere in there, right, but so the gist of, you know, like, so this, you, as you can see, right, this new function takes an authenticator and just returns a different authenticator, and all it's doing is, it's calling its delegate, right, this guy, and then it's like, hey, I want to add, like, one group, the authenticated group, and then I'm gonna pass it back, right?
A
So if you change, in, in this example, if you change the request authenticator to the, that service interface, you can imagine a implementation of the service interface that literally just adds time.Sleeps to all the calls and then calls the delegate, right? So that would be basically an implementation that adds arbitrary delay, right, but it doesn't, it doesn't care about what it's delaying. Those are, it's a separate concern, right? So, so we could have, we could add delays to any different implementation that we wanted for any purpose, right?
A
So, however we feel, right, so you could have a local-key-based one, a hardware, hardware-based one, whatever you want, right, like, if you have any of those but with delay, if you wanted. That's just, like, one other thing.
A
Of why I want this interface to be used, because I expect there to be a few implementations of this, some of which are standalone, some of which are, like, sort of glued together more, in more elaborate ways, either for test purposes or for the real one. All right, like, we, we will need, like, a quote, unquote real one, right, that's being used in the e2e conformance in some way, shape or form, right?
A
I'm not, I, I'll admit I haven't fully thought through exactly what that code looks like, but in, in some way, shape or form, right, like, you should be able to say, I have my remote KMS that implements this interface and, on top of it, I add a key hierarchy or I don't add a key hierarchy, right? And if you're, if your remote KMS is actually a local piece of hardware, you don't need the key hierarchy, because the local hardware doesn't have, like, network.
A
I/O associated, it's just basically as fast as your machine can do encryption, which, like, on the modern Intel processors, actually really fast, because they have dedicated hardware for it, right? Am I making sense? That's, that's kind of, like, the high-level plan I have for this, is that, like, we have a bunch of different implementations of this interface and we glue them together to sort of give you the ideal. That's right, like, so.
A
You know, for Azure Key Vault we're going to use the key hierarchy in a remote, like, you know, obviously, in, in the Azure implementation, we'll import the Azure SDK, implement this interface using the Azure SDK, but then layer on top of it the key hierarchy. Obviously not layer delays on there, because that would just be, and that would be awful, I would just be messing with customers for fun.
A
That's kind of the thought I have, right, and, and hopefully we can set up the code in a way that, like, we can all work on this at some amount together, so that way, yeah, I, ideally we start merging stuff next week, and then I, I'm okay, I'm.
A
Okay if we need to, like, make issues that say, hey, I, I added this small piece and initiated this small piece, now those two small pieces are there, now I have to write this test, right? Like, it's okay, like, if, if we split it up enough that, even if not everything can have, like, the integration test, like, everything should be able to have some kind of unit test pretty easily. But it's okay.