Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
ROS 2 / Security Working Group / 16 Sep 2021
ROS 2 / Security Working Group / 16 Sep 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: ROS 2 Security Working Group 2021 09 14 at 06 02 GMT 7

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

All right folks, um so recording has started. So anybody on the call have any uh topics to bring up.

B

Not from my end, uh maybe just a quick update that this big ss11 support, work is going forward and I think iker would be the better person to give the actual update on the work. But but it's it's going as as scheduled and uh and also as designed and and we are expecting to see results by the end of the year. um But probably even sooner.

A

That's excellent: um do you guys need a you know, interim or any sort of preliminary review of anything anything we can help.

B

Out with yeah, maybe I think it's a bit early right now. Still there is nothing concrete yet, but I think um yeah. Maybe it would be actually a good idea, especially when it comes to the um integration with actual asros on this. So so right now the focus has been on the dds side fully, but but eventually we need to start thinking who and what uh to do on the sros site.

A

Understood yeah, um I certainly love to help out as much as uh possible. You know the security canonical security teams, so you know whatever whatever you're ready, you know feel free to reach out to me uh or jeremy uh and um yeah. We can certainly certainly love to help out.

B

Yeah awesome awesome, yeah, I think in october we are already in a place where we could have some kind of uh early early version to at least test on our our premises, but yeah, let's see I, I think this needs also some discussion with iprosima how much the thing is in october.

B

Okay, awesome, exciting.

A

All right, any other updates or questions concerns topics.

B

um Actually, another side comment uh that is not really added in the item, but uh I've been working on on this external ca set up uh based on the document that uh sid faber started before he left. There's a drafting google docs.

B

um I don't have a link in hand right now, but basically he started to document how you can create your own ca, um right, root, ca and also the intermediate ces for permissions and and identity.

B

um So, instead of using the self-signed certificates and cell science case that that esros creates today, you could use those manual steps to create, so I've been trying to create a setup according to those instructions, and it's still not fully working. I get the authentication working and encryption is working, but but for some reason I'm unable to sign the permissions file um correctly. So I was thinking. Maybe if, when I get this working, I could make some kind of a demo and maybe continue this documentation that started.

C

So, to what extent does does that involve is just um creating your root certificate authority and placing it in the proper location, the key store and using the rest.

B

Of this ross.

C

To populate the uh cryptographic material.

B

Yeah exactly so, the esros would create us, the um the node or or or the domain participant key and certificate request. And then I I've been using google cloud, um this certificate service uh to run the cas, but basically, of course it can't be any any pki system. So um I don't know if, like what's the common opinion like, I find it a bit clumsy that esros today creates this whole japan uh automatically like it, creates the local cas and self-signed certificates.

B

So I don't know, maybe it would be convenient to think if this could could be done so that it only creates those those certificate requests and then you can integrate it with any pki system. You want, or at least give an option to do so. If somebody wants it's just like my person.

C

Yeah, so the um key framework uh I wrote before we did uh worked on s ross called the key mint and app armor took a sort of a closer approach to what um like any kind of build tool or build system, might make you like intermittent material.

C

So um it's still sort of like this file system kind of approach of of managing uh certificates, but it like generate you can ask it to generate the intermittent material with like certificate uh requests that that you could hand to signing requests that you could hand to other infrastructure to complete.

B

Okay,.

C

Those transactions.

B

I'm thinking.

C

We could do something similar in sros, where um maybe we add additional flags to to generate partial key material. That's um then deliverable to something some other infrastructure.

B

Yeah exactly sounds good and pretty much what I had in mind, because I think the current current coach does already everything we wanted to do. It's just like splitting the process a little bit in pieces of that the self-signing and something like this is optional. If the user doesn't want it to happen,.

C

But was there a technical issue, you're hanging up on and using a different route authority substituting it your own? Was it like.

B

Yeah yeah, for some reason when I, when I sign the um permission file, I'm using openssl and doing the s mine as mime signing when I give this permissions xml file and p7 file for the uh for. For my ros note, it fails to start it's giving some kind of uh well. I've been getting different kind of errors, but I think most.

C

Of them so some of the other dds vendors like rti or prosima, they do have on their documentation portals the exact um open, ssl incantate again like black magic incantations that you have to feed to.

C

um S mime certificate signing. uh You can actually look at like the s rosco. That tells you the exact flags that we had to force it to use. Okay, there's a little nuance there. My last idea is that sometimes we've had issues. We still have the issue with the certificate max size limitations.

C

So if your root certificate authority is somehow huge because it's got a lot of metadata in it, that's going to get embedded in the as the public key within the certificate authority chain of the client certificates, and that could be so fat that maybe it couldn't fit over udp packet.

B

Okay sounds good, yeah I'll check the code um yeah when I have time- and it sounds good like um this- is quite a recent recent problem, so I haven't really put too much time to tackle it yet, but that's why I haven't also raised that up in the matrix or anything sounds good. I take these uh instructions and see what it gets me.

A

Excellent yeah, I pasted a link uh to our the thing you're, referring to that's drafted. I put that in the agenda and also in the chat here so yeah. If there's any room for improvement on there, let us know we can work here as well.

B

Yes, sir, you sure yeah I'll dig it up and send it to my matrix or something excellent.

A

All right folks, anything else.

A

Great uh thanks for joining- and I hope you guys have a great week and we'll talk to you soon,.

A

Thank you.

B

You.