Re: Question about gokey password generation?


Zeng, Tingyu <tingyu.zeng@...>
 

Sure will do.

Thanks
Tingyu

________________________________________
From: Tony Espy <espy@...>
Sent: Tuesday, April 14, 2020 10:44 AM
To: Zeng, Tingyu; EdgeX-TSC-Security@...
Subject: Re: [Edgex-tsc-security] Question about gokey password generation?

[EXTERNAL EMAIL]

On 4/14/20 10:31 AM, Tony Espy wrote:

On 4/14/20 10:29 AM, Tingyu.Zeng@... wrote:

Tony,

The link to the issue can be found here:

https://github.com/edgexfoundry/edgex-go/issues/1946

This issue was triaged at the end of last year by the group and it
was decided it is not within the scope of the Geneva release due to the
reasons below:

1. The move towards the Redis database and leaving Mongo
2. Prefer to use built-in Vault as database generator for Redis
3. Such an issue needs to be consistent with a broader topic of how to
vet/evaluate 3rd party components/plugins on a project level.

Thanks,
Tingyu

Thanks Tingyu!

/tony

Tingyu -

Just a heads-up re: another bug I just opened this morning concerning
our Root CA cert configuration:

https://github.com/edgexfoundry/edgex-go/issues/2495

Perhaps we can put this on tomorrow's agenda?

Regards,
/tony



________________________________________
From: EdgeX-TSC-Security@...
<EdgeX-TSC-Security@...> on behalf of espy
<espy@...>
Sent: Tuesday, April 14, 2020 10:04 AM
To: edgex-tsc-security@...
Subject: [Edgex-tsc-security] Question about gokey password generation?

[EXTERNAL EMAIL]

While testing recent changes to the snap packaging over the past week
I've been doing quite a bit of log inspection.

One thing that recently caught my eye was the following WARNING logged
by security-secretstore-setup:

level=WARN ts=2020-04-14T00:21:45.156090587Z
app=edgex-security-secretstore-setup source=init.go:256 msg="WARNING:
The gokey generator is a reference implementation for credential
generation and the underlying libraries not been reviewed for
cryptographic security. The user is encouraged to perform their own
security investigation before deployment."

Have we actually performed a review of the underlying libraries and
approved their usage? If so, perhaps we should suppress this log message
so as not to raise concern by end-users?

Regards,
/tony



