Re: Question about gokey password generation?


espy
 

On 4/14/20 10:29 AM, Tingyu.Zeng@... wrote:

Tony, 

The link to the issue can be found here:

https://github.com/edgexfoundry/edgex-go/issues/1946

This issue was triaged at the end of last year by the group and it was decided it is not within the scope of the Geneva release due to the reasons below:

1. The move towards the Redis database and leaving Mongo
2. Prefer to use built-in Vault as database generator for Redis

I just discussed this with Andre (CC'd) last night, and it sounds like his initial implementation also uses gokey. ;/

I'll also point out that while working on the snap aspects of issue #1943 (configure password protection for postgres), I discovered we have yet another solution for setting an initial db password. Namely, the compose file checks for the existence of a password env var, and if not found, sets the env var to a fixed string (defined in the compose file).

/tony

3. Such an issue needs to be consistent with a broader topic of how to vet/evaluate 3rd party components/plugins on a project level.


Thanks,
Tingyu


 

________________________________________
From: EdgeX-TSC-Security@... <EdgeX-TSC-Security@...> on behalf of espy <espy@...>
Sent: Tuesday, April 14, 2020 10:04 AM
To: edgex-tsc-security@...
Subject: [Edgex-tsc-security] Question about gokey password generation?


While testing recent changes to the snap packaging over the past week
I've been doing quite a bit of log inspection.

One thing that recently caught my eye was the following WARNING logged
by security-secretstore-setup:

level=WARN ts=2020-04-14T00:21:45.156090587Z
app=edgex-security-secretstore-setup source=init.go:256 msg="WARNING:
The gokey generator is a reference implementation for credential
generation and the underlying libraries not been reviewed for
cryptographic security. The user is encouraged to perform their own
security investigation before deployment."

Have we actually performed a review of the underlying libraries and
approved their usage? If so, perhaps we should suppress this log message
so as not to raise concern by end-users?

Regards,
/tony
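The compose-file pattern Tony describes above (use the password env var if set, otherwise fall back to a fixed string written into the file) is shown below beside two fail-safe alternatives. This is an added shell example, not code from the EdgeX compose files or the edgex-go repository; the variable name DB_PASSWORD, the fallback string, and the secret-file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not EdgeX project code). Compose files express the weak
# pattern as ${DB_PASSWORD:-somefixedstring}; the same shell parameter
# expansion is used here so each variant can be run and compared.

# Weak pattern: when the operator forgets to set DB_PASSWORD, every deployment
# silently shares the same password that is baked into the file.
weak_db_password() {
    printf '%s' "${DB_PASSWORD:-changeme-fixed-default}"   # constructed placeholder
}

# Fail-closed pattern: refuse to start rather than invent a credential.
# Returns 1 (and logs to stderr) when no password was supplied.
strict_db_password() {
    if [ -z "${DB_PASSWORD:-}" ]; then
        echo "DB_PASSWORD is not set; refusing to start" >&2
        return 1
    fi
    printf '%s' "$DB_PASSWORD"
}

# Generate-on-first-run pattern: draw a per-deployment secret from the OS
# CSPRNG, persist it in a mode-0600 file so restarts reuse the same value,
# and print it. The file path is a hypothetical argument chosen by the caller.
generated_db_password() {
    secret_file="${1:-./db_password}"
    if [ ! -s "$secret_file" ]; then
        # subshell keeps the restrictive umask local to this write
        ( umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$secret_file" )
    fi
    cat "$secret_file"
}
```

Unsetting DB_PASSWORD and calling `weak_db_password` returns the fixed fallback, which is exactly the outcome the thread flags; `strict_db_password` fails instead, and `generated_db_password` returns the same 64-hex-character secret on every call once the file exists.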




