2020-04-28 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 28th of April 2020.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
| New Notary v2 project - address container image signing | Tero shared info about this new project. In general it aims at validation of container images. Notary v2 use cases: https://github.com/notaryproject/requirements/blob/master/scenarios.md Industry telcom part is missing as contributor. According to lastest ETSI NFV specs containers could be also signed by the operator. OCI artefacts project aiming for modyfying image registry so that helm charts could be stored. |
|
|
| TSC logging presentation – discussion point | TSC decision is needed, so proposal to be sent to TSC. Comments collection by 29th of April COB. | ||
| Hardcoding certificates in docker images | PKI - public certificate that is signed by the Certificate Authority. AAF contains hardcoded trust store. According to Krzysztof this is a security issue as root CA in ONAP is already compromised. By default none of the ONAP images should trust that CA. Only If user is deploying ONAP for testing, in lab environemnt, it is fine to use that. A lot of components use AAF hardcoded certificate. Trust store that is in the AAF agent image should be removed from that image and placed in the OOM as a resource and delivered in the image at the deployment time. |
|
We need to have an agreement from projects. This proposal to be presented at the PTLs call. |
| vF2F summary | We discussed about removing passwords in Guilin release, On eof the issues is removing hardcoded certificates and obviously passwords to unclock those certificates. We decied continue using AAF as an official way of retrieveing certificates. but we strongly recommen using of common template intead of doing helm chart on your own so that is it much easier to switch taht in the future, if we decide to do so. Good perception of package upgrade strategy. Jira tickets under creation. CMPv2: several mechanisms to retrieve certificats (one internal and one external). Planning to integrated CMPv2 with DCAE. CErtificate update use case will be added. Enhancements to the Client like configurable format of the output artefacts: P12 and time format support. SDNC update for 3 patches merge on CMPv2. CNTT allignment meeting. CIS benchmark test shared.
|
|
Jira tickets under creation.
Adam to help Gerard. |
| Synch meeting with Requirements Subcommittee | Synch meeting with Requirements Subcommittee – we missed the one on 27th of April to present SECCOM requirements for Guilin release – next meeting is sccheduled on May 11th. CMPv2 requirements will be presented by Pawel on to the Requirements Subcommittee. |
|
|
| CII Badging requirement | Jira tickets to be created info to be shared with Krzysztof.
|
|
|
| OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 5th OF MAY'20. |
|
|
|