Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License

Secret meta schema #9

Closed dalehamel closed 4 months ago

dalehamel commented 9 years ago

Each secret should require the following metadata fields be populated. Secret meta should probably be stored in plain text, as it's not actually secret. We might want to implement this using the comment format described in https://github.com/Shopify/ejson/pull/3

Ejson should refuse to encrypt (or at least bitch heavily) if every secret that it is encrypting does not have an associated secret meta field with the following attributes:

    "secret_type" : "#{AWS|SSH|SSL|PASSWORD|TOKEN|OAUTH|OTHER}",
    "severity" : "#{LOW|MED|HIGH}",
    "notes" : "effect of key if leaked",
    "external_urls" : [
      "urls to apps and / or hosts where this credential is used"
    ],
    "rotation" : "url or plaintext instructions"

It probably makes sense to add a yaml file or something similar to the ejson gem to describe what the required fields for the secret meta are, so that this can be overridden, or have the secret meta feature be disabled entirely by 3rd parties not at Shopify who want to use ejson without this feature.

Additionally, ejson should maintain a sequential version number on each secret. This will allow us to automatically determine if the credential has been rotated (it should probably also therefore not allow the user to specify this field or override it when encrypting).

I think that the following format makes the most sense:

    {
      "my_secret" : {
        "_some_comment" : "some comment about this secret that isn't secret meta",
        "secret" : "the actual encoded secret here",
        "__meta__" : {
          (metadata described above)
        }
      }
    }

@burke for thoughts
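One way to implement the "refuse to encrypt" check described in the comment above, as an added Ruby example that is not part of the original comment or of the ejson code base. `meta_errors`, `DEFAULT_META_SCHEMA` and the sample document are hypothetical; skipping underscore-prefixed top-level keys is an assumption based on the `_some_comment` key, and the `schema` argument models the override/disable idea.

```ruby
require "json"

# Required __meta__ fields from the issue's proposal: an Array lists the
# allowed values, a Class means "non-empty value of that type".
DEFAULT_META_SCHEMA = {
  "secret_type"   => %w[AWS SSH SSL PASSWORD TOKEN OAUTH OTHER],
  "severity"      => %w[LOW MED HIGH],
  "notes"         => String,
  "external_urls" => Array,
  "rotation"      => String
}.freeze

# Hypothetical pre-encryption check. Returns error strings; an empty list
# means every secret carries complete metadata. schema = nil disables it.
def meta_errors(doc, schema = DEFAULT_META_SCHEMA)
  return [] if schema.nil?
  errors = []
  doc.each do |name, entry|
    next if name.start_with?("_") # assumption: "_" keys are plain comments
    unless entry.is_a?(Hash) && entry["secret"].is_a?(String)
      errors << "#{name}: expected an object with a \"secret\" string"
      next
    end
    meta = entry["__meta__"]
    unless meta.is_a?(Hash)
      errors << "#{name}: missing __meta__"
      next
    end
    schema.each do |field, rule|
      value = meta[field]
      ok = rule.is_a?(Array) ? rule.include?(value) : (value.is_a?(rule) && !value.empty?)
      errors << "#{name}: __meta__.#{field} missing or invalid" unless ok
    end
  end
  errors
end

# Constructed sample input in the layout proposed above.
SAMPLE = JSON.parse(<<~JSON)
  {
    "_comment": "constructed sample, not from the ejson repository",
    "deploy_key": { "secret": "placeholder", "__meta__": {
      "secret_type": "SSH", "severity": "HIGH", "notes": "push access if leaked",
      "external_urls": ["https://example.com/deploy"], "rotation": "regenerate and redeploy" } },
    "api_token": { "secret": "placeholder", "__meta__": { "secret_type": "JWT", "severity": "LOW" } },
    "legacy": "bare string with no metadata"
  }
JSON

puts meta_errors(SAMPLE)
```

A caller would abort encryption when the returned list is non-empty, or only print it to get the "complain loudly" behaviour instead.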

dalehamel commented 9 years ago

cc @Sirupsen because he was interested in this

sirupsen commented 9 years ago

Why do you prefer this format over the one I mentioned in #3? Not a fan of the 2-level depth and underscore prefixes.

dalehamel commented 9 years ago

Sorry I haven't reread the PR yet.

In the meantime, could you make a suggestion of what you think it should look like?

On Wednesday, October 15, 2014, Simon Eskildsen notifications@github.com wrote:

> Why do you prefer this format over the one I mentioned in #3 (https://github.com/Shopify/ejson/pull/3)? Not a fan of the 2-level depth and underscore prefixes.


sirupsen commented 9 years ago

    {
      "aws": {
        "value": "dfsjhhgdfshkdfshjkfds",
        "description": "This is my secret for xxxx",
        "rotate_url": "https://aws.amazon.com",
        "rotate_instructions": "To rotate this secret, clone the account <current account name>. Create a new secret."
      }
    }

Was what I proposed in a comment. A compromise between yours and that sounds better to me:

    {
      "aws": {
        "secret": "dfsjhhgdfshkdfshjkfds",
        "description": "This is my secret for xxxx",
        "type": "AWS|SSH|SSL|PASSWORD|TOKEN|OAUTH|OTHER",
        "severity": "LOW|MED|HIGH",
        "rotation": "To rotate this secret, clone the account <current account name>. Create a new secret. Then ..",
        "urls": ["https://aws.amazon.com"]
      }
    }

dalehamel commented 9 years ago

Yeah, I do like that better.

On Wed, Oct 15, 2014 at 8:57 PM, Simon Eskildsen notifications@github.com wrote:

> { "aws": { "value": "dfsjhhgdfshkdfshjkfds", "description": "This is my secret for xxxx", "rotate_url": "https://aws.amazon.com", "rotate_instructions": "To rotate this secret, clone the account <current account name>. Create a new secret." }}
>
> Was what I proposed in a comment. A compromise between yours and that sounds better to me:
>
> { "aws": { "secret": "dfsjhhgdfshkdfshjkfds", "description": "This is my secret for xxxx", "type": "AWS|SSH|SSL|PASSWORD|TOKEN|OAUTH|OTHER", "severity": "LOW|MED|HIGH", "rotation": "To rotate this secret, clone the account <current account name>. Create a new secret. Then ..", "urls": ["https://aws.amazon.com"] }}


thepwagner commented 4 months ago

Assumption: this is stale and irrelevant to the current project.