
(Ab)using sigstore, TPMs and SSH CA signing into something that probably works?

@Foxboron Can you describe the gist of sigstore? I know nothing about this project. The post left me curious about sigstore and the application.

@jarkko

There is a lot of material so I'll just do the quick version.

sigstore is 3 things (depending on how you count).

1. A Transparency Log for software artifacts (sigstore)

2. An Identity Portal

3. A keyless service built on top of the identity portal that issues short lived keys. (fulcio)

2 and 3 are appended to their own Transparency Log.

I'm currently (ab)using the identity portal.

@Foxboron And it is a service, not a client application?

One application for that could be a confidential computing hub. In Erax we piggybacked CPU attestations from both Intel and AMD CPUs onto x.509 certificates.

Obviously, if a confidential enclave (TEE payload) gets new pages from the host (which in most schemes it acks; dynamic allocation in CoC is a protocol between guest and host), its old attestation is invalidated. Thus these x.509 certificates are sent to a node, which goes to the Intel/AMD CA and verifies the quotes against them.

Just reflecting with a familiar application for attestation :-)

So in this case, would those certificates be put into the transparency log or the identity portal?