dlorenc

Results 347 comments of dlorenc

cc @developer-guy any other thoughts here?

Could you explain the use case a bit more? I'm not sure I fully understand it, but it sounds like something we'd like to support.

Ah I see. cc @bobcallaway. I think we do actually support this flow because Fulcio uses a hosted Dex instance for the actual token exchanges. We'd be able to configure...

Do you need any help on this one?

I think this is basically the role of the transparency log and monitors. I'm not sure we can do much else but I'd love to hear ideas.

> EDIT: A simpler alternative would be if monitors kept refreshing the JWKS document from all OpenID providers themselves. The ID token would still have to be stored in fulcio,...

cc @raesene as discussed in Slack. We should figure out how to get the OIDC provider name into the cert somewhere asap. There's gotta be some OID that makes sense...

Some things I want to figure out first:

## How should this be configured?

Opt in vs. opt out? Proposal: Upload send by default for public images (where we can...

I think we're close here with offline bundling. We'll still want to be careful about adding entries to the log, but verification can happen if there's a bundle, whether or...

> * Splitting the cosigned webhook into a separate Go module from the `cosign` CLI, possibly even moving it to a separate repo

I don't think this will really help,...