Evan Gilman

Results 113 comments of Evan Gilman

> The initial registration of a TPM's public key must be an out-of-band action that cannot be automatically done from the machine itself. That is, when a new machine is...

Had a conversation today with @Pwpon500 on this topic. The current thinking is that the server side node attestor plugin will be configured with the CA certificates needed for validating...

> As far as SPIFFE ID goes, I'm hesitant supporting something like manufacturer or serial number unless there's a way to consistently get that information out of the TPM. I...

Hey folks - I've been talking to @colek42 recently about reviving this effort to upstream the TPM plugin. He has been using it now for quite some time, and his...

@colek42 can you help us understand a little more about the following part?

> Currently, I think they are using a file-based mechanism wherein the plugin watches the filesystem for...

Thank you for opening this @zecke! I wonder what other interesting selectors we could get from systemd... I noticed that this implementation uses dbus to communicate with systemd. Can you...

Thank you for the detailed reply @zecke

> On a well configured system ...

> On a system configured to run systemd as /sbin/init it is unlikely that a non-privileged...

Sorry, I missed one!

> Do we have an example how we treat the kubelet for k8s?

By default, the k8s workload attestor validates the kubelet's TLS server certificate

Thank you for digging into this @srwaggon and @adobley! @zecke are you still up for sending this contribution? We'd be very happy to have it.

We now have the `Notifier` plugin which has a feature `NotifyAndAdvise`. This allows the plugin to advise SPIRE core on whether or not a particular event should succeed or not....