Luke Hinds

Results 159 comments of Luke Hinds

> Hey @lukehinds, may I ask you about an update on this? https://github.com/kubernetes/security/pull/129/

I would certainly be interested in looking at the TPM part (I just need to get my head around the mapping from an abstracted container layer to the host's hardware...

Sounds like an interesting proposal. Would the entry be signed? Rekor likes a pub key, sig so it gets non-repudiation around whoever makes the entry?

I am happy to park 1.0 for this, but first does anyone plan to work on this and what would be the ETA?

I agree, and let's do this later. A big refactor right before a major release is inviting problems, so you're wise to call this.

Yup, the transparency logs tell us that fulcio entered X email into a cert at a specific time, but we still have no guarantees that the user granted fulcio access to...

> The only thing I can come up with is to store the entire signed ID token as an X509 extension in the signing certificate. This would allow an auditor...

Just looping back on this issue as cosigned is now going to move into its own repo and we have the following issues which @lkatalin has expressed an interest in...