fulcio
Is Dex a distinct issuer? Or just part of Fulcio?
From a conversation on "Sigstore clients should require a provided identity":
From a conversation Hayden and I had -- so I don't forget about this. Does it make sense for clients to be able to know that Dex was the proxy here? If Dex had a CVE May 1st-10th -- we would need to invalidate all github/msft/google certs whether or not they were issued by Dex because we don't know if a proxy was involved or not. – @loosebazooka
Great point.
I think there are two ways to think about this:
- Dex is basically part of Fulcio, so a Dex vuln is equivalent to a Fulcio vuln and we should invalidate them in the same way.
  - Pro: simpler, hides Dex from users.
  - Con: revocation is hard. If we're willing to revoke all Fulcio certs from a window, that's pretty substantial collateral damage. But I don't see an easy way to revoke only the Dex certs. (Terrible idea: we could have an intermediate cert for each IdP inside of Fulcio?)
- Dex is a separate IdP provider, and should be treated as such.
  - Pro: more correct/precise.
  - Con: less ergonomic. We'd have to define a "--certificate-issuer" syntax for "MSFT, via Dex".
Also, I don't 100% understand the revocation flow here that lets clients start rejecting certs from specific issuers on specific dates. – @znewman01
My two cents are I'd prefer to not differentiate between Dex and Dex+downstream IdP, recognizing the issue of revocation. I think the verification story is much cleaner if Dex is just an abstraction layer. – @haydentherapper
I'm inclined to agree with Hayden here, but we should make a decision and document it. Additionally, we should make a plan for revocation.
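The revocation flow znewman01 asks about, sketched as a client-side policy check that runs one Dex-CVE window under both models from the thread. This is an added example, not Fulcio or cosign code; the issuer URLs, serials and the 2022 dates of the window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed issuer URLs standing in for Dex and the IdPs it fronts.
DEX = "https://dex.example/auth"
GOOGLE, GITHUB, MSFT = ("https://google-idp.example",
                        "https://github-idp.example", "https://msft-idp.example")

def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class CertInfo:
    """What a verifier can recover from a short-lived Fulcio leaf cert."""
    serial: str
    issuer: str                 # identity issuer named in the certificate
    not_before: datetime        # issuance time
    via: Optional[str] = None   # proxy the login went through, if recorded

@dataclass(frozen=True)
class CompromiseWindow:
    issuer: str                 # issuer or proxy believed compromised
    start: datetime
    end: datetime

def is_rejected(cert: CertInfo, windows: list[CompromiseWindow]) -> bool:
    """Reject a cert issued inside a window for its issuer or its proxy."""
    parties = {cert.issuer, cert.via} - {None}
    return any(w.issuer in parties and w.start <= cert.not_before <= w.end
               for w in windows)

def rejected_serials(certs, windows) -> list[str]:
    return sorted(c.serial for c in certs if is_rejected(c, windows))

def compare_models() -> tuple[list[str], list[str]]:
    """Constructed Dex CVE window (1-10 May 2022) applied under both models."""
    dex_cve = (_utc(2022, 5, 1), _utc(2022, 5, 10))
    may5, may20 = _utc(2022, 5, 5), _utc(2022, 5, 20)
    # Model 1: Dex is hidden, so a Dex CVE needs a window on every fronted IdP,
    # which also rejects the Google cert that never touched Dex.
    hidden = [CertInfo("g-direct", GOOGLE, may5), CertInfo("gh-proxied", GITHUB, may5),
              CertInfo("ms-proxied", MSFT, may5), CertInfo("g-later", GOOGLE, may20)]
    hidden_windows = [CompromiseWindow(idp, *dex_cve) for idp in (GOOGLE, GITHUB, MSFT)]
    # Model 2: the proxy is recorded in the cert, so one window on Dex is precise.
    explicit = [CertInfo("g-direct", GOOGLE, may5), CertInfo("gh-proxied", GITHUB, may5, via=DEX),
                CertInfo("ms-proxied", MSFT, may5, via=DEX), CertInfo("g-later", GOOGLE, may20)]
    return (rejected_serials(hidden, hidden_windows),
            rejected_serials(explicit, [CompromiseWindow(DEX, *dex_cve)]))
```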