25 Oct 2021 |
David Arnold (blaggacao) | * X509 is very simple, and interoperable with tls. | 18:22:17 |
David Arnold (blaggacao) | Sure you can have TLS and something else. But that looks like more complexity still due to an additional component. | 18:22:47 |
David Arnold (blaggacao) | Ok, I'd agree that TLS is complex. 😎😆 | 18:23:17 |
David Arnold (blaggacao) | But what is security at rest without security in motion? | 18:23:33 |
tomberek | (going slightly off-topic): I'm sad that client x509 certs never got better UI support in browsers/ecosystem | 18:24:24 |
tomberek | we now have FIDO2/U2F instead | 18:25:10 |
David Arnold (blaggacao) | & Webauthn | 18:25:43 |
David Arnold (blaggacao) | * & `webauthn` | 18:26:00 |
David Arnold (blaggacao) | And JWTs 😕 | 18:26:10 |
David Arnold (blaggacao) | Circling back to secrets management.
Every secrets management problem is in reality also an identity assertion problem. | 18:27:09 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ also an identity assertion problem. | 18:27:18 |
David Arnold (blaggacao) | With some evolution on the application side (or a Smart wrapper), we can solve those problems at the root. | 18:27:52 |
David Arnold (blaggacao) | * With some evolution on the application side (or a `SIGHUP`ing Smart Wrapper), we can solve those problems at the root. | 18:28:09 |
David Arnold (blaggacao) | So: let's assert identity based on something (observable) that you are rather than on what you know. | 18:29:15 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ an identity assertion problem. | 18:29:38 |
@timdeh:matrix.org | https://github.com/mishajw/kipa? | 18:30:13 |
David Arnold (blaggacao) | Like a kernel-based hash of the app binary. | 18:30:17 |
David Arnold (blaggacao) | * Like a kernel-provided hash of the app binary. | 18:30:44 |
David Arnold (blaggacao) | Or a combination of a bin-hash, a user / group. | 18:31:14 |
David Arnold (blaggacao) | * Or a combination of a bin-hash, a user / group that the kernel reports about the execution environment of a process. I.e. telltale process stats. | 18:31:48 |
David Arnold (blaggacao) | I mean, the subjects of identity are, in reality, processes, not hosts. | 18:32:38 |
@timdeh:matrix.org | but how do we use that exactly? | 18:34:15 |
David Arnold (blaggacao) | An attestor can map those fingerprints to an identity certificate. | 18:34:43 |
David Arnold (blaggacao) | * An attestor (vault, spiffe, step-ca) can (securely) map those fingerprints to an identity certificate. | 18:35:22 |
David Arnold (blaggacao) | (short-lived identity certificate ~5mins) | 18:35:48 |
David Arnold (blaggacao) | The good thing about X509 is that you can arrange for things to have TLS and AuthC in one single artifact. | 18:36:56 |
David Arnold (blaggacao) | For example when using postgres | 18:37:04 |
David Arnold (blaggacao) | Hence my pledge for the SVID spec. | 18:37:37 |
David Arnold (blaggacao) | There are X509-SVID & JWT-SVID. | 18:37:58 |
David Arnold (blaggacao) | The one major blocker is actually that openssh, last time I checked, did not support atomic hot-reloading of cert context. In fact, no hot-reloading at all. | 18:39:33 |