| 25 Oct 2021 |
David Arnold (blaggacao) | * With some evolution on the application side (or a `SIGHUP`ing Smart Wrapper), we can solve those problems at the root. | 18:28:09 |
David Arnold (blaggacao) | So: let's assert identity based on something (observable) that you are rather than on what you know. | 18:29:15 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ an identity assertion problem. | 18:29:38 |
@timdeh:matrix.org | https://github.com/mishajw/kipa? | 18:30:13 |
David Arnold (blaggacao) | Like a kernel-based hash of the app binary. | 18:30:17 |
David Arnold (blaggacao) | * Like a kernel-provided hash of the app binary. | 18:30:44 |
David Arnold (blaggacao) | Or a combination of a bin-hash, a user / group. | 18:31:14 |
David Arnold (blaggacao) | * Or a combination of a bin-hash, a user / group that the kernel reports about the execution environment of a process. I.e. tell-tale process stats. | 18:31:48 |
David Arnold (blaggacao) | I mean, the subjects of identity are, in reality, processes, not hosts. | 18:32:38 |
@timdeh:matrix.org | but how do we use that exactly? | 18:34:15 |
David Arnold (blaggacao) | An attestor can map those fingerprints to an identity certificate. | 18:34:43 |
David Arnold (blaggacao) | * An attestor (vault, spiffe, step-ca) can (securely) map those fingerprints to an identity certificate. | 18:35:22 |
David Arnold (blaggacao) | (short-lived identity certificate ~5mins) | 18:35:48 |
David Arnold (blaggacao) | The good thing about X509 is that you can arrange for things to have TLS and AuthC in one single artifact. | 18:36:56 |
David Arnold (blaggacao) | For example when using postgres | 18:37:04 |
David Arnold (blaggacao) | Hence my pledge for the SVID spec. | 18:37:37 |
David Arnold (blaggacao) | There are X509-SVID & JWT-SVID. | 18:37:58 |
David Arnold (blaggacao) | The one major blocker is actually that openssh, last time I checked, did not support atomic hot-reloading of cert context. In fact, no hot-reloading at all. | 18:39:33 |
David Arnold (blaggacao) | openssh-dev being used quasi-ubiquitously. | 18:40:00 |
David Arnold (blaggacao) | So short lived identities have generally poor aplication support. | 18:40:28 |
David Arnold (blaggacao) | * So short lived identities have generally poor application support. | 18:41:56 |
@timdeh:matrix.org | how does this play into nix though? | 18:42:30 |
David Arnold (blaggacao) | Current solution: SIGHUP as it seems and accept the downtime. | 18:42:38 |
@timdeh:matrix.org | or rather, how would it interface with nix? | 18:42:48 |
David Arnold (blaggacao) | In reply to @timdeh:matrix.org how does this play into nix though? We don't have to care about secrets at all. | 18:42:54 |
David Arnold (blaggacao) | Since nix probably never is going to be a long-running attestor. | 18:43:20 |
David Arnold (blaggacao) | * We don't have to care about secrets at all (in theory). | 18:43:38 |
David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime fingerprints. | 18:44:16 |
David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime workload identity fingerprints. | 18:44:38 |
David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime workload identity fingerprints against an identity registry. | 18:44:56 |