| 25 Oct 2021 |
tomberek | you can use exec to decrypt something for you at eval-time, but it would often leak into the /nix/store. You'd need a build-time exec. | 18:14:45 |
David Arnold (blaggacao) | Good resume; | 18:15:07 |
@timdeh:matrix.org | * we use a vault-plugin for our tfstate atm | 18:15:08 |
David Arnold (blaggacao) | * Good resume! | 18:15:13 |
David Arnold (blaggacao) | To de-throne the sheesy magic addition to manage configs, build time exec might be what's needed, though. | 18:15:50 |
@timdeh:matrix.org | That opens up a pretty huge can of impure worms though | 18:16:14 |
David Arnold (blaggacao) | For all that involves nixos or derivations, that would be very much self-inflicted harm. | 18:16:38 |
David Arnold (blaggacao) | Yeah, sheesy's serverless approach to rotation is a bit of a pain, too. | 18:17:49 |
tomberek | The idea is that decryption is either success or failure, so it's not impure, but either pure or impossible. | 18:17:53 |
David Arnold (blaggacao) | If we need identity, let's just use an attestor (such as vault or spiffe or step-ca). | 18:18:22 |
@timdeh:matrix.org | which reminds me, I also found this yesterday:
https://openpgp-ca.org/ | 18:18:44 |
David Arnold (blaggacao) | If we just need to assert identity, a SVID based approach might be a bit more interoperable. | 18:19:41 |
David Arnold (blaggacao) | SVID = Certificate of Identity (X509) + spiffe ID | 18:20:05 |
David Arnold (blaggacao) | SpiffeID: spiffe://com.mydomain/me/and/my/dog | 18:20:41 |
tomberek | SPIFFE is good, but like anything x509, complex. | 18:21:02 |
David Arnold (blaggacao) | All that credentials actually do is to establish identity (in a very old-fashioned way) | 18:21:35 |
@timdeh:matrix.org | yeah I was about to say, x509 might be the only format even more frustrating to use than gnupg 😅 | 18:21:36 |
David Arnold (blaggacao) | X509 is very simple, and interoperable with tls. | 18:22:10 |
David Arnold (blaggacao) | * X509 is very simple, and interoperable with tls. | 18:22:17 |
David Arnold (blaggacao) | Sure you can have TLS and something else. But that looks like more complexity still due to an additional component. | 18:22:47 |
David Arnold (blaggacao) | Ok, I'd agree that TLS is complex. 😎😆 | 18:23:17 |
David Arnold (blaggacao) | But what is security at rest without security in motion? | 18:23:33 |
tomberek | (going slightly off-topic): i'm sad that client x509 certs never got better UI support in browsers/ecosystem | 18:24:24 |
tomberek | we now have FIDO2/U2F instead | 18:25:10 |
David Arnold (blaggacao) | & Webauthn | 18:25:43 |
David Arnold (blaggacao) | * & `webauthn` | 18:26:00 |
David Arnold (blaggacao) | And JWTs 😕 | 18:26:10 |
David Arnold (blaggacao) | Circling back to secrets management.
Every secrets management problem is in reality also an identity assertion problem. | 18:27:09 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ also an identity assertion problem. | 18:27:18 |
David Arnold (blaggacao) | With some evolution on the application side (or a smart wrapper), we can solve those problems at the root. | 18:27:52 |