| 25 Oct 2021 |
David Arnold (blaggacao) | SVID = Certificate of Identity (X509) + spiffe ID | 18:20:05 |
David Arnold (blaggacao) | SpiffeID: spiffe://com.mydomain/me/and/my/dog | 18:20:41 |
tomberek | SPIFFE is good, but like anything x509, complex. | 18:21:02 |
David Arnold (blaggacao) | All that credentials actually do is to establish identity (in a very old-fashioned way) | 18:21:35 |
@timdeh:matrix.org | yeah I was about to say, x509 might be the only format even more frustrating to use than gnupg 😅 | 18:21:36 |
David Arnold (blaggacao) | X509 is very simple, and interoperable with tls. | 18:22:10 |
David Arnold (blaggacao) | * X509 is very simple, and interoperable with tls. | 18:22:17 |
David Arnold (blaggacao) | Sure you can have TLS and something else. But that looks like more complexity still due to an additional component. | 18:22:47 |
David Arnold (blaggacao) | Ok, I'd agree that TLS is complex. 😎😆 | 18:23:17 |
David Arnold (blaggacao) | But what is security at rest without security in motion? | 18:23:33 |
tomberek | (going slightly off-topic): i'm sad that client x509 certs never got better UI support in browsers/ecosystem | 18:24:24 |
tomberek | we now have FIDO2/U2F instead | 18:25:10 |
David Arnold (blaggacao) | & Webauthn | 18:25:43 |
David Arnold (blaggacao) | * & `webauthn` | 18:26:00 |
David Arnold (blaggacao) | And JWTs 😕 | 18:26:10 |
David Arnold (blaggacao) | Circling back to secrets management.
Every secrets management problem is in reality also an identity assertion problem. | 18:27:09 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ also an identity assertion problem. | 18:27:18 |
David Arnold (blaggacao) | With some evolution on the application side (or a Smart wrapper), we can solve those problems at the root. | 18:27:52 |
David Arnold (blaggacao) | * With some evolution on the application side (or a `SIGHUP`ing Smart Wrapper), we can solve those problems at the root. | 18:28:09 |
David Arnold (blaggacao) | So: let's assert identity based on something (observable) that you are rather than on what you know. | 18:29:15 |
David Arnold (blaggacao) | * Circling back to secrets management.
Every secrets management problem is in _reality_ an identity assertion problem. | 18:29:38 |
@timdeh:matrix.org | https://github.com/mishajw/kipa? | 18:30:13 |
David Arnold (blaggacao) | Like a kernel-based hash of the app binary. | 18:30:17 |
David Arnold (blaggacao) | * Like a kernel-provided hash of the app binary. | 18:30:44 |
David Arnold (blaggacao) | Or a combination of a bin-hash, a user / group. | 18:31:14 |
David Arnold (blaggacao) | * Or a combination of a bin-hash, a user / group that the kernel reports about the execution environment of a process. I.e. tale-telling process stats. | 18:31:48 |
David Arnold (blaggacao) | I mean, the subjects of identity are, in reality, processes, not hosts. | 18:32:38 |
@timdeh:matrix.org | but how do we use that exactly? | 18:34:15 |
David Arnold (blaggacao) | An attestor can map those fingerprints to an identity certificate. | 18:34:43 |
David Arnold (blaggacao) | * An attestor (vault, spiffe, step-ca) can (securely) map those fingerprints to an identity certificate. | 18:35:22 |