| 25 Oct 2021 |
 David Arnold (blaggacao) | * An attestor (vault, spiffe, step-ca) can (securely) map those fingerprints to an identity certificate. | 18:35:22 |
| David Arnold (blaggacao) | (short-lived identity certificate ~5mins) | 18:35:48 |
| David Arnold (blaggacao) | The good thing about X509, you can arrange for things to have tls and AuthC in one single artifact. | 18:36:56 |
| David Arnold (blaggacao) | For example when using postgres | 18:37:04 |
| David Arnold (blaggacao) | Hence my pledge for the SVID spec. | 18:37:37 |
| David Arnold (blaggacao) | There are X509-SVID & JWT-SVID. | 18:37:58 |
| David Arnold (blaggacao) | The one major blocker is actually that openssh last time I checked did not support atomic hot-reloading of cert context. In fact no hot-reloading, at all | 18:39:33 |
| David Arnold (blaggacao) | openssh-dev being used quasi-ubiquitously. | 18:40:00 |
| David Arnold (blaggacao) | So short lived identities have generally poor aplication support. | 18:40:28 |
| David Arnold (blaggacao) | * So short lived identities have generally poor application support. | 18:41:56 |
 @timdeh:matrix.org | how does this play into nix though? | 18:42:30 |
| David Arnold (blaggacao) | Current solution: SIGHUP as it seems and accept the downtime. | 18:42:38 |
| @timdeh:matrix.org | or rather, how would it interface with nix? | 18:42:48 |
| David Arnold (blaggacao) | In reply to @timdeh:matrix.org
how does this play into nix though? We don't have to care about secrets at all. | 18:42:54 |
| David Arnold (blaggacao) | Since nix probably never is going to be a long-running attestor. | 18:43:20 |
| David Arnold (blaggacao) | * We don't have to care about secrets at all (in theory). | 18:43:38 |
| David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime fingerprints. | 18:44:16 |
| David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime workload identity fingerprints. | 18:44:38 |
| David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime workload identity fingerprints against an identity registry. | 18:44:56 |
| David Arnold (blaggacao) | * Since `nix` probably never is going to be a long-running, stateful attestor that processes runtime workload identity fingerprints against an identity directory. | 18:45:11 |
| David Arnold (blaggacao) | We can manage the identity directory with nix-json, though | 18:46:18 |
| David Arnold (blaggacao) | * We can manage the identity directory gitopsy with `nix-json`, though | 18:46:28 |
| David Arnold (blaggacao) | Maybe ensure that the attetor and nix use interoperavle bin-hashing mechanisms. | 18:47:09 |
| David Arnold (blaggacao) | * Maybe ensure that the attestor and `nix` use interoperable bin-hashing mechanisms. | 18:47:20 |
| David Arnold (blaggacao) | * Maybe ensure that the workload attestor and `nix` use interoperable bin-hashing mechanisms. | 18:47:49 |
| David Arnold (blaggacao) | * Maybe ensure that the workload attestor and `nix` use interoperable bin-hashing mechanisms so it's easier to upadte that witness automatically during build. | 18:48:47 |
| David Arnold (blaggacao) | * Maybe ensure that the workload attestor and `nix` use interoperable bin-hashing mechanisms so it's easier to update that particular datapoint witness automatically during build. | 18:49:18 |
| David Arnold (blaggacao) | Well, I'd at least conclude: we should not investigate the secrets-management category further for nix, since "secrets-management" is a fundamentally outdated answer to the identity problem. | 18:51:59 |
| David Arnold (blaggacao) | Everything else are just work-arounds. | 18:52:08 |
| @timdeh:matrix.org | even if that's true, there are legacy reasons to improve the "secrets management" usecase | 18:52:45 |
