How to enable dynamic (delegation) certificates in CI? #44
marcofranssen
started this conversation in
Ideas
Replies: 0 comments
Dropping some thoughts on how we might use something like SPIFFE/SPIRE or equivalent technology in Notary v2, with Notary v1/TUF as the example, as that is what I know.
From a TUF perspective we build a certificate tree like this.
In a CI pipeline we would only require the delegation key and its certificate. See also this code that allows for that by having the notary server manage the timestamp keys, as opposed to the client creating those certificates.
In a pipeline I now only need to share the delegation key and its passphrase.
What if we could further delegate, or omit the delegations, in this fashion by utilizing SPIFFE/SPIRE to fetch them on the fly? Considering the short lifetime, this would reduce the risk of leaking delegation certificates. It might also simplify the signing workflow and the things an end user has to manage if we provide building blocks in the form of Docker containers or GitHub Actions that retrieve the certificate via SPIFFE/SPIRE.
Would this be feasible?
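The flow sketched in the post above, as an added example that is not part of the original discussion and is not code from Notary, TUF or SPIRE (Go is chosen because both Notary and SPIRE are written in it). It models the three roles the proposal implies: an issuer standing in for the SPIRE server CA (assumed here to be a single self-signed root with no intermediates), a CI workload that receives a short-lived X.509 SVID bound to a hypothetical SPIFFE ID `spiffe://example.org/ci/release-pipeline` and signs delegated-targets metadata with it, and a consumer that verifies the signature by chaining the SVID to the trust bundle at a given time and pinning the SPIFFE ID. The metadata bytes are a constructed placeholder, not real TUF metadata, and in a real deployment the workload would fetch its SVID from the SPIRE agent's Workload API instead of calling `NewIssuer`/`IssueSVID` itself; all function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Issuer stands in for the SPIRE server CA (assumption: one self-signed root, no intermediates).
type Issuer struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	Roots *x509.CertPool // trust bundle handed to verifiers
}

// SVID is the short-lived credential a CI job fetches instead of holding a long-lived delegation key.
type SVID struct {
	CertDER []byte
	Key     *ecdsa.PrivateKey
}

func NewIssuer(now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.org trust domain root"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Issuer{cert: cert, key: key, Roots: pool}, nil
}

// IssueSVID mints a delegation cert valid only for ttl, bound to the workload's SPIFFE ID (URI SAN).
func (iss *Issuer) IssueSVID(spiffeID string, ttl time.Duration, now time.Time) (*SVID, error) {
	id, err := url.Parse(spiffeID)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" {
		return nil, fmt.Errorf("not a SPIFFE ID: %q", spiffeID)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed for brevity; a real CA uses unique random serials
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, iss.cert, &key.PublicKey, iss.key)
	if err != nil {
		return nil, err
	}
	return &SVID{CertDER: der, Key: key}, nil
}

// Sign is the pipeline step: sign the (opaque here) delegated-targets metadata with the SVID key.
func Sign(svid *SVID, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, svid.Key, digest[:])
}

// Verify is the consumer side: chain to the bundle at time `at`, pin the SPIFFE ID to the expected
// delegation identity, then check the signature. A leaked SVID fails the chain step after NotAfter.
func Verify(roots *x509.CertPool, certDER []byte, wantID string, payload, sig []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(cert.URIs) != 1 || cert.URIs[0].String() != wantID {
		return fmt.Errorf("SPIFFE ID mismatch: got %v, want %s", cert.URIs, wantID)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

func main() {
	now, id := time.Now(), "spiffe://example.org/ci/release-pipeline"
	iss, err := NewIssuer(now)
	if err != nil {
		panic(err)
	}
	svid, err := iss.IssueSVID(id, time.Hour, now)
	if err != nil {
		panic(err)
	}
	targets := []byte(`{"signed":{"_type":"targets"}}`) // constructed placeholder, not real TUF metadata
	sig, err := Sign(svid, targets)
	if err != nil {
		panic(err)
	}
	fmt.Println("within TTL:", Verify(iss.Roots, svid.CertDER, id, targets, sig, now.Add(30*time.Minute)))
	fmt.Println("after TTL: ", Verify(iss.Roots, svid.CertDER, id, targets, sig, now.Add(3*time.Hour)))
}
```

The pipeline in this model never holds a long-lived delegation key or passphrase: the SVID it is given stops verifying at `NotAfter`, and because the consumer pins the SPIFFE ID, an SVID issued to a different workload in the same trust domain cannot sign this delegation either. What the example does not settle is where the consumer learns which SPIFFE ID a given delegation trusts; in TUF terms that mapping would have to be expressed by the delegating targets metadata, which is the design question the post is raising.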