
It sounds neat, but I am uncomfortable with a central CA (Fulcio) and central log (Rekor). And I trust OIDC providers about as far as I can throw them. Granted, the whole point of a central audit log is to make misbehaviour apparent, but it still strikes me as the wrong direction.

I don’t have a useful proposal for a decentralised version, so I’m just kvetching at this point.

Also, neither X.509 nor JSON is great. We can do better. We should do better.






Check out sigsum.org for a simpler design with a stronger threat model.

As for building a decentralized append-only log, that would complicate the design and the threat model quite a bit. In particular it would make proofs of inclusion and consistency much less efficient.


You can deploy your own Fulcio & Rekor.


