[{"author": "Zachary Newman", "text": "

hi!

", "time": "2023-01-23T16:00:32Z"}, {"author": "Joshua Lock", "text": "

:wave:

", "time": "2023-01-23T16:01:04Z"}, {"author": "Yogesh Deshpande", "text": "

Hello Everyone

", "time": "2023-01-23T16:01:30Z"}, {"author": "Dick Brooks", "text": "

Hello

", "time": "2023-01-23T16:01:46Z"}, {"author": "Yogesh Deshpande", "text": "

Good Morning to folks in USA and Good Afternoon for folks in UK

", "time": "2023-01-23T16:01:52Z"}, {"author": "Zachary Newman", "text": "

(that's this meeting)

", "time": "2023-01-23T16:03:22Z"}, {"author": "Olle Johansson", "text": "

Afternoon from Sweden :-)

", "time": "2023-01-23T16:03:40Z"}, {"author": "Cedric Fournet", "text": "

Pls switch to the other meeting

", "time": "2023-01-23T16:04:23Z"}, {"author": "Cedric Fournet", "text": "

https://meetings.conf.meetecho.com/interim/?short=e82e0525-bb13-44c1-b18d-8bd7595b8ecc

", "time": "2023-01-23T16:04:34Z"}, {"author": "Tracy Miranda", "text": "

hello

", "time": "2023-01-23T16:06:08Z"}, {"author": "Yogesh Deshpande", "text": "

Hello Tracy

", "time": "2023-01-23T16:06:22Z"}, {"author": "Yogesh Deshpande", "text": "

Please switch to the meeting above

", "time": "2023-01-23T16:06:29Z"}, {"author": "Zachary Newman", "text": "

https://docs.google.com/presentation/d/1h88-zgs7OvwBnJpijN4jYa7-eyPKumAIif1L51azNIM/edit#slide=id.p

", "time": "2023-01-23T16:06:38Z"}, {"author": "Kay Williams", "text": "

A hearty welcome to all from the sigstore community!

", "time": "2023-01-23T16:08:08Z"}, {"author": "Tracy Miranda", "text": "

I can see slides

", "time": "2023-01-23T16:16:11Z"}, {"author": "Michael Prorock", "text": "

it is coming through

", "time": "2023-01-23T16:16:13Z"}, {"author": "Christopher Wood", "text": "

Sharing is working for me

", "time": "2023-01-23T16:16:13Z"}, {"author": "Dick Brooks", "text": "

yes

", "time": "2023-01-23T16:16:13Z"}, {"author": "Isaac Hepworth", "text": "

i can see it

", "time": "2023-01-23T16:16:16Z"}, {"author": "Charles Hart", "text": "

OK screen share is visible - sorry for the interruption

", "time": "2023-01-23T16:17:57Z"}, {"author": "Tracy Miranda", "text": "

:thumbsup:

", "time": "2023-01-23T16:18:41Z"}, {"author": "Dick Brooks", "text": "

Looks like social media, i.e., Facebook, is used for \"Registration Authority\" vetting functions - correct?

", "time": "2023-01-23T16:19:33Z"}, {"author": "benny Vasquez", "text": "

not only social media, no. I've seen examples with GitHub, too, so there are others.

", "time": "2023-01-23T16:22:20Z"}, {"author": "Dick Brooks", "text": "

Thanks benny

", "time": "2023-01-23T16:22:39Z"}, {"author": "Isaac Hepworth", "text": "

in general, it used OIDC https://docs.sigstore.dev/fulcio/oidc-in-fulcio/

", "time": "2023-01-23T16:22:51Z"}, {"author": "Joshua Lock", "text": "

in fact, social media services are not supported in the public good instance. They are just a good example of OIDC use

", "time": "2023-01-23T16:22:52Z"}, {"author": "Joshua Lock", "text": "

thanks Isaac

", "time": "2023-01-23T16:22:59Z"}, {"author": "Dick Brooks", "text": "

Thanks, Joshua and Isaac

", "time": "2023-01-23T16:23:33Z"}, {"author": "Carl Wallace", "text": "

If/when you kick questions to the ACME client draft, include a reference to the attestations draft so that concept gets folded in

", "time": "2023-01-23T16:24:49Z"}, {"author": "Dick Brooks", "text": "

Thanks Zach.

", "time": "2023-01-23T16:25:29Z"}, {"author": "Dick Brooks", "text": "

I can use my google account - correct?

", "time": "2023-01-23T16:25:54Z"}, {"author": "Joshua Lock", "text": "

that is correct

", "time": "2023-01-23T16:26:04Z"}, {"author": "Dick Brooks", "text": "

thanks, Joshua - that makes it easy for me

", "time": "2023-01-23T16:26:23Z"}, {"author": "Olle Johansson", "text": "

There may be privacy issues with using email addresses, like EU GDPR and the right to be forgotten.

", "time": "2023-01-23T16:27:10Z"}, {"author": "Orie Steele", "text": "

do they go into the tree?

", "time": "2023-01-23T16:27:49Z"}, {"author": "Olle Johansson", "text": "

They're in the certificate as far as I know

", "time": "2023-01-23T16:28:08Z"}, {"author": "Olle Johansson", "text": "

Which goes into the CT logs

", "time": "2023-01-23T16:28:15Z"}, {"author": "Orie Steele", "text": "

There is a similar challenge in QLDB, regarding redaction in verifiable data structures.

", "time": "2023-01-23T16:28:25Z"}, {"author": "Dick Brooks", "text": "

The cert doesn't go away - it can be used to verify a signature, but the \"authorized signing period\" is expressed in the expiration date, in this case it looks like a 10 minute lifetime

", "time": "2023-01-23T16:28:36Z"}, {"author": "Olle Johansson", "text": "

The question is not \"is the cert valid now\" like for TLS, but \"was the cert valid at time of signing\" - which means that the timestamp is important.

", "time": "2023-01-23T16:29:14Z"}, {"author": "Dick Brooks", "text": "

How are signed artifacts identified in sigstore?

", "time": "2023-01-23T16:31:44Z"}, {"author": "Orie Steele", "text": "

Proof of control, not proof of identity.

", "time": "2023-01-23T16:33:28Z"}, {"author": "Michael Prorock", "text": "

+1 orie

", "time": "2023-01-23T16:34:58Z"}, {"author": "Dick Brooks", "text": "

Identity vetting by a Registration Authority is an absolute requirement within the Energy industry (i.e. NAESB WEQ-012 PKI standard)

", "time": "2023-01-23T16:35:33Z"}, {"author": "Dick Brooks", "text": "

http://oid-info.com/get/2.16.840.1.114505.1.12.1.2

", "time": "2023-01-23T16:38:09Z"}, {"author": "Olle Johansson", "text": "

There are users of Sigstore software that connect to internal PKIs. There is a pull request to Cosign for that. With that you can use your own PKI - with identity vetting. Sigstore's public service does not do this.

", "time": "2023-01-23T16:39:30Z"}, {"author": "Raymond Lutz", "text": "

Okay, Olle, that would be pretty important because it seems sigstore is very minimal additional security.

", "time": "2023-01-23T16:40:24Z"}, {"author": "Hannes Tschofenig", "text": "

You cannot publish identity tokens or access tokens

", "time": "2023-01-23T16:40:34Z"}, {"author": "Olle Johansson", "text": "

You always have to separate the software from the service

", "time": "2023-01-23T16:40:54Z"}, {"author": "Carl Wallace", "text": "

Let's Encrypt was mentioned as an analog. But in that case, proof of control is relevant to how the cert is used. In the Authenticode case just mentioned, how would the proof of control apply?

", "time": "2023-01-23T16:41:03Z"}, {"author": "Olle Johansson", "text": "

Where is that draft? Timestamps for Cose?

", "time": "2023-01-23T16:41:17Z"}, {"author": "Henk Birkholz", "text": "

https://github.com/ietf-rats/draft-birkholz-rats-epoch-marker

", "time": "2023-01-23T16:41:31Z"}, {"author": "Roy Williams", "text": "

Ray, put your hand down.

", "time": "2023-01-23T16:41:33Z"}, {"author": "Dick Brooks", "text": "

Let's Encrypt checks for DNS CAA records before issuing an X.509 cert

", "time": "2023-01-23T16:41:41Z"}, {"author": "Raymond Lutz", "text": "

Thx

", "time": "2023-01-23T16:41:43Z"}, {"author": "Olle Johansson", "text": "

ACME (letsencrypt protocol) has many different ways of proving ownership

", "time": "2023-01-23T16:42:23Z"}, {"author": "Henk Birkholz", "text": "

using https://github.com/cbor-wg/time-tag as part of a few options

", "time": "2023-01-23T16:42:29Z"}, {"author": "Roy Williams", "text": "

Moving from encryption pipe simplicity to signing is a tough bridge to make.

", "time": "2023-01-23T16:42:44Z"}, {"author": "Dick Brooks", "text": "

+1 Roy

", "time": "2023-01-23T16:42:58Z"}, {"author": "Orie Steele", "text": "

anyone who controls an email can publish as that email.

", "time": "2023-01-23T16:43:17Z"}, {"author": "Orie Steele", "text": "

assuming there is not mandatory MFA enabled....

", "time": "2023-01-23T16:43:32Z"}, {"author": "Olle Johansson", "text": "

Remember that sigstore is part of OpenSSF - the mission is to secure Open Source software. The tools can be used for other things. But signing commits with my Github account is a cool thing.

", "time": "2023-01-23T16:43:42Z"}, {"author": "Carl Wallace", "text": "

Right, signing commits. My question was about code signing.

", "time": "2023-01-23T16:44:07Z"}, {"author": "Henk Birkholz", "text": "

there also is tsa/tst support for cose in the queue : https://www.ietf.org/archive/id/draft-birkholz-cose-tsa-tst-header-parameter-00.html

", "time": "2023-01-23T16:44:21Z"}, {"author": "Olle Johansson", "text": "

In an enterprise environment the Sigstore service is not very helpful. A private installation would help and keep privacy when needed.

", "time": "2023-01-23T16:44:37Z"}, {"author": "Carl Wallace", "text": "

To my eye, part of the problem with code signing is lack of constraint on use of a key. I don't hear any discussion of that.

", "time": "2023-01-23T16:44:58Z"}, {"author": "Steve Lasker", "text": "

These are great points for the notary that was brought up.

https://en.wikipedia.org/wiki/Notary

A notary is a [person] authorised to perform acts in legal affairs, in particular witnessing signatures on documents.

Within the registration policy, the identity of the issuer is verified to be real.

", "time": "2023-01-23T16:45:03Z"}, {"author": "Roy Williams", "text": "

The Authenticode case is predicated on standard CA (for money) certificates. The certificates can be validated for a longer period, but run into all the problems that Zach\\Joshua mentioned. The problem I see ahead of us is identity correlation. A bucket of certificates and associating them based on dn as being == is potentially very weak.

", "time": "2023-01-23T16:45:37Z"}, {"author": "Roy Williams", "text": "

Authenticode is documented https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode

", "time": "2023-01-23T16:45:52Z"}, {"author": "Carl Wallace", "text": "

Identity verification does not limit how the key is used to verify code though. It just shows whose key was stolen. The value of a stolen key would be less if the key were less useful in a broad sense.

", "time": "2023-01-23T16:46:35Z"}, {"author": "Michael Prorock", "text": "

+1 roy

", "time": "2023-01-23T16:46:36Z"}, {"author": "Olle Johansson", "text": "

We're using the sigstore tool \"cosign\" to sign with our private PKI now - containers, code. That's easy.

", "time": "2023-01-23T16:47:13Z"}, {"author": "Olle Johansson", "text": "

https://docs.sigstore.dev/cosign/overview/

", "time": "2023-01-23T16:47:55Z"}, {"author": "Raymond Lutz", "text": "

If identity were more robustly evaluated (i.e. what notary is supposed to do) then perhaps the Sigstore model is okay. But identity is not ephemeral.

", "time": "2023-01-23T16:48:01Z"}, {"author": "Carl Wallace", "text": "

Thanks. I'll read the sigstore bits to see how one would prevent verification using your key on things you did not originate. Maybe there is a mechanism.

", "time": "2023-01-23T16:49:26Z"}, {"author": "Christopher Wood", "text": "

+1 to layers here

", "time": "2023-01-23T16:50:31Z"}, {"author": "Charles Hart", "text": "

Are we using hands-up queuing?

", "time": "2023-01-23T16:51:57Z"}, {"author": "Raymond Lutz", "text": "

For rapid fire commits this is probably fine. For releases with more substance, then a stronger level of identity is required.

", "time": "2023-01-23T16:52:01Z"}, {"author": "Michael Prorock", "text": "

have to jump for my next meeting - thanks all!

", "time": "2023-01-23T16:53:12Z"}, {"author": "Steve Lasker", "text": "

I'll defer to Charlie...

", "time": "2023-01-23T16:53:40Z"}, {"author": "Olle Johansson", "text": "

I don't agree that CP/CPS is designed only for the Web PKI

", "time": "2023-01-23T16:53:48Z"}, {"author": "Joshua Lock", "text": "

we can definitely take further questions on the list

", "time": "2023-01-23T16:55:56Z"}, {"author": "Joshua Lock", "text": "

(SCITT mailing list, that is)

", "time": "2023-01-23T16:56:03Z"}, {"author": "Carl Wallace", "text": "

The CP/CPS framework is definitely used more broadly than Web PKI

", "time": "2023-01-23T16:56:08Z"}, {"author": "Olle Johansson", "text": "

There's quite a lot of documentation available https://docs.sigstore.dev/rekor/verify-release/

", "time": "2023-01-23T16:57:05Z"}, {"author": "Dick Brooks", "text": "

I agree, Charlie. FULCIO is an issue - needs more vetting

", "time": "2023-01-23T16:58:46Z"}, {"author": "Dick Brooks", "text": "

A real RA function is needed to establish trust in identity

", "time": "2023-01-23T16:59:08Z"}, {"author": "Charles Hart", "text": "

Yes thanks for the great information guys.

", "time": "2023-01-23T16:59:08Z"}, {"author": "Joshua Lock", "text": "

thank you for the time and the questions all

", "time": "2023-01-23T16:59:14Z"}, {"author": "Kathleen Moriarty", "text": "

Thank you for the presentation.

", "time": "2023-01-23T16:59:55Z"}, {"author": "Charles Hart", "text": "

Sorry - old hand up

", "time": "2023-01-23T17:00:38Z"}, {"author": "Raymond Lutz", "text": "

Yes, thanks. I think scitt and sigstore are very compatible...

", "time": "2023-01-23T17:00:43Z"}, {"author": "Steve Lasker", "text": "

Thanks for the presentation...

", "time": "2023-01-23T17:00:51Z"}, {"author": "Charles Hart", "text": "

Bye all!

", "time": "2023-01-23T17:00:51Z"}, {"author": "Olle Johansson", "text": "

Thank you!

", "time": "2023-01-23T17:00:52Z"}, {"author": "Kay Williams", "text": "

Thanks everyone.

", "time": "2023-01-23T17:00:52Z"}]