Comments (8)
How would the x509 SVIDs work here? I get the concern with replay attacks, but I think that's partially mitigated by using a custom audience field and the short expiration time.
See here for the audience field: https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#32-audience
Audience would work but only if you get a fulcio-specific token which I think is not how SPIFFE works. I think it issues SVID documents (JWT/X509) periodically to the workload/VM/... but not on demand scoped to some specific use case. So, you get a SVID that's scoped to all the systems you need to access. Please correct me if that's wrong, I'm not fully sure.
X509 SVIDs act as mutual TLS auth certs where the fulcio service would look at the cert instead of a token. Since you can't re-use a TLS session against another service it's safer than a token.
Audience would work but only if you get a fulcio-specific token which I think is not how SPIFFE works. I think it issues SVID documents (JWT/X509) periodically to the workload/VM/... but not on demand scoped to some specific use case
I don't think that's correct. See here for how to pass in an audience to the workloadAPI FetchJWTSVID call:
https://pkg.go.dev/github.com/spiffe/go-spiffe/v2/workloadapi#FetchJWTSVID
You're right, makes sense. In that case it's "just" the replayability. If fulcio accepts TLS connections directly (not via an L7 load balancer) then it shouldn't be too hard to switch to X509 SVIDs.
We currently terminate SSL at the load balancer level.
What's the exact threat model? The requests are over TLS so I'm not sure I understand the MITM concern for stealing a SVID.
We could always work around replay concerns some other way with an in memory cache or a 1-1 relationship between SVIDs and issued certificates.
The attack could be done by someone with access to the platforms where the load balancer or Fulcio is running. So either an inside attack or an outside hack. But given that monitors/auditors currently can't validate Fulcio's honest operation (Fulcio has to be trusted to only issue certs if an authentication took place, see also #80), fixing this particular replay problem wouldn't help much anyway. I'm happy to close this particular SPIFFE issue as solving it doesn't improve general security by much I think.
Thanks - I think you're correct overall, and this is eventually the role of the CT log Fulcio issues certs to. All Fulcio behavior should be auditable using these logs, so any misbehavior could be detected.
Combined with the Rekor log, you can actually trace any Fulcio misbehavior all the way from a mis-issued certificate to the artifacts that were signed, allowing for very fine-grained revocation.