Comments (3)
As a follow-on to the above: one of the proposed solutions here was to relax Sigstore/Fulcio's current "one-SAN" rule, and allow multiple SANs: zero or more per email associated with the account, plus an OtherName
SAN for the username.
This would (in theory) be backwards compatible with existing clients, but might also cause breakage (since clients may currently assume only a single SAN) and introduces some ambiguity (it's unclear which among the SANs is "preferred," or whether they're all equally valid, as well as whether they all refer to the same logical entity.)
I think my personal preference here would be to preserve the "one-SAN" rule, and improve the OAuth/Dex flow page to emphasize the different kind of identity being obtained (e.g. have different sections for email vs. user identities). I'm not sure how hard that would be to do on the Dex side, through (is it possible to have the same IdP registered multiple times, but with different configurations for the resulting ID?)
from fulcio.
@wlynch suggested another format which would be using GHs noreply format used for private emails, [email protected]
. This might be the best of both worlds - We get username, we get userid for immutability, the format is an email so no clients would need to be updated.
We'd need to patch our instance of Dex to include dexidp/dex#2618, and would likely still need to configure Dex to add both username and user ID.
from fulcio.
That solution is nice, although perhaps it should be all or nothing: having it be the user's primary email in some cases rather than the noreply
email means that we lose the consistency of having a GitHub "username" identity that we can mangle out of the email identity.
Perhaps it's too much work, but IMO the ideal solution here is:
- Adopt dexidp/dex#2618 for the current GitHub IdP connector, plugging the privacy concern noted above;
- Add another GitHub IdP connector that supports username identities. Visually separate this one in the OAuth flow to help users avoid confusing the two.
OTOH, having two separate GitHub IdP connectors might cause a lot of user confusion, even if visually separated.
from fulcio.
Related Issues (20)
- There is a typo
- Proposal: Integrate with attestation for hardware-backed keys HOT 7
- Allow for a configurable Gitlab url HOT 2
- ACME protocol for certificate issuance
- Add Shutdown behavior
- Do not block startup on OIDC providers being offline
- How does cosign verify use the privatized fulcio deployment? HOT 1
- add info into readme about local doc
- Allow configurable client signing algorithms HOT 11
- Issue while running sigstore locally HOT 3
- Fulcio doesn't pass http customization to go-oidc
- Request For Comment: Removing support for detached SCTs HOT 5
- Add support for release attestations HOT 3
- Dockerfiles use amd64-specific images HOT 1
- Make pkg/certificate/parseExtentions function public
- Codefresh OIDC provider support HOT 3
- [Windows] ctfe_init container "/bin/sh: 1: /root/logid.sh: not found" HOT 2
- Cosign failed to sing the image HOT 1
- TLS verification on OIDC Issuers
- How can I get the CT log? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fulcio.