Design: Allow (permanent?) binding of hardware tokens to OIDC accounts #66
Labels
Comments
|
@dlorenc, is this something you want to explore still? I don't think we need to pursue this anymore since we encourage the use of ephemeral keys by default. |
|
We can drop this one. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In sigstore/cosign#108, we're discussing support for yubikey and other PIV devices in our signing clients.
One feature of these devices is that they can produce a hardware-bound attestation certificate with a unique serial number from the manufacturer. It might be interesting to allow Fulcio's root CA to issue a longer-term device certificate that can bind these devices to the oidc account through some kind of registration process.
The actual signing keys on the devices can be reset/rotated more frequency, but it might be nice to somehow "lock" the device itself to the user with a multi-year, discoverable certificate on the tlog.
The text was updated successfully, but these errors were encountered: