In sigstore/cosign#108, we're discussing support for YubiKey and other PIV devices in our signing clients.
One feature of these devices is that they can produce a hardware-bound attestation certificate with a unique serial number from the manufacturer. It might be interesting to allow Fulcio's root CA to issue a longer-term device certificate that can bind these devices to the OIDC account through some kind of registration process.
The actual signing keys on the devices can be reset/rotated more frequently, but it might be nice to somehow "lock" the device itself to the user with a multi-year, discoverable certificate on the tlog.