Use proof-of-possession with OIDC tokens. #1056

Open
znewman01 opened this issue Mar 15, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@znewman01
Contributor

znewman01 commented Mar 15, 2023

To mitigate the risk of OIDC token replay, we could require proof-of-possession for the OIDC tokens. Two approaches:

  1. DPoPs (you may have to join sigstore-dev@googlegroups.com). Not ready yet.
  2. OpenPubKey: a neat trick for PoP without requiring the OIDC provider to change.

Once we have this, Fulcio could populate a "pop-verified" claim in the issued X.509 cert.

Bonus: OpenPubKey supports "Cosign-MFA" (not related to Sigstore's Cosign), which can prevent a malicious OIDC provider from issuing bad certificates.

@znewman01 znewman01 added the enhancement New feature or request label Mar 15, 2023
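The OpenPubKey-style trick mentioned in the issue, as an added example written for this page (it is not code from the issue, from Sigstore or from the OpenPubKey project): the client generates a keypair, sets the OIDC `nonce` to a hash commitment over its public key plus a random salt, and then signs the resulting ID token with the private key. A verifier such as a Fulcio-like service checks the provider signature, checks that the nonce commits to the presented key, and checks the proof of possession. The OIDC provider is simulated with an HMAC-signed JWT (constructed, with a made-up issuer and secret); the commitment format, the `PKToken` shape and all names are assumptions for illustration, not the project's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of ID-token claims this demo inspects.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Nonce string `json:"nonce"`
}

// PKToken bundles an ID token with the key its nonce commits to and a proof of possession.
// The layout is an assumption for this example, not OpenPubKey's actual wire format.
type PKToken struct {
	IDToken string            // JWT as issued by the simulated OIDC provider
	Pub     ed25519.PublicKey // client public key committed to in the nonce
	RZ      []byte            // random salt mixed into the commitment
	Sig     []byte            // ed25519 signature over IDToken by the matching private key
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NonceCommitment derives the OIDC nonce as sha256(pub || rz), hex encoded.
func NonceCommitment(pub ed25519.PublicKey, rz []byte) string {
	h := sha256.New()
	h.Write(pub)
	h.Write(rz)
	return hex.EncodeToString(h.Sum(nil))
}

// IssueIDToken simulates the provider: an HS256-style JWT over the claims (constructed secret).
func IssueIDToken(providerKey []byte, c Claims) string {
	hdr := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := hdr + "." + b64(body)
	mac := hmac.New(sha256.New, providerKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// VerifyIDToken checks the provider MAC and returns the claims; the provider is trusted for the claims only.
func VerifyIDToken(providerKey []byte, tok string) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, providerKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(mac.Sum(nil), want) {
		return Claims{}, errors.New("bad provider signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// BuildPKToken is the client side: request an ID token whose nonce commits to pub, then sign it.
func BuildPKToken(providerKey []byte, priv ed25519.PrivateKey, sub, aud string) PKToken {
	pub := priv.Public().(ed25519.PublicKey)
	rz := make([]byte, 16)
	_, _ = rand.Read(rz)
	claims := Claims{Iss: "https://issuer.example", Sub: sub, Aud: aud, Nonce: NonceCommitment(pub, rz)}
	tok := IssueIDToken(providerKey, claims) // stands in for the real OIDC authorization flow
	return PKToken{IDToken: tok, Pub: pub, RZ: rz, Sig: ed25519.Sign(priv, []byte(tok))}
}

// VerifyPKToken is what a Fulcio-like service would run before issuing a certificate:
// provider signature, audience, nonce commitment, then proof of possession.
func VerifyPKToken(providerKey []byte, t PKToken, aud string) (Claims, error) {
	c, err := VerifyIDToken(providerKey, t.IDToken)
	if err != nil {
		return Claims{}, err
	}
	if c.Aud != aud {
		return Claims{}, errors.New("audience mismatch")
	}
	if c.Nonce != NonceCommitment(t.Pub, t.RZ) {
		return Claims{}, errors.New("nonce does not commit to the presented key")
	}
	if !ed25519.Verify(t.Pub, []byte(t.IDToken), t.Sig) {
		return Claims{}, errors.New("proof of possession failed")
	}
	return c, nil
}

func main() {
	providerKey := []byte("constructed-provider-secret")
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := BuildPKToken(providerKey, priv, "alice@example.com", "sigstore")
	c, err := VerifyPKToken(providerKey, tok, "sigstore")
	fmt.Println("honest client:", c.Sub, err)

	// A captured ID token presented with a different key fails the nonce check,
	// so the token alone is not enough to obtain a certificate.
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	replay := PKToken{IDToken: tok.IDToken, Pub: other.Public().(ed25519.PublicKey), RZ: tok.RZ,
		Sig: ed25519.Sign(other, []byte(tok.IDToken))}
	_, err = VerifyPKToken(providerKey, replay, "sigstore")
	fmt.Println("replayed token with another key:", err)
}
```

The point for Fulcio is the order of checks: the provider signature alone only proves the provider issued the token, while the nonce commitment plus signature proves the presenter holds the key the token was minted for, which is what a "pop-verified" claim would attest to.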
@OR13

OR13 commented Mar 15, 2023

No branches or pull requests

2 participants