Hacker News

eadmund, 01/22/2025

It sounds neat, but I am uncomfortable with a central CA (Fulcio) and central log (Rekor). And I trust OIDC providers about as far as I can throw them. Granted, the whole point of a central audit log is to make misbehaviour apparent, but it still strikes me as the wrong direction.

I don’t have a useful proposal for a decentralised version, so I’m just kvetching at this point.

Also, neither X.509 nor JSON is great. We can do better. We should do better.


Replies

kfreds, 01/22/2025

Check out sigsum.org for a simpler design with a stronger threat model.

As for building a decentralized append-only log, that would complicate the design and the threat model quite a bit. In particular it would make proofs of inclusion and consistency much less efficient.
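
The inclusion proofs this reply refers to are what make a single append-only log cheap to audit. As an added example (not code from Sigstore, sigsum, or anyone in this thread), here is the RFC 6962 Merkle tree construction that transparency logs of this kind use, with an O(log n) inclusion proof built and then verified against a constructed sample log; the `verify_inclusion` routine follows the RFC 9162 verification algorithm and needs only the entry, the proof and the signed root, never the log itself.

```python
import hashlib

def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 leaf hash: the 0x00 prefix keeps leaves distinct from interior nodes
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 interior node hash, 0x01 prefix
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_hash(leaves: list[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(index: int, leaves: list[bytes]) -> list[bytes]:
    # RFC 6962 audit path: sibling subtree hashes from the leaf up to the root
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [root_hash(leaves[:k])]

def verify_inclusion(index: int, size: int, entry: bytes, path: list[bytes], root: bytes) -> bool:
    # RFC 9162 verification: refold the path; O(log n) hashes, no access to the log
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn % 2 == 1 or fn == sn:
            r = node_hash(p, r)
            while fn % 2 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def demo() -> bool:
    # constructed sample log: stand-ins for signed-artifact records in a Rekor-style log
    log = [f"artifact-{i}:sha256:{i:064x}".encode() for i in range(5)]
    proof, root = inclusion_proof(3, log), root_hash(log)
    good = verify_inclusion(3, len(log), log[3], proof, root)
    return good and not verify_inclusion(3, len(log), b"forged record", proof, root)
```

A proof for a log of n entries is only ceil(log2 n) hashes, which is the efficiency a single log gives and a federation of logs would have to reproduce across operators.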

tuananh, 01/22/2025

You can deploy your own Fulcio & Rekor.