Date: Wednesday, March 20, 2024 - 9AM PT / 12PM ET
Participants:
- Ethan Heilman (BastionZero)
- Lucie Mugnier (BastionZero)
- Ann Ming Samborski (BastionZero)
Agenda:
- GitLab CI Support
- Solving OP Key Rotation In GitHub Using GitHub Action Commitments
- Additional Use Cases
- Any Other Business (AoB) and Questions
Ethan Heilman covered the following slides:
- Unlike GitHub, GitLab does not allow us to set the aud claim to create a new pubkey every time.
- Using a GQ-only binding, we use the GQ signature to bind the user's commitment public key to the id token.
- You MUST delete the RSA signature because, with GQ-only bindings, it can be used to generate another GQ PK token.
- The PR is available as a draft. Comments and feedback are welcome and encouraged!
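As an added illustration (not code from the OpenPubkey project or from these slides): a toy GQ-style proof of knowledge of an RSA signature in which the user's commitment public key is hashed into the challenge, so the proof is bound to that commitment while the RSA signature itself is never revealed. The RSA key, the ID token and the commitment values are constructed here and the hash padding is simplified; the demo also shows why the RSA signature must be deleted, since anyone still holding it can produce a proof bound to a different commitment.

```python
import hashlib
import secrets

# Toy OP RSA key built from two Mersenne primes (constructed for this example;
# a real OP key is 2048+ bits). e = 65537 is coprime to (P-1)(Q-1).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Python 3.8+

def op_hash(token: bytes) -> int:
    """Simplified padded hash J of the ID token (stands in for PKCS#1 v1.5)."""
    return int.from_bytes(hashlib.sha256(token).digest()[:16], "big")

def op_sign(token: bytes) -> int:
    """The OP's RSA signature S on the token, so that S^e = J (mod N)."""
    return pow(op_hash(token), D, N)

def challenge(T: int, token: bytes, commitment: bytes) -> int:
    """Fiat-Shamir challenge; hashing the commitment in is what binds it."""
    h = hashlib.sha256(T.to_bytes(32, "big") + token + b"|" + commitment)
    return int.from_bytes(h.digest(), "big")

def gq_prove(rsa_sig: int, token: bytes, commitment: bytes):
    """GQ proof of knowledge of S, bound to the user's commitment public key."""
    r = secrets.randbelow(N - 2) + 2
    T = pow(r, E, N)
    c = challenge(T, token, commitment)
    return T, r * pow(rsa_sig, c, N) % N  # s = r * S^c

def gq_verify(proof, token: bytes, commitment: bytes) -> bool:
    """Check s^e == T * J^c (mod N); the RSA signature itself is never seen."""
    T, s = proof
    c = challenge(T, token, commitment)
    return pow(s, E, N) == T * pow(op_hash(token), c, N) % N

def demo() -> dict:
    token = b'{"iss":"https://op.example","sub":"alice"}'  # constructed ID token
    alice = b"alice-commitment-pubkey-hash"  # constructed commitment values
    mallory = b"other-commitment-pubkey-hash"
    S = op_sign(token)
    proof = gq_prove(S, token, alice)
    return {
        "valid": gq_verify(proof, token, alice),
        "rebound_rejected": not gq_verify(proof, token, mallory),
        # Anyone still holding S can bind any commitment: delete S after proving.
        "rsa_sig_rebinds": gq_verify(gq_prove(S, token, mallory), token, mallory),
    }
```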
NOTE: The following slides presented by Ethan Heilman are experimental. The community is highly encouraged to review them and provide feedback!
- This proposal does not address where this information is stored or how it is distributed; it deals only with removing trust.
No additional use cases were raised during this community meeting.
- Discussion to continue on the Durable OP Key draft in next month's community meeting. Stay tuned on Slack in the #openpubkey channel.
No action items were generated from this community meeting.