Posted by mfrw 4 days ago
Well, now you are managing CAs. Sure, it's short lived but it's not different than having a policy for rotating your SSH keys
I'm only saying this because after 20+ years as a sysadmin I feel like there have been no decent solutions presented. On the other hand, to protect my IaC and Gitops I have seen very decent and mature solutions.
That's strictly worse from a security point of view.
In an ideal world we would have private CAs and short-lived certificates that get bubbled through all the layers of the software stack. Going back to webapps and tokens is a step backwards.
I do however think this leads to a lot of problems when those companies try to protect their business models, as we are seeing a lot of today
https://github.com/openpubkey/openpubkey
BastionZero just builds on top of that to provide a “seamless” UX for ssh sessions and some auditing/FedRAMP certification.
Personally, not a fan of relying on CF. Need less centralization/consolidation into a few companies. It’s bad enough with MS dominating the OS (consumer) space. AWS dominating cloud computing. And CF filling the gaps between the stack.
They didn't "build on top of"--they built the thing.
OpenPubkey, or in general? Normal SSH CAs don't do PKI like browsers use, you make and trust your own CA(s). And if an attacker can compromise your CA private key, why can't they compromise your SSH private key directly?
That said, CAs actually really help with that problem, because if a server has its host keys signed with a CA and then the user trusts that CA then they don't have to TOFU the host keys.
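The host-certificate flow described in the comment above, as an added example that is not part of the thread: a private CA signs the server's host key, and clients trust the CA through a single `@cert-authority` line instead of TOFU-ing each host key. The CA name, hostnames, working directory and the validity window are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates an SSH host CA with
# ssh-keygen: sign a host key, then trust the CA from known_hosts so the
# client never has to accept an unknown host key on first connect.
set -eu

# Scratch directory for the constructed keys (assumed; override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# 1. Create the private host CA. In production the CA private key lives on a
#    dedicated, tightly controlled signer, not on the hosts it signs.
make_ca() {
  rm -f "$WORK/host_ca" "$WORK/host_ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'example-host-ca' -f "$WORK/host_ca"
}

# 2. Generate a host key for a (hypothetical) server and sign it with the CA.
#    -h marks it as a host certificate, -n pins the hostname(s) it is valid
#    for, and -V bounds its lifetime so a leaked key ages out.
sign_host_key() {
  host="$1"
  rm -f "$WORK/ssh_host_ed25519_key" "$WORK/ssh_host_ed25519_key.pub" \
        "$WORK/ssh_host_ed25519_key-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$WORK/ssh_host_ed25519_key"
  ssh-keygen -q -s "$WORK/host_ca" -I "$host-host-cert" -h -n "$host" \
    -V '-5m:+52w' "$WORK/ssh_host_ed25519_key.pub"
  # The server presents the result via sshd_config:
  #   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
}

# 3. The one known_hosts line clients need instead of per-host TOFU entries.
#    Argument is the hostname pattern the CA is trusted for.
known_hosts_line() {
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")"
}

# 4. Checks a client-side policy or audit script would make on the certificate:
#    it is a *host* certificate, and it was signed by the CA we expect.
cert_is_host() {
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | grep -q 'host certificate'
}

signing_ca_matches() {
  ca_fp=$(ssh-keygen -lf "$WORK/host_ca.pub" | awk '{print $2}')
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" | grep -q "Signing CA: .*$ca_fp"
}

# Stand-alone run: build the CA, sign one host, print the known_hosts line.
make_ca
sign_host_key 'host1.example.test'
known_hosts_line '*.example.test'
```

The printed `@cert-authority` line goes into the client's `known_hosts`; from then on any host under the pattern that presents a certificate from this CA is accepted without a fingerprint prompt, and a host whose certificate has expired or names a different principal is rejected.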
Isn't this what many of the companies do?
And by ZeroTrust they really mean OneTrust: trust CF. A classic off-by-one error :-)