Docker collaborates with BastionZero to establish the OpenPubkey project, which opens opportunities for users who log in via OpenID Connect (OIDC) to create their own public/private keys for signing documents or other files.
OpenPubkey is an endeavor to create a secure software development system, where each software component can verify the identity of the developer through digital signatures. Previously, a similar initiative called Sigstore was developed, which created a certification authority to authenticate users through OIDC login in order to issue keys for signing documents. However, OpenPubkey takes a different approach by eliminating the need for a certification authority and instead relying on the digital signatures of IdPs (Identity Providers such as Google, Azure AD, Facebook) to confirm authenticity.
During the OIDC login process, users have the ability to include any desired data in the nonce field. OpenPubkey suggests inserting the SHA-3 hash value of the public key in this field. This verification process ensures that the public key truly belongs to the user, similar to how an ID token is validated for various web logins.
Sigstore, OpenPubkey’s direct competitor, acknowledges that OpenPubkey is indeed simpler, but it does come with certain limitations. For instance, if an IdP changes the key used to sign the ID token, there will be no evidence linking it to the user’s previous keys. Another concern is the potential danger of including the ID token as a substitute for a public key. Although users can generate an ID token solely for the purpose of acquiring a public key, different services, like Facebook or Google, have varying degrees of access to user data. Some services may not thoroughly check the claim value that specifies the capabilities of an ID token, allowing users to access more data than intended.
Docker plans to incorporate OpenPubkey for signing containers in the future to enhance software security. Presently, the project is being managed by the Linux Foundation.
In conclusion, OpenPubkey, a collaboration between Docker and BastionZero, provides an opportunity for users to generate their own public/private keys through OIDC login. By leveraging IdP’s digital signatures, OpenPubkey aims to establish a secure software development system. While it simplifies the process, there are limitations to consider. Docker sees potential in OpenPubkey’s application for signing containers, emphasizing the importance of software security. Managed by the Linux Foundation, OpenPubkey is poised to make valuable contributions to the field.