1 Comment

There are a few things that need correcting here:

"Contrary to this there’s: “use Facebook to log in and sign the supply chain.” This just doesn’t sound right to us"

You're not using Facebook to sign the supply chain. The signing operation uses ECDSA. You're exchanging an ID-Token for an OIDC scope, where OIDC is simply a form of identity and is one of many supported. Sigstore also supports multiple key mgmt approaches. Keys can be stashed in a cloud KMS (Azure, GCP, AWS, Vault, k8s secrets) or created within a PKCS11 hw dongle; you could even stick them on the blockchain if you want.

"Logs stored on servers are centralised by nature. This means that, by inherent design, all their critical operational infrastructure relies on many potential points of failure."

Not really true; there are multiple approaches to dealing with points of failure. Rekor has a sharding API should a log become corrupted. Rekor uses Trillian, which is the same backend as used by CTLs, and those things are critical infrastructure, so there is plenty of operational prior art. CTLs are run by Cloudflare, Google and Facebook: https://certificate.transparency.dev/howctworks/

"Fulcio is another point of failure. As it is a certificate rotating tree: if the service halts — there is no access to OpenID secrets and users cannot sign certificates."

Fulcio has no data store and does not persist any certs. There is no certificate rotating tree; certs are short lived and stored in the tlog.

"However, there is one point of paramount importance: only on the blockchain is it possible to prove ‘order of time.’"

We have a timestamping service.

"In turn, if the registry is out of service — users are unable to even download the manifest."

Not true; sigstore provides offline bundles which folks already use in airgapped environments. The DoD are leveraging this approach via Rancher Government Solutions.

There is a lot more wrong here, but those are the most obvious to me.

Like we said in the original article, if someone can come up with a compelling blockchain PoC, we would love to see it. That's the great thing about OSS, anyone can contribute code and share it with others.
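The comment above makes two concrete claims: the signing operation is plain ECDSA (the OIDC identity only binds a key to a signer), and an offline bundle lets a verifier check an artifact with no network access to Fulcio, Rekor or a registry. The following Go program, added here as an illustration and not code from the comment author, the original article, or the sigstore project, shows both. The `OfflineBundle` struct, the field names, the `SignArtifact`/`VerifyOffline` functions and the identity string `build@example.invalid` are all constructed for this example; cosign's real bundle format carries a short-lived Fulcio certificate and a Rekor inclusion proof instead of a bare public key, and this simplified version only shows the cryptographic core.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// OfflineBundle is a constructed, simplified stand-in for a sigstore offline
// bundle. It is NOT cosign's bundle format: a real bundle carries the
// short-lived Fulcio certificate (which embeds the OIDC identity) and a Rekor
// inclusion proof. What matters here is that everything needed to verify
// travels with the artifact, so no service has to be reachable at verify time.
type OfflineBundle struct {
	PublicKeyPEM string // signer's public key (stands in for the Fulcio cert)
	SignatureB64 string // ECDSA signature over SHA-256(artifact)
	Identity     string // identity the key was bound to (placeholder value)
}

// NewSigningKey creates the ephemeral ECDSA P-256 key that, in sigstore,
// would be generated per signing run and certified by Fulcio.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignArtifact hashes the artifact, signs the digest with ECDSA and packs the
// result into a self-contained bundle. The OIDC identity is attached as data;
// it is not used in the signing math, which is ordinary ECDSA.
func SignArtifact(priv *ecdsa.PrivateKey, identity string, artifact []byte) (*OfflineBundle, error) {
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return &OfflineBundle{
		PublicKeyPEM: string(pubPEM),
		SignatureB64: base64.StdEncoding.EncodeToString(sig),
		Identity:     identity,
	}, nil
}

// VerifyOffline checks the bundle against the artifact using only the bundle
// contents: the expected identity must match and the ECDSA signature must
// verify over the recomputed digest. No network access is involved.
func VerifyOffline(b *OfflineBundle, artifact []byte, expectedIdentity string) error {
	if b.Identity != expectedIdentity {
		return errors.New("bundle identity does not match expected signer identity")
	}
	block, _ := pem.Decode([]byte(b.PublicKeyPEM))
	if block == nil {
		return errors.New("bundle contains no PEM public key")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(b.SignatureB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("ECDSA signature does not match artifact digest")
	}
	return nil
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed artifact bytes") // stands in for an image manifest
	bundle, err := SignArtifact(priv, "build@example.invalid", artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", VerifyOffline(bundle, artifact, "build@example.invalid"))
	fmt.Println("tampered artifact:", VerifyOffline(bundle, []byte("tampered"), "build@example.invalid"))
}
```

Run it with `go run .`; the first check returns `<nil>` and the second reports a digest mismatch, all without contacting any service. The identity comparison is what a real verifier does against the certificate's subject: the key alone proves nothing about who signed, so a verifier must pin the identity it expects.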
