BastionZero‘s OpenPubkey, which is a new cryptographic protocol that’s designed to fortify the open-source software ecosystem, is now a Linux Foundation open-source project. Docker is also integrating OpenPubkey, so that you can use it for container signing. This innovative cryptographic technology promises enhanced security through zero-trust passwordless authentication.
OpenPubkey provides this authentication by making a client-side modification to OpenID Connect. Connect is an authentication protocol based on the OAuth 2.0 framework. Together, these technologies simplify how programmers can verify a user’s identity. The OpenID Token can then be committed to a user-held public key. This key transforms an ID Token into a certificate that cryptographically binds an OpenID Connect identity to a public key.
This “PK Token” can then be used to sign messages, and these signatures can be authenticated and attributed to the user’s OpenID Connect identity. Essentially, OpenPubkey transforms an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA).
This process makes any application using OpenID Connect for authentication much more secure without any other changes. OpenPubkey is transparent to users and OpenID providers. An OpenID provider can not even determine that OpenPubkey is being used. This makes OpenPubkey fully compatible with existing OpenID providers. This compatability includes Google, Azure/Microsoft, Okta, OneLogin, and Keycloak. This project is not adding any new OpenID Connect trusted parties.
OpenPubkey is already being used to authenticate signed messages and identities for users with accounts on Google, Microsoft, Okta, and OneLogin. By augmenting OpenID Connect, OpenSubkey will enable users and workloads to sign artifacts under their OpenID identity. This capability is instrumental for applications requiring secure remote access and software supply chain security features, including signed builds, deployments, and code commits.
That level of application all sounds good in practise, but you should keep in mind that even OpenPubkey’s reference implementation is a work in progress. For example, the OpenPubkey client still needs support for the Github OpenID Provider, the Azure OpenID Provider (OP).
Jim Zemlin, the Linux Foundation’s executive director, is enthusiastic about hosting the OpenPubkey Project: “This initiative is poised to be a cornerstone in enhancing the security fabric of the open-source software community.” Zemlin extended an invitation to developers and organizations to join hands in this collaborative venture aimed at amplifying software supply chain security.
TestifySec, a prominent cybersecurity player. has endorsed the initiative. Cole Kennedy, CEO of TestifySec, commended the OpenPubkey approach of enabling easy and reliable signing: “The collaboration between Docker and BastionZero has our unwavering support. We are optimistic about the immense benefits the broader community stands to gain.”
Interested in learning more about getting OpenPubkey ready for production? Check out the OpenPubkey GitHub page and get to work. This is an authentication and security project that shows a lot of promise.