Please sign your artefacts. WITH WHAT?

UB5.132 | Day 1 | 10:30 - 10:55 | Speakers: Olle E. Johansson

Abstract

The world of SBOMs and software transparency artefacts - in-toto attestations, VEX updates and much more - all mention digital signatures. But not with what and how we should validate these. One thing is for sure - we don't want to use the existing WebPKI. There are some interesting initiatives, like Sigstore, but they do not solve all issues. It's time that we work on solving this problem and define a solution for digital signatures that is distributed, secure and trustworthy. This is a call for help!

