New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open device-attest-01 support #1707
Comments
Hi @benlongo, what exactly are you looking for? Our implementation of We currently do make a few assumptions, so it's possible some changes are required to make it work for more cases. I think we're open to suggestions there, if needed. |
Hi @hslatman, thanks for your response. I believe I have misinterpreted the contents of #1545 which to me seemed to suggest that a critical component was missing to implement |
I'd be happy with a simple example attestation CA service code and some documentation/examples that shows what the flow actually would be. When I played around with this it was all way to opaque for me to be able to figure out what bits go where. |
@hslatman We are also interested in documentation around using the device-attest-01 flow with TPMs, so any documentation you can provide would be much appreciated. |
We are developing a step-ca Pro edition, for commercial use. It's a drop-in replacement for step-ca and it will include more device identity and attestation features. Schedule a time to talk with us if you'd like to learn more! |
@tashian I'm interpreting your message as an indication that smallstep does not plan on making the TPM2 attestation workflows available in their open source packages. This seems to be contrary to @hslatman's previous comment which suggested that this was indeed part of the open source offering. I would be very disappointed if this is the case, but understand the business case for it. If you do not plan on open sourcing For what it's worth, I don't appreciate GitHub issues I've created being turned into sales pitches, and I don't anticipate other folks will appreciate it either. |
Hi @benlongo, thanks for the feedback. I admit it's tricky to find a balance because I want people to know that we have commercial options that may be a better fit for them, but I'm not here to pollute the conversation with ads. And I think you may have read a bit too much into my note, so I should clarify. My understanding of this issue is that we already have device attestation features in open source—some added very recently—that are not very well documented. Our docs contain approximately one paragraph about In the meantime, beyond our current docs, we have the following blog posts about device attestation, which might help you:
Now, on to the meat of the issue. It's true that we have no plans to release an open source TPM attestation CA, and if that's what this issue is really about, then we should close it. However, I understood the issue to be a bit more broad. So, while our focus on DevOps for Finally, I want to say with humility that this is a sensitive topic for us right now. We are 5 years into the development of |
@tashian thanks for the response - I do understand the difficulty in defining the boundaries both in broader scope, and where to split the line between commercial and open source. I also admit my understanding of the various pieces of the Perhaps it would be useful to explain my use case that ultimately motivated creating this issue because I think it is much more aligned with the scope of DevOps than MDM which feels more 'IT'. Our team has a large number of servers deployed at remote locations. These devices ultimately need to authenticate with AWS workloads. AWS offers IAM Roles Anywhere, and y'all even have an excellent blog post illustrating how to use this with step-ca: https://smallstep.com/blog/smallstep-and-aws-iam-roles-anywhere/. My ultimate goal is to utilize the TPM2 on these servers with From my perspective, this is definitely in the scope of DevOps, although it does share almost identical technical structure to the MDM use case. At a higher level, I think this kind of abstraction would be really useful for IoT device identity problems. ACME seems like a natural fit to me, and the use cases are definitely not restricted to just AWS. It seems possible to fully automate device enrollment with this kind of tech. I don't know if there's any kind of technical approach to split the IT customer segment from the DevOps segment here but I hope I've made the case for this feature in the step-ca repo. edit: |
Hello!
Issue details
#1545
Why is this needed?
There are many applications for device-attest-01 beyond just enterprise MDM, and it's a shame the implementation isn't open source.
The text was updated successfully, but these errors were encountered: