Joost van Dijk, Yubico

Joost van Dijk, Yubico
Joost van Dijk, Yubico

One part of securing your software supply chain is to make sure that artefacts and developer commits are signed – but how does it all work? During this workshop, Joost van Dijk will take the participants through the world of digital signatures.

The workshop will explain the technologies and concepts involved, sush as PGP, PIV, FIDO, WebAuthn, SSH, PKCS#11, PKI, Certificates, and MFA.

It will focus on using cryptographic hardware, such as security keys, smartcards, and HSMs, with practical examples using FIDO Security Keys, YubiKeys, and YubiHSMs.

Some of the use cases that will be covered include:

  • Access to critical systems using SSH (e.g. GitHub, GitLab)
  • Web access to critical systems using passkeys
  • Signing git tags and commits
  • Signing software artifacts
  • Using attestation to prove signing hardware provenance
  • SSH and X.509 certificates for key management
  • Signing SBOMs
  • Signing Docker images

It will also touch on recent initiatives such as Sigstore and OpenPubKey.

Prerequisites: participants are expected to have working knowledge on cryptography, git, ssh, and using command-line tools.

nsse24-yubico-joostvandijk

Open Source Security Foundation

Print This Page Print This Page