Identity-based Trust - Till Death Do We Part? - John Kjell & Kairo De Araujo

John Kjell, Kairo De Araujo

KubeCon + CloudNativeCon Europe 2025 · Session

In "Identity-based Trust - Till Death Do We Part?", John Kjell and Kairo De Araujo give a critical examination of modern software supply chain security, tracing the evolution from traditional signing methods to identity-based signing and beyond. The talk, presented at KubeCon EU, examines the limits of simply signing artifacts and argues for a multi-layered strategy that combines the **in-toto** project, **The Update Framework (TUF)**, and **Sigstore** components such as **Fulcio** and **Rekor**. Kjell and De Araujo show that while identity-based signing is a significant improvement, on its own it cannot guarantee the integrity or safety of software.

AI review

This presentation by Kjell and De Araujo delivers a crucial, no-nonsense examination of software supply chain security, dissecting the limitations of identity-based signing alone and championing a multi-layered, integrated approach. They demonstrate how projects like Sigstore, in-toto (Witness, Archivista), and The Update Framework (TUF) must be combined with robust policy enforcement to achieve true software provenance, integrity, and, critically, the ability to revoke trust. The talk provides actionable insights for anyone serious about securing their software development lifecycle.
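The point made in both the session abstract and the review above, that a signature from a verified identity is necessary but not sufficient, as an added illustration in Go. This is example code written for this page, not code from the talk or from Sigstore, in-toto or TUF; the `Identity`, `Signature` and `Policy` types, the GitHub Actions-style subject strings and the fixed-seed keys are constructed assumptions for the demo. It contrasts a verifier that checks only the signature, which accepts an artifact signed by an unauthorised identity, by an identity whose short-lived key had already expired, and by an identity revoked after signing, with a policy-backed verifier that rejects each of those.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Identity models what a Fulcio certificate binds: OIDC issuer/subject, a short-lived key, a validity window.
type Identity struct {
	Issuer, Subject     string
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

// Signature is a detached Ed25519 signature over (artifact digest, claimed signing time) plus the signer.
type Signature struct {
	SignedAt time.Time
	Sig      []byte
	Signer   Identity
}

// Policy is the consumer-side layer on top of signing: who may sign here, and who has been revoked since.
type Policy struct {
	Allowed, Revoked map[string]bool
}

func identityKey(id Identity) string { return id.Issuer + "|" + id.Subject }

// signedMessage binds digest and timestamp so the signing time cannot be swapped after the fact.
func signedMessage(digest [32]byte, at time.Time) []byte {
	return append(append([]byte{}, digest[:]...), at.UTC().Format(time.RFC3339)...)
}

// Sign produces a detached signature over artifact with the key bound to id.
func Sign(priv ed25519.PrivateKey, id Identity, artifact []byte, at time.Time) Signature {
	return Signature{SignedAt: at, Sig: ed25519.Sign(priv, signedMessage(sha256.Sum256(artifact), at)), Signer: id}
}

// VerifySignatureOnly answers the one question identity-based signing can answer:
// was this artifact signed by the key bound to the stated identity?
func VerifySignatureOnly(artifact []byte, s Signature) error {
	if !ed25519.Verify(s.Signer.Pub, signedMessage(sha256.Sum256(artifact), s.SignedAt), s.Sig) {
		return errors.New("signature does not verify under the signer's key")
	}
	return nil
}

// VerifyWithPolicy adds what signing alone leaves open: the signing time must lie inside the
// identity's validity window, the identity must be authorised, and it must not have been revoked.
func VerifyWithPolicy(artifact []byte, s Signature, p Policy) error {
	if err := VerifySignatureOnly(artifact, s); err != nil {
		return err
	}
	if s.SignedAt.Before(s.Signer.NotBefore) || s.SignedAt.After(s.Signer.NotAfter) {
		return errors.New("signed outside the identity's validity window")
	}
	switch k := identityKey(s.Signer); {
	case p.Revoked[k]:
		return errors.New("signer identity has been revoked")
	case !p.Allowed[k]:
		return errors.New("signer identity is not authorised by policy")
	}
	return nil
}

// Scenario runs constructed cases and reports, per case, whether the signature-only check
// and the policy-backed check accepted the artifact. All data below is constructed for the demo.
func Scenario() map[string][2]bool {
	artifact := []byte("constructed release tarball bytes")
	now := time.Date(2025, 4, 1, 12, 0, 0, 0, time.UTC)
	newID := func(tag byte, subject string) (Identity, ed25519.PrivateKey) {
		seed := make([]byte, ed25519.SeedSize) // fixed seed so the demo is deterministic; never do this for real keys
		seed[0] = tag
		priv := ed25519.NewKeyFromSeed(seed)
		return Identity{Issuer: "https://token.actions.githubusercontent.com", Subject: subject,
			Pub: priv.Public().(ed25519.PublicKey), NotBefore: now.Add(-5 * time.Minute), NotAfter: now.Add(5 * time.Minute)}, priv
	}
	releaseID, releaseKey := newID(1, "repo:example/app:ref:refs/tags/v1.0.0")
	strangerID, strangerKey := newID(2, "repo:someone-else/fork:ref:refs/heads/main")
	policy := Policy{Allowed: map[string]bool{identityKey(releaseID): true}, Revoked: map[string]bool{}}
	revoking := Policy{Allowed: policy.Allowed, Revoked: map[string]bool{identityKey(releaseID): true}}
	check := func(art []byte, s Signature, p Policy) [2]bool {
		return [2]bool{VerifySignatureOnly(art, s) == nil, VerifyWithPolicy(art, s, p) == nil}
	}
	good := Sign(releaseKey, releaseID, artifact, now)
	return map[string][2]bool{
		"authorised signer":           check(artifact, good, policy),
		"tampered artifact":           check(append([]byte("x"), artifact...), good, policy),
		"valid signature, unknown id": check(artifact, Sign(strangerKey, strangerID, artifact, now), policy),
		"signed after key expiry":     check(artifact, Sign(releaseKey, releaseID, artifact, now.Add(time.Hour)), policy),
		"identity revoked later":      check(artifact, good, revoking),
	}
}

func main() {
	for name, r := range Scenario() {
		fmt.Printf("%-28s signature-only=%v with-policy=%v\n", name, r[0], r[1])
	}
}
```

In a real Sigstore deployment the identity binding comes from a Fulcio-issued certificate and the trusted signing time from the Rekor log entry rather than from a timestamp the signer chose, and the allow and revoke lists would be consumer policy rather than hard-coded maps; the three cases that pass the signature-only check here are exactly the gap the talk argues policy, provenance and revocation must close.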
