BastionZero helps you break free from complexity with a cloud-native access experience that is simple to deploy, easy to use, and a breeze to maintain. BastionZero's Zero-Trust Infrastructure Access Platform connects teams to resources without risking the keys to your kingdom. With our multi-root trustless access protocol, you can reclaim your architecture from over-privileged third parties and ensure that the right people have access to the right resources at the right time. BastionZero is now part of Cloudflare.
External link for BastionZero (acquired by Cloudflare)
Boston, MA, US
BastionZero (acquired by Cloudflare) reposted this
📢 Huge news: BastionZero is now part of Cloudflare! 📢 We are thrilled to join Cloudflare to help more IT and security teams provide zero trust access to their servers and other infrastructure. Our next chapter is going to be bigger and better than all the ones before it! Learn about what’s next, press release in comments.
📢 Huge news: BastionZero is now part of Cloudflare! 📢 We are thrilled to join Cloudflare to help more IT and security teams provide zero trust access to their servers and other infrastructure. Our next chapter is going to be bigger and better than all the ones before it! Learn about what’s next, press release in comments.
Ephemeral infrastructure is reproducible - it is easy to deploy, scale and update. It also improves security and can reduce overall spend! Despite this, even with ephemeral infrastructure, engineering and DevOps teams may still require access to infrastructure to support debugging and forensics. Luckily you can use BastionZero for this. Read more about how in Ann Ming Samborski's latest blog here: https://hubs.la/Q02vx45y0
Read more about our standards work at the IETF in this new blog!
Founder/CEO at BastionZero (acquired by Cloudflare) | Product at Cloudflare | CS professor at Boston University
Our brand new IETF internet draft is making the rounds, so I’m excited to share a new blog explaining why Richard Barnes and I are introduced the PIKA: Proof of Issuer Key Authority. PIKAs allow us to cache and redistribute an OpenID Provider (OP)’s public keys. PIKAs are useful for #OpenPubkey, #oidc and many other places where you need a JWT. Today, if you want to verify any object issued by an OP, you need to request the OP public keys from an HTTPS endpoint. The OP has to be online and the HTTPS endpoint has to be available. This has performance and privacy issues, and makes it hard to verify objects that were signed by the OP In the past. PIKAs introduce a new reality where the process of obtaining the OP's public key can be done *offline* rather than being restricted to *online* only. The PIKA is a signed object that uses the Web PKI to prove that an OP’s public key really was issued by that OP. Specifically, in a PIKA ☑ the payload contains the OP’s public key, ☑ the header contains a certificate proving that the key signing the PIKA chains up to the root of the WebPKI. ☑ the signature is under the public key in the certificate You can cache and redistribute the PIKA, which 💡 reduces load on the OP and 💡 improves privacy (because third parties can verify objects without interacting with the OP), and 💡 supports applications that require caching or historical information about OP keys, which is important for software #supplychainsecurity. Nerd out with me in the blog linked in the comments below!
Following our massive #OpenPubkey v0.3 release, Ethan Heilman and Ann Ming Samborski cover highlights from the release and how you can get involved in the OpenPubkey community. #oidc #openidconnect #cryptography GitLab
Exciting technological breakthrough from our #openpubkey team!
We added GitLab (gitlab-ci) support to #OpenPubkey but how we did it is more interesting. Adding Gitlab-ci support to OpenPubkey required the use of a very cool #cryptography primitive invented in the 1980s called a Guillou-Quisquater (GQ) signatures. This cryptographic compatibility trick of using GQ signatures enables us to support for identity providers we never thought possible. I wrote a blog post explaining what GQ signatures are, why so valuable from a compatibility standpoint, and how we are using them to generalize OpenPubkey to any OpenID Provider. In fact, GQ signatures mean that in the future OpenPubkey might even be able to support non-#OIDC protocols like SAML! Thanks to Jonny Stoten John Merfeld and Joel Kamp who wrote the GQ signature library in OpenPubkey.
BastionZero (acquired by Cloudflare) reposted this
I'm celebrating today! We just pushed out a new release of OpenPubkey (v0.3.0). It was a long road getting here and it feels great to finally get this release out. Check out all the new features: 🧡 Gitlab is now supported! 🔏 Guillou-Quisquater (GQ) Signatures with strong side channel countermeasures 🗝 Webauthn and FIDO authentication 🐡 OpenPubkey authentication in SSH (now in an official release) and so much more. Thank you to everyone who contributed to this release: Joel Kamp, Jonny Stoten and James Carnegie (from Docker, Inc) Boshi Lian (from Microsoft) Ann Ming Samborski, Ethan Heilman, John Merfeld, Lucie Mugnier and Yuval Marcus (from BastionZero) For full details read the blog post on the new #openpubkey release:
BastionZero is proud to announce a new release of #OpenPubkey (Release v0.3.0), probably the biggest release we've ever done. The new release is packed with 44 PRs from 10 different contributors at BastionZero, Docker, Inc, and others. A key feature is support for Guillou-Quisquater (GQ) signatures to allow us to use OpenPubkey with any OpenID Provider (OP). As a result, we've also been able to add support for the GitLab OP. Read more about the release in our latest blog: https://hubs.la/Q02sGrxH0 #oidc #supplychainsecurity
Our team is proud to participate in the IETF standards process.
Founder/CEO at BastionZero (acquired by Cloudflare) | Product at Cloudflare | CS professor at Boston University
Really excited to share a new IETF internet draft that Richard Barnes and I submitted to the OAuth working group this week. We introduce PIKA: Proof of Issue Key Authority, to solve a problem relevant to #openpubkey, #oidc and JWTs in general. What's a PIKA and why do I care? (Beside the fact that it's always fun to return to my IETF roots?) Well, OpenPubkey uses PK Tokens to allow an OpenID Provider (OP) to bind user identities to user-held public keys. This essentially allows the OP to act like a certificate authority, without any changes to today's OIDC. PK Tokens are signed by the OP's signing keys. But, OP's rotate their signing keys over time (e.g. biweekly). What happens if we need to use a PK Token *after* the OP rotates signing key? This is where the PIKA comes in. In this draft, we introduce the PIKA and show how it can be combined with a timestamping authority to allow PK Tokens to be used even after the OP rotates it signing key. The PIKA is a secure object that allows you to cache the OP's key, and verify using the OP's key even if the OP is offline. And that's why I got interested in this work. But our solution is much more generic and widely applicable than to just OpenPubkey. PIKAs allow the verification of JWTs, ID Tokens and other OIDC Tokens without querying the OP directly. You can use them to reduce the load on a OP, or to build applications that require caching or historical information about OP keys. Historical information about signing key is a particularly important in #softwaresupplychain usecases. We're still digesting all the different ways that PIKAs can be used. Draft is linked below, feel free to get in touch if you have any feedback!
For our 2nd blog in a series highlighting high-availability (HA) features of BastionZero we focus on HA for database access. BastionZero treats each database as a virtual target (a target behind a proxy bzero agent in your environment). A simple BZ policy config allows you to set multiple proxy agents for each database, providing HA in case one agent goes offline. Read more in this 2-min blog: https://hubs.la/Q02s8fYP0 #zerotrust #databases #highavailability