Webserver DDOS protection without giving away private keys (https, tls, ssl)

What are the possible ways to protect an organization’s web servers from a DDoS attack without giving away your web server’s https private keys?
Many of the common solutions for DDoS protection of a web server (eg CloudFlare) require you t…

Does snapd enforce cryptographic authentication and integrity validation by default for all packages? (debian, ubuntu)

Does the snapd package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified beca…

Does apt-get enforce cryptographic authentication and integrity validation by default for all packages? (debian, ubuntu)

Does the built-in apt package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?
My understanding was that software downloaded with apt-get packages would be cryptogra…

Best Practices Guides for Enterprise PKI Setup (root CA generation, storage, backup)

What are the best guides available for how to create and maintain an enterprise X.509 PKI setup for an organization?
I’m looking for some guide that comprehensively covers how to set up and manage a CA hierarchy. It should cover:

Abstract …

Does npm (Node.js package manager) provide cryptographic authentication and integrity validation?

Does the npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps ask…

Does yarn (Node.js package manager) provide cryptographic authentication and integrity validation?

Does the yarn package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps as…

How to pin public root key when downloading an image with docker pull (Docker Content Trust)?

How can I execute docker pull (with Docker Content Trust enabled) such that it fails if the image doesn’t have a valid signature using the private key corresponding to (or subordinate to) the public key that I provide?
I just discovered th…

How to list all of the known root keys in docker (Docker Content Trust)

How can I list all of the Docker Content Trust root keys on my system?
I am setting up a CI process that will use the debian:stable-latest docker image to build my application’s releases in ephemeral cloud instances. I want to make sure th…

Where can I find a list of all government agencies with CAs in PKI root stores?

Is there a source that monitors popular root stores for CAs controlled by government agencies?
There are several "root stores" that maintain a list of trusted root CAs. These root stores are imported and used by thousands (millio…