|
|
|
|
|
|
by russell_h
3689 days ago
|
|
|
Author of the blog post here. I wasn't at the talk, but had the same question. BLESS, as released, appears to be intended to drop onto an AWS bastion host and recommends an AWS IAM role to authenticate the bastion to the Lambda function that acts as the CA. Like you mention, there are a lot of limitations to that, but its still a neat demonstration of using ephemeral client certificates without having to spin up a bunch of infrastructure. At ScaleFT we're building a solution on the same principles that offers some of what you're talking about out of the box: 1. Authenticating users against a variety of SSO systems
2. Treating bastions as nothing more than an untrusted TCP proxy
For me the critical takeaway though, is that whatever automation you're layering on top, client certificates make great ephemeral access tokens and they're increasingly catching on. Its just a matter of building the right automation, integrations, and tooling on the client to make the experience good. |
|
|