April 11, 2024

Announcing the Release of OpenPubkey v0.3.0

Ethan Heilman

CTO

I’m happy to announce we have a new release of OpenPubkey (Release v0.3.0). I want to thank all 10 contributors whose hard work got this release over the finish line: @asamborski @EthanHeilman @lgmugnier @mrjoelkamp @jonnystoten and especially the new contributors: @johncmerfeld @kipz @tg123 @ymarcus93.

OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. It adds user- or workload-generated public keys to OpenID Connect (OIDC), enabling entities to sign messages or artifacts under their OIDC identity. 

One of the most important new features in this release is support for using Guillou-Quisquater (GQ) signatures to bind public keys to ID Tokens. GQ signatures allow us to use OpenPubkey with any OpenID Provider (OP), even ones that don’t support customizable claims (like the nonce field used by Google and Okta, or the audience claim used by GitHub). While we had already added GQ signatures to prevent ID Token replay attacks, this change required using GQ signatures in a new way and allowed us to add support for GitLab, our most requested feature.

This release consists of 44 Pull Requests adding major features such as:

  • Support for using GitLab as an OpenID Provider
  • Guillou-Quisquater (GQ) Signatures
  • Side Channel countermeasures
  • JSON Key Thumbprint support
  • MFA Cosigner that supports MFA with WebAuthn and FIDO devices
  • OpenPubkey authentication in SSH and SSH certificate support
  • Verifiers that can handle multiple OpenID Providers and Cosigners 
  • A complete overhaul of our tests including large numbers of new tests
  • And a large number of bugfixes and minor improvements

See the full release notes for OpenPubkey v0.3.0. If you want to see what we have in store for upcoming releases, see Release v0.31.0, Release v0.32.0 and Release v0.33.0.

We invite anyone who wants to contribute to OpenPubkey to visit and star our GitHub repo. We are building an open and friendly community and welcome pull requests from anyone — see the contribution guidelines to learn more. If you are interested in contributing to OpenPubkey, take a look at our list of Good First Issues or reach out to me.
