[00:00.000 --> 00:17.000]  Be quiet. This is James Strong and Luis Denham Patty. What does Sarak have to do with Sixth
[00:17.000 --> 00:24.360]  Store? Hello everyone. My name is James Strong and we're going to talk about rugby and Sixth
[00:24.360 --> 00:29.360]  Store today. But something really interesting is happening today right now. So Seven Nations
[00:29.360 --> 00:34.480]  started today and Wales and Ireland are playing. What's the score right now, Lewis? I think we
[00:34.480 --> 00:39.520]  should concentrate on the talk. I think it would be most enjoyable. Last time we checked it was
[00:39.520 --> 00:47.680]  327 in Ireland. Where are you from? Wales. Anyway, awesome. So I guess my name is James Strong. I'm
[00:47.680 --> 00:52.680]  a solutions architect at Changar. I do a bunch of stuff with networking and Kubernetes. And if
[00:52.680 --> 00:57.400]  you're here to win the book, meet me outside afterwards. If you sign a container image during
[00:57.400 --> 01:02.000]  the talk and come hang out with me, I've got five copies of my book. So sign your container
[01:02.000 --> 01:08.080]  images, everyone. And if I broke your Ingress Engine X release on Thursday, I apologize. Please
[01:08.080 --> 01:16.040]  don't come outside and hang out with me. Hi, everyone. I'm Lewis. I'm similar to James in
[01:16.040 --> 01:23.000]  Waze, not in others. As well as being at Changar, I'm the coach for Rebina Squirrels under eight
[01:23.000 --> 01:29.600]  rugby team. That's why I'm listening today to a talk about six-door and rugby from myself. Yeah,
[01:29.600 --> 01:32.720]  if you weren't mind keeping the score away from me with Wales versus Ireland right now,
[01:32.720 --> 01:39.000]  that would be beneficial for my own sanity. Yes, next slide, please. So yeah,
[01:39.000 --> 01:43.360]  at Changar, we support a lot of open source projects. We're talking today about six-door,
[01:43.360 --> 01:49.440]  but we're also part of Salsa, doing some assessments for it. We've got Tecton, K-native,
[01:49.440 --> 01:56.880]  OpenSSF, and Disturbance. Does anybody use any or all of those? I do. There's a couple
[01:56.880 --> 02:01.600]  on there that aren't listed, like I said, Ingress Engine X. Changar supports me to support Ingress.
[02:01.600 --> 02:05.320]  We also have our own container image out there. It's called Wolfie. You can check that out,
[02:05.320 --> 02:11.640]  wolfie.dev. But like I said, we're going to talk about six-door and rugby today. Okay,
[02:11.640 --> 02:17.360]  so who here has heard of six-door prior to walking into this room? Okay, we got a couple. Thank
[02:17.360 --> 02:22.320]  you for coming. Who here has heard of rugby today prior to coming into this room? Yes,
[02:22.320 --> 02:29.000]  hello. Right, so when we submitted this talk, James found this very special diagram, and when
[02:29.000 --> 02:34.720]  we zoom in, we can see the similarities between six-door and rugby for this talk. Incidentally,
[02:34.720 --> 02:41.600]  this lasts about 22 minutes, hence why we've had such a long introduction. So what do people think
[02:41.600 --> 02:46.040]  rugby is? It's really not doing a haka. It looks cool and intimidates your opponents,
[02:46.040 --> 02:50.440]  but that's not really what it is. It's a very difficult game with highly specialized positions,
[02:50.440 --> 02:56.280]  and it was required to help everyone work together to achieve a goal, and that's really what we
[02:56.280 --> 03:01.680]  think six-door is and what we want to talk about. So there's lots of components about it, and we
[03:01.680 --> 03:05.280]  think that six-door is tackling supply chain security, and we're going to talk about how,
[03:05.280 --> 03:10.400]  why, and hopefully make it fun along the way, and learn a little bit about rugby and six-door,
[03:10.400 --> 03:17.480]  and probably a lot about neither. So why is six-door tackling supply chain security? It has
[03:17.480 --> 03:21.880]  started to improve the supply chain technology that we all use. It's made by open-source
[03:21.880 --> 03:27.240]  maintainers, for open-source maintainers. A lot of you may not be aware, but a lot of things are
[03:27.240 --> 03:31.320]  being signed right now, so thank you to Adolfo there from SIG Release for signing all of the
[03:31.320 --> 03:38.280]  Kubernetes releases with SIG Store. Thank you. It was a lot of hard work. I know PIPI, a lot of
[03:38.280 --> 03:42.560]  package maintainers are going to be supporting that. I know that Maven, so there's a lot of people
[03:42.560 --> 03:46.400]  that are using six-door. You might not even be aware that you're using it, but it's a direct
[03:46.400 --> 03:53.800]  response to some of the challenges that are there right now. So who here has had someone else sign
[03:53.800 --> 04:01.080]  their GPG key? Been through assigning parties, two, three people, four? Okay. I was really glad
[04:01.080 --> 04:05.560]  not everyone shot their hand up because that would have been really fun. Anyway, we're going to talk
[04:05.560 --> 04:13.960]  about how we're going to be doing that. So, again, not knowing where your software comes from, and
[04:13.960 --> 04:20.400]  without having identity checks and safety protocols, it's leaving our, well, we're leaving it open to
[04:20.400 --> 04:26.160]  explode some attacks. So, six-door attempts to make software and their infrastructure frictionless
[04:26.160 --> 04:35.960]  and invisible. And as James just mentioned, we're integrated with a wide range of systems.
[04:56.160 --> 05:11.960]  to an identity and know where it came from and who made that piece of software. And just like in
[05:11.960 --> 05:17.720]  six-door, Rugby also has lots of positions that are available, highly specialized. I play a hooker,
[05:17.720 --> 05:23.120]  that's much different than what a fullback would do. We all have different responsibilities to be
[05:23.120 --> 05:28.840]  able to win the game. So we're going to tie those two together. I'm going to start off at the very
[05:28.840 --> 05:37.280]  top of the play. So we're going to talk about trust routes. So with signing, we also require
[05:37.280 --> 05:44.920]  trust. So knowing who is making available this piece of software. So think of it from a PKI
[05:44.920 --> 05:51.080]  perspective. We have a route of trust in SSL certificates. What we're also trying to accomplish
[05:51.080 --> 06:00.880]  with six-door is that same route of trust. So think of automated software for SSL certificates.
[06:00.880 --> 06:07.240]  I was thinking of Johnny Sexton. Oh, Johnny Sexton. That's not the answer. But think of it from that
[06:07.240 --> 06:11.560]  perspective. So six-door has a route of trust. It was initialized with TOF. So the update.
[06:11.560 --> 06:16.440]  Let's Encrypt. Let's Encrypt. Thank you. Thank you for that. Let's Encrypt. Think about six-door as
[06:16.440 --> 06:21.680]  Let's Encrypt for software signing artifacts, making it easy and transparent for everyone to use.
[06:21.680 --> 06:27.440]  So the fly-half is very influential player on the field. And in order to start that route of trust,
[06:27.440 --> 06:33.320]  we have to have that trust there. So there's a bunch of links there. We actually did a live stream
[06:33.320 --> 06:37.760]  of the six-door key signing. If you want to figure out how they initialized that and did all that
[06:37.760 --> 06:45.640]  work, that's a great YouTube video from that. So going from the fly-half to the loose-head,
[06:45.640 --> 06:50.760]  from a play perspective, they're going to be the certificate authority. So now we've got our route
[06:50.760 --> 06:56.520]  of trust. We have our certificate authority to be able to produce those certificates to sign those
[06:56.520 --> 07:01.720]  artifacts. So a lot of responsibility is on the CA from that perspective. And of course, being a
[07:01.720 --> 07:05.760]  loose-head, you carry a lot of weight on the team. You're very important into the scrum. So again,
[07:05.760 --> 07:15.360]  very important position on the team. So OITC allows us to identify the end user. We obtain
[07:15.360 --> 07:22.320]  some basic information about the user. And Falsio uses OITC to authenticate requests. Subject
[07:22.320 --> 07:28.320]  related claims can be extracted and included on the certificate. Six-door runs a federated OITC
[07:28.320 --> 07:36.120]  identity provider in DEX, which creates a DEX OITC token from the original OITC. Falsio supports
[07:36.120 --> 07:41.760]  OITC from additional configured users. Issues, sorry, as we can see from the screenshot. And the
[07:41.760 --> 07:45.840]  play that we selected for this was Martin Castro Giovanni. Does anyone know if Martin Castro
[07:45.840 --> 07:52.280]  Giovanni? No. Okay, well, there's something learned today. He's a massive identity within the Italian
[07:52.280 --> 07:56.400]  game, even though he's originally from Argentina. And the reason I selected him is because you can
[07:56.400 --> 08:01.920]  identify him because of his sleeve with all the identities of his family members on his arm. Next
[08:01.920 --> 08:10.560]  one. And so now we've come to Falsio. Falsio is the API that drives all of this, that ties the OITC
[08:10.560 --> 08:15.000]  and the certificate authority together. So when you're making a request to get a signing certificate,
[08:15.000 --> 08:20.040]  you're doing it through Falsio. And we put that together with the hooker. And yes, I was self-serving
[08:20.040 --> 08:26.280]  that is me. And do feel sorry for that guy. So Falsio is a free code signing certificate
[08:26.280 --> 08:30.160]  authority. Anyone can make a request to get a signing certificate, tie it to their identity,
[08:30.160 --> 08:36.400]  and make it available for everyone to verify. They are short-lived certificates, so that's
[08:36.400 --> 08:40.280]  going to come into play from another piece of technology perspective. We're going to talk a
[08:40.280 --> 08:45.800]  little bit more about that with RECORE. So with RECORE, it provides a new ability with
[08:45.800 --> 08:50.720]  ephemeral certificates. It's based on a Merkle tree, and it fulfills the transparency log,
[08:50.720 --> 08:54.920]  which means that it's searchable for all. So you can use that URL there to be able to search
[08:54.920 --> 08:59.720]  via a browser, or you can use RECORE CLI to be able to search. So for this one, I'm looking
[08:59.720 --> 09:04.160]  towards Martin Johnson. Again, as a Welsh person, for putting all these names out, it's quite
[09:04.160 --> 09:08.000]  difficult for me. But Martin Johnson was a powerhouse for England. He was a captain who
[09:08.000 --> 09:13.160]  led them to numerous victories. But the reason why this is comparable to RECORE is he went
[09:13.160 --> 09:17.080]  on to a successful coaching career as well, providing insights for the next generation
[09:17.080 --> 09:22.960]  that has to hire to play the game. Yes, next slide, please.
[09:22.960 --> 09:27.840]  So we want to take some time and talk a little bit about how a developer interacts with that.
[09:27.840 --> 09:34.520]  So when we think about it from a rugby perspective, the scrum half is the connector between the
[09:34.520 --> 09:40.120]  forwards and the backs from that perspective. And cosine is that glue that ties all of these
[09:40.120 --> 09:44.960]  pieces together. Think of it like a QCTL, right? You don't actually directly interact
[09:44.960 --> 09:50.200]  with the API. You do it through QCTL. Cosine is how you do that with Pulseo and RECORE
[09:50.200 --> 09:56.400]  and the rest of the other six-door environments. So you can actually sign and verify signatures.
[09:56.400 --> 10:01.440]  It also creates in-toto attestations. So if you wanted to generate and sign other metadata
[10:01.440 --> 10:06.280]  about your container images, maybe how many CVEs are in it, if you're generating an S-Bomb,
[10:06.280 --> 10:10.040]  things like that, other metadata, you can make available, sign it, and store it with
[10:10.040 --> 10:15.280]  the container. All of that can be done through cosine. And we're not talking about just container
[10:15.280 --> 10:20.360]  images as well. That's where it's highly targeted right now, but you can also sign other pieces
[10:20.360 --> 10:25.160]  of information. So when I send, as for fun, when I send documents to clients nowadays,
[10:25.160 --> 10:31.160]  I also sign it, and it generates the hash of the document and the signature, and they
[10:31.160 --> 10:36.800]  know that that document came from me. So it's basically a free DocuSign.
[10:36.800 --> 10:42.160]  So this is Gareth Edwards. He was an influential player in the 70s, played 88 consecutive games
[10:42.160 --> 10:49.600]  for Wales, and one of the key reasons to our success in the 70s, not so much in the 2020s.
[10:49.600 --> 10:53.800]  And yes, the Scrum half is instrumental in communicating between the backs and the forwards
[10:53.800 --> 10:58.640]  within a game, which I can also see with Cosine. Not necessarily Cosine and Rugby, but yes,
[10:58.640 --> 11:01.440]  the next slide.