Document the trust withdrawal cascade:
Keylime breach → posture degraded → sessions downgraded
→ SPIRE re-attestation fails → SVIDs expire
→ service mTLS fails → quorum degrades
No new code for the cascade — it's emergent from existing
re-attestation behavior + the Keylime attestor plugin.
SPIRE federation handles cross-edge propagation through
standard certificate expiration.
Three timing profiles: Standard (~1hr), Enhanced (~15min),
Critical (~5min) with SVID TTL configuration guidance.
Example SPIRE server config with Keylime attestor + k8s_psat
fallback for nodes without hardware TPM.
Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
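As an added illustration (not code from this commit or the project it touches), the following Python model works through the timing of the cascade the message describes: once Keylime attestation fails, the SPIRE agent stops renewing SVIDs, each workload keeps only the SVID it last received, mTLS between two peers fails when the earlier of their SVIDs expires, and a quorum is lost when too few members still hold a valid SVID. The TTLs come from the three profiles named above; the renewal-at-half-TTL heuristic, the workload names, their issue times and the 3-of-5 quorum are constructed assumptions, not values from the page.

```python
"""Timing model of the trust-withdrawal cascade (constructed example).

Keylime breach -> re-attestation fails -> SVIDs stop renewing -> SVIDs expire
-> service mTLS fails -> quorum degrades.
"""
from dataclasses import dataclass

# Timing profiles from the commit message, in seconds.
PROFILES = {"standard": 3600, "enhanced": 900, "critical": 300}

# Assumption: a healthy agent renews an SVID when half of its TTL remains.
RENEWAL_FRACTION = 0.5


@dataclass(frozen=True)
class Svid:
    workload: str
    issued_at: float
    ttl: float

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.ttl

    def valid_at(self, t: float) -> bool:
        return self.issued_at <= t < self.expires_at


def last_renewal(first_issue: float, ttl: float, t_fail: float) -> float:
    """Issue time of the SVID a workload still holds when renewal stops at t_fail.

    Renewals happen every ttl * RENEWAL_FRACTION seconds; a renewal that lands
    exactly at t_fail is counted as successful. Nothing is renewed afterwards.
    """
    if t_fail < first_issue:
        raise ValueError("attestation failed before the first SVID was issued")
    period = ttl * RENEWAL_FRACTION
    n = int((t_fail - first_issue) // period)
    return first_issue + n * period


def svid_held_after_failure(workload: str, first_issue: float, ttl: float, t_fail: float) -> Svid:
    """The SVID a workload is left with once re-attestation fails at t_fail."""
    return Svid(workload, last_renewal(first_issue, ttl, t_fail), ttl)


def mtls_failure_time(a: Svid, b: Svid) -> float:
    """mTLS between two services fails when the earlier of their SVIDs expires."""
    return min(a.expires_at, b.expires_at)


def quorum_lost_time(svids: list[Svid], quorum: int) -> float:
    """Time at which fewer than `quorum` members still hold a valid SVID."""
    if not 1 <= quorum <= len(svids):
        raise ValueError("quorum must be between 1 and the number of members")
    expiries = sorted(s.expires_at for s in svids)
    # The quorum is gone once (len - quorum + 1) SVIDs have expired.
    return expiries[len(svids) - quorum]


def withdrawal_latency_bounds(ttl: float) -> tuple[float, float]:
    """(best, worst) delay from attestation failure to the held SVID expiring.

    The held SVID was issued at most one renewal period before t_fail, so the
    remaining lifetime lies in (ttl - period, ttl]. The worst case is the TTL.
    """
    period = ttl * RENEWAL_FRACTION
    return ttl - period, ttl


def cascade(profile: str, t_fail: float, members: dict[str, float], quorum: int) -> dict:
    """Summarise when the cascade bites for a profile, given each member's first issue time."""
    ttl = PROFILES[profile]
    held = [svid_held_after_failure(name, issued, ttl, t_fail) for name, issued in members.items()]
    return {
        "ttl": ttl,
        "first_svid_expiry": min(s.expires_at for s in held),
        "last_svid_expiry": max(s.expires_at for s in held),
        "quorum_lost_at": quorum_lost_time(held, quorum),
    }


if __name__ == "__main__":
    # Constructed fleet: five services, first SVIDs issued at slightly different times.
    members = {"api": 0, "gw": 10, "db": 40, "queue": 100, "auth": 130}
    for profile in PROFILES:
        print(profile, cascade(profile, t_fail=1000, members=members, quorum=3))
    for profile, ttl in PROFILES.items():
        print(profile, "withdrawal latency bounds:", withdrawal_latency_bounds(ttl))
```

The useful takeaway is the last function: the cascade's end-to-end latency is bounded by the SVID TTL, so choosing a profile is choosing how long a node that failed attestation can keep talking to its peers.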