I’m proposing EnvSecOps as a category and practice for Attestation-Based Identity (ABI): credentials are issued only when the requester presents fresh, nonce-bound evidence of environment compliance that passes policy—then expire fast. “Evidence → Policy → Token,” with a tamper-evident audit trail.
Explainer: What is EnvSecOps / ABI? Why it’s distinct from “short TTL + OPA” (https://dev.to/jl03/envsecops-what-it-actually-is-and-why-devsecops-wont-cut-it-43nh)
Status: I have a small research/reference implementation that demonstrates the flow and predicate shapes, but it’s not public yet. The goal is to converge on a portable on-wire spec, not to pitch a product.
Feedback I’m seeking:
Predicate must/should fields (e.g., materials digests, policy ref/hash, nonce, audience, signer identity).
PDP contract: minimal inputs/outputs so engines are swappable.
TOCTOU strategy: acceptable drift window, renewal cadence, revocation hooks.
Human ops-shell vs workload identity boundary (SPIFFE interop).
Auditor-friendly evidence bundle (token ↔ attestation ↔ policy version ↔ log inclusion).
Happy to answer questions; I’ll publish artifacts once the spec shape is less volatile.
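To make the "Evidence → Policy → Token" flow and the predicate fields under discussion concrete, here is an added sketch (my example, not the author's reference implementation or any published spec). It assumes: an issuer that hands out single-use nonces; a requester-side predicate carrying materials digests, policy hash, nonce and audience, signed by a named signer (HMAC stands in for an asymmetric signature); a minimal PDP contract of (predicate, policy) in and (allow, reasons) out; a short-TTL token that references the evidence digest and policy hash; and a hash-chained audit log linking decision, evidence and policy version. All field names, the policy and the material digests are constructed for illustration.

```python
"""Constructed Evidence -> Policy -> Token sketch. Field names, the PDP
contract and the audit-entry shape are assumptions, not a standard."""
import hashlib
import hmac
import json
import secrets
import time

def canonical(obj) -> bytes:
    """Stable serialisation so digests and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()

# Constructed policy: acceptable material digests for one audience, plus the drift window.
POLICY = {
    "audience": "deploy-api",
    "allowed_materials": {
        "base_image": "sha256:" + hashlib.sha256(b"constructed-base-image").hexdigest(),
        "agent": "sha256:" + hashlib.sha256(b"constructed-env-agent").hexdigest(),
    },
    "max_evidence_age_s": 30,   # TOCTOU window: how old presented evidence may be
}
POLICY_HASH = digest(POLICY)   # the policy version every token and audit entry points at

class Issuer:
    """Relying party: issues nonces, verifies evidence, runs the PDP, mints tokens, keeps the audit chain."""

    def __init__(self, signer_keys, ttl_s=300):
        self.signer_keys = signer_keys      # signer identity -> MAC key (assumption: HMAC in place of signatures)
        self.ttl_s = ttl_s                  # short token lifetime
        self.nonces = {}                    # outstanding nonce -> issue time
        self.audit = []                     # hash-chained decision log

    def issue_nonce(self, now=None) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.time() if now is None else now
        return nonce

    def pdp_evaluate(self, predicate, policy):
        """Minimal PDP contract: (predicate, policy) in, (allow, reasons) out, so engines are swappable."""
        reasons = []
        if predicate["audience"] != policy["audience"]:
            reasons.append("audience mismatch")
        if predicate["policy_hash"] != digest(policy):
            reasons.append("predicate bound to a different policy version")
        for name, want in policy["allowed_materials"].items():
            if predicate["materials"].get(name) != want:
                reasons.append(f"material {name} not in allow-list")
        return (not reasons), reasons

    def request_token(self, signed, now=None):
        now = time.time() if now is None else now
        predicate, sig, signer = signed["predicate"], signed["signature"], signed["signer"]
        key = self.signer_keys.get(signer)
        if key is None:
            return None, "unknown signer"
        expected = hmac.new(key, canonical(predicate), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        issued_at = self.nonces.pop(predicate["nonce"], None)   # single use: a replayed nonce is gone
        if issued_at is None:
            return None, "unknown or replayed nonce"
        if now - issued_at > POLICY["max_evidence_age_s"]:
            return None, "stale evidence"
        allow, reasons = self.pdp_evaluate(predicate, POLICY)
        self._record(predicate, allow, reasons, now)
        if not allow:
            return None, "; ".join(reasons)
        token = {"sub": signer, "aud": predicate["audience"], "iat": int(now), "exp": int(now) + self.ttl_s,
                 "evidence": digest(predicate), "policy": POLICY_HASH}   # token <-> attestation <-> policy
        return token, "ok"

    def _record(self, predicate, allow, reasons, now):
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"ts": int(now), "evidence": digest(predicate), "policy": POLICY_HASH,
                 "decision": "allow" if allow else "deny", "reasons": reasons, "prev": prev}
        entry["entry_hash"] = digest(entry)   # chain: each entry commits to its predecessor
        self.audit.append(entry)

    def verify_audit_chain(self) -> bool:
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def make_evidence(materials, nonce, audience, signer, key):
    """Requester side: bind measurements to nonce, audience and policy version, then sign."""
    predicate = {"materials": materials, "policy_hash": POLICY_HASH, "nonce": nonce, "audience": audience}
    sig = hmac.new(key, canonical(predicate), hashlib.sha256).hexdigest()
    return {"predicate": predicate, "signature": sig, "signer": signer}

def demo():
    """Fresh compliant evidence is accepted; the same nonce replayed is refused; drifted materials are denied."""
    key = b"constructed-shared-key"
    issuer = Issuer({"host-42": key})
    good = dict(POLICY["allowed_materials"])
    nonce = issuer.issue_nonce(now=1000.0)
    token, why = issuer.request_token(make_evidence(good, nonce, "deploy-api", "host-42", key), now=1001.0)
    replay, why2 = issuer.request_token(make_evidence(good, nonce, "deploy-api", "host-42", key), now=1002.0)
    drifted = dict(good, agent="sha256:constructed-drifted-digest")
    bad, why3 = issuer.request_token(make_evidence(drifted, issuer.issue_nonce(now=1003.0), "deploy-api", "host-42", key), now=1004.0)
    return token, why, replay, why2, bad, why3, issuer.verify_audit_chain()
```

The token carries the evidence digest and policy hash rather than the evidence itself, so an auditor can walk from a token to the audit entry, from the entry to the predicate that was evaluated, and from the predicate to the exact policy version, which is the evidence bundle the post asks about.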