Comment by tptacek

9 hours ago

It's exactly the tokenizer, but we shoplifted the idea too; it belongs to the world!

(The credential thing I'm actually proud of is non-exfiltratable machine-bound Macaroons).

Remember that the security promises of this scheme depend on tight control over not only what hosts you'll send requests to, but what parts of the requests themselves.

3 comments

tptacek

orf 5 hours ago

How does this work with more complex authentication schemes, like AWS?

svieira 8 hours ago

Did the machine-bound Macaroons ever get written up publicly or is that proprietary?

tptacek 8 hours ago

Like the Tokenizer, I think they're open source.
https://fly.io/blog/operationalizing-macaroons/