Hey
As I understand, the PKI is the most sensitive part of Istio - and a compromised root certificate allows a hacker to impersonate any service. How can I protect the root certificate? Something besides Vault CA integration? I’ll be happy to read more about the security model and have a deeper understanding - is there something like a public threat model available?
It really depends on the threat model - meaning, intuitively, I want to say that I would like to have HSM protections for the root CA. So either support for systems like Azure KeyVault or PKCS11. This will make it almost impossible to extract the keys and give built-in audit capabilities. As this is the root of trust of the authentication, this is pretty important.
I’m especially interested in understanding what safeguards there are with respect to self-signed certificates and if you execute any of the commonly known mitigations like certificate pinning.
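The pinning question in the post above can be made concrete with a small Go program. This is an added example written for this thread, not Istio's own code, and it makes no claim about which checks Istio performs: it builds two self-signed roots with the same subject name (constructed test data), issues a workload certificate from each, and shows that ordinary chain verification accepts both leaves while an SPKI pin on the intended root rejects the one signed by the look-alike. The SPIFFE ID string and the "example-root" name are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA builds a self-signed CA certificate and its private key.
// Constructed test data for this example, not an Istio-issued certificate.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a workload certificate carrying a SPIFFE URI SAN with the given CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		URIs:         []*url.URL{id},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the quantity HPKP-style pins are built from. It binds the key, not the name.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned requires that leaf chains to one of roots AND that the chain's
// root carries the expected SPKI pin, so a second self-signed root with an
// identical subject cannot be swapped in by adding it to the trust pool.
func verifyPinned(leaf *x509.Certificate, roots []*x509.Certificate, expectedPin string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if spkiPin(chain[len(chain)-1]) == expectedPin {
			return nil
		}
	}
	return errors.New("chain verified but does not terminate in the pinned root")
}

func main() {
	trusted, trustedKey, _ := newCA("example-root")
	rogue, rogueKey, _ := newCA("example-root") // same subject, different key
	id := "spiffe://cluster.local/ns/default/sa/default" // hypothetical workload ID
	good, _ := issueLeaf(trusted, trustedKey, id)
	bad, _ := issueLeaf(rogue, rogueKey, id)
	roots := []*x509.Certificate{trusted, rogue}
	pin := spkiPin(trusted)
	fmt.Println("leaf from pinned root:", verifyPinned(good, roots, pin))
	fmt.Println("leaf from look-alike root:", verifyPinned(bad, roots, pin))
}
```

The design point is that the pin is computed over the public key, not the subject or serial, so it survives a re-issued root certificate that keeps the same key (for example one held in an HSM) but fails closed when a different key appears under the same name. Pinning only helps if the pin itself is distributed out of band and rotated deliberately.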