We use an AWS KMS asymmetric key for the CA keys; they're cheap and avoid exposing the private key material in any way.
For signing SSH certificates, we run a small service (prototype code dump at https://github.com/pardot/sshsigner) that uses this key to sign short lived certificates. Auth to the service is via OIDC issued ID tokens.
On the client side we have a custom SSH agent that uses an ephemeral in-memory private key. The agent manages the OIDC web flow and calls out to the service for signing on demand. This lets us keep the cert duration small and scoped, and allows us to force re-auth for sudo etc. via the web flow.
We also do a similar thing for host keys, IAM auth the instances and sign certificates.
Altogether it works well, provides a nice user experience, and keeps long-lived/leakable creds out of our environment.
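The short-lived, scoped user certificate described in the comment above, as an added example (not code from the pardot/sshsigner repo): it encodes and decodes the OpenSSH certificate wire format (PROTOCOL.certkeys, ed25519 user key) and applies the two checks a signing service must enforce before returning a cert, a bounded lifetime and at least one principal. The CA signer is a plain callable so a real service can back it with a KMS Sign call; the test uses a constructed stand-in, and the 3600 s `max_ttl` default is an assumed policy value.

```python
"""OpenSSH user-certificate encode/decode (PROTOCOL.certkeys). Added example, not code
from pardot/sshsigner; the CA signer is pluggable (production: KMS Sign), stand-in in tests."""
import os, struct
CERT_TYPE_USER = 1

def s(b: bytes) -> bytes:                # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def encode_tbs(pubkey: bytes, key_id: str, principals: list[str], valid_after: int,
               valid_before: int, extensions: list[str], ca_pub_blob: bytes) -> bytes:
    """Certificate body minus the trailing signature; the CA signs exactly these bytes."""
    return (s(b"ssh-ed25519-cert-v01@openssh.com") + s(os.urandom(32)) + s(pubkey)
            + struct.pack(">QI", 0, CERT_TYPE_USER) + s(key_id.encode())   # serial, type
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + s(b"")                                                       # critical options: none
            + s(b"".join(s(e.encode()) + s(b"") for e in extensions))      # name + empty data
            + s(b"") + s(ca_pub_blob))                                     # reserved, CA key

def sign_cert(tbs: bytes, signer) -> bytes:
    """signer(tbs) returns an SSH signature blob; in the real service this wraps KMS Sign."""
    return tbs + s(signer(tbs))

def _read(buf: bytes, off: int):
    n, = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _read_list(buf: bytes) -> list[str]:
    out, off = [], 0
    while off < len(buf):
        item, off = _read(buf, off); out.append(item.decode())
    return out

def decode_cert(blob: bytes) -> dict:
    c, off = {}, 0
    for f in ("type", "nonce", "pk"): c[f], off = _read(blob, off)
    c["serial"], c["cert_type"] = struct.unpack_from(">QI", blob, off); off += 12
    c["key_id"], off = _read(blob, off)
    princ, off = _read(blob, off); c["principals"] = _read_list(princ)
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, off); off += 16
    for f in ("critical", "extensions", "reserved", "ca_key", "signature"): c[f], off = _read(blob, off)
    c["extensions"] = _read_list(c["extensions"])[0::2]   # keep names, drop empty data strings
    return c

def check_policy(cert: dict, max_ttl: int = 3600) -> list[str]:
    """What the signing service should reject before returning a cert: unscoped or long-lived."""
    problems = []
    if cert["cert_type"] != CERT_TYPE_USER: problems.append("not a user cert")
    if not cert["principals"]: problems.append("no principals (unscoped)")
    if cert["valid_before"] - cert["valid_after"] > max_ttl: problems.append("lifetime exceeds max_ttl")
    return problems
```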
I migrated from the EU to the US, but then realised that once everything was factored in (medical, car, housing, cost of living) the taxes were actually worth it, so I moved back to the EU.
This is fine while you're employed, but what if you lose your position or decide to take a couple years off? Then it becomes a different equation.
Spread out over time, in the places I lived outside of the US that was not really a concern. Same with most other "social care" situations. In the US, it all felt a lot more tenuous which was a source of constant low-key anxiety.
S/MIME and PGP share the same basic problem: they provide a container for the basic public-key crypto primitives (signing and encryption) together with an identification of the public key and leave it at that. Throw on top of that tools that are usually uninterested in actually thinking about how policy decisions affect cryptographic security and you have an example of security theater.
I've seen similar projects that use S/MIME for identity management, but as seen from the README of the tool[0] the benefits of PGP's web of trust can be seen in unstructured environments. Online identities are perhaps the most unstructured environment, where aliases and personas are the norm.