How to think about “Developer Identity Privacy”

[abandon1234567]

In Speranza (https://dl.acm.org/doi/pdf/10.1145/3576915.3623200) it is argued that Sigstore has a developer identity privacy leakage problem and a privacy friendly solution is proposed, but it also inevitably compromises the transparency that Sigstore provides.

How does everyone feel about transparency and privacy, please?

My personal view is that if transparency is compromised, there could be more serious security consequences.

[bobcallaway]

Within Sigstore, we see dramatically higher usage of workload identity VS personal identity (via email). We'd like to continue to make privacy-related improvements for the use cases that require personal identity, but strongly encourage to use workload identity where possible.