Ah, something that I think may be missing for Fulcio verification is the possibility of a detached SCT header. The public good Fulcio instance will always provide an embedded SCT (promise of inclusion from the CT log). However, private deployments may either specify a detached SCT or exclude CT entirely (which is not ideal, but depends on the setup). I think we need a lightweight sigstore_fulcio.proto (or at least a message in common.proto) that provides a certificate chain and an optional detached SCT - like https://github.com/sigstore/fulcio/blob/main/fulcio.proto#L153
To abstract away Fulcio entirely, we could just wrap X509CertificateChain in another message, such as:
```proto
message SignedCertificateTimestamp {
    bytes sct = 1;
}

message CertificateVerifier {
    X509CertificateChain x509_certificate_chain = 1;
    // Optional, may be embedded in the leaf certificate in the chain
    SignedCertificateTimestamp sct = 2;
}

message VerificationMaterial {
    oneof content {
        PublicKeyIdentifier public_key = 1;
        CertificateVerifier certificate_verifier = 2;
    }
}
```
or as its own proto, but I like the idea that Fulcio isn't a requirement, it's just that you need a certificate chain (from fulcio or any CA) and an SCT (from fulcio or your own CT log)
See sigstore/cosign#1731 or sigstore/cosign#2382 for some comments on it.
Originally posted by @haydentherapper in #1 (comment)