You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Clarifications include:
* linking to the root-signing repository
* replacing "bundle" with "sig" for backwards compatibility
Signed-off-by: Marina Moore <mnm678@gmail.com>
Copy file name to clipboardExpand all lines: tap18.md
+5-7Lines changed: 5 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
-
* TAP:
1
+
* TAP: 18
2
2
* Title: Ephemeral identity verification using sigstore's Fulcio for TUF developer key management
3
3
* Version: 0
4
-
* Last-Modified: 27/07/2021
4
+
* Last-Modified: 07/02/2023
5
5
* Author: Marina Moore, Joshua Lock, Asra Ali, Luke Hinds, Jussi Kukkonen, Trishank Kuppusamy, axel simon
6
6
* Type: Standardization
7
7
* Status: Draft
@@ -41,9 +41,9 @@ In order to facilitate use of Fulcio, delegations may list an OIDC identity, suc
41
41
}
42
42
```
43
43
44
-
Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification.
44
+
Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification. For example, identity could be "hello@gmail.com" with an issuer "https://accounts.google.com".
45
45
46
-
The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore root of trust. The client MUST use a single Fulcio instance.
46
+
The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore [root of trust](https://github.com/sigstore/root-signing). The client MUST use a single Fulcio instance.
47
47
48
48
49
49
## Signature format
@@ -52,7 +52,7 @@ A signature using a Fulcio key MUST include the Fulcio certificate for use in ve
52
52
```
53
53
{
54
54
"keyid" : KEYID,
55
-
"bundle": BUNDLE
55
+
"sig": BUNDLE
56
56
}
57
57
```
58
58
Where BUNDLE is an object that contains the verification information (transparency log references or timestamps), Fulcio X.509 signing certificate, and a signature over targets metadata, conforming to the [format defined by Sigstore](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto). The transparency log verification information includes a signed timestamp (SET) from Rekor promising inclusion in the Rekor transparency log.
@@ -127,8 +127,6 @@ By default, clients will perform offline verification. They may choose to additi
127
127
128
128
Clients that do not recognize Fulcio certs will not be able to validate signatures from Fulcio certs, but they will be able to parse the metadata.
129
129
130
-
As `sig` was removed from `signatures`, parsing of the signatures will fail for old clients.
131
-
132
130
# Augmented Reference Implementation
133
131
134
132
The pull request [#181](https://github.com/theupdateframework/go-tuf/pull/181) in go-tuf adds this feature.
0 commit comments