Determine who is responsible for checking the Attestation payload #503

Closed
acamadeo opened this issue May 7, 2020 · 2 comments

acamadeo commented May 7, 2020

Currently, VerifyAttestation both verifies an Attestation's signature and checks the contents of the Attestation's payload for the correct image digest.

  1. Determine if VerifyAttestation should be doing both things. If not, what information should it return to the user? Should it return the raw extracted payload? Should it return an AuthenticatedAttestation (which may provide type-safety for trustworthy Attestation contents)?

  2. Determine whether we want to provide any API at all for checking the contents of an Attestation's payload. If so, what would this look like?

acamadeo added the "help wanted" label May 7, 2020
acamadeo changed the title from "Flesh out AuthenticatedAttestation" to "Determine who is responsible for checking the Attestation payload" May 7, 2020

ooq commented May 7, 2020

Thanks for documenting this!

acamadeo added the "question" label and removed the "help wanted" label May 7, 2020

acamadeo commented Jun 3, 2020

  1. In the next iteration of the crypto library, VerifyAttestation should convert an attestation into an AuthenticatedAttestation and return it. It should not check the contents of the attestation or AuthenticatedAttestation. That will be the responsibility of the caller.

  2. It may be helpful to design a policylib library built on top of cryptolib, which would provide some sort of payload content checking options. This is not necessary at the moment, and cannot be fully fleshed out until rich attestations exist.
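
The split described in this thread, as an added sketch that is not the project's code: signature verification returns an authenticated type, and the caller performs the image digest check. Only the names VerifyAttestation and AuthenticatedAttestation come from the issue; the Attestation shape, Ed25519, the JSON field `image_digest`, and the helpers `CheckImageDigest` and `sample` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is untrusted input: a payload plus a detached signature (hypothetical shape).
type Attestation struct{ Payload, Signature []byte }

// AuthenticatedAttestation is returned only after the signature verified. In a real
// library it would live in its own package so callers cannot set the field directly.
type AuthenticatedAttestation struct{ payload []byte }

func (a AuthenticatedAttestation) Payload() []byte { return a.payload }

// VerifyAttestation authenticates the attestation and never inspects the payload.
func VerifyAttestation(pub ed25519.PublicKey, att Attestation) (AuthenticatedAttestation, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, att.Payload, att.Signature) {
		return AuthenticatedAttestation{}, errors.New("attestation signature invalid")
	}
	// Copy so later changes to the untrusted input cannot alter the verified bytes.
	return AuthenticatedAttestation{payload: append([]byte(nil), att.Payload...)}, nil
}

// CheckImageDigest is the caller's content check (assumed JSON field "image_digest").
func CheckImageDigest(a AuthenticatedAttestation, want string) error {
	var p struct{ ImageDigest string `json:"image_digest"` }
	if err := json.Unmarshal(a.Payload(), &p); err != nil {
		return fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if p.ImageDigest != want {
		return fmt.Errorf("attested digest %q, deployed image %q", p.ImageDigest, want)
	}
	return nil
}

// sample builds a constructed attestation signed with a throwaway key.
func sample(digest string) (ed25519.PublicKey, Attestation) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload, _ := json.Marshal(map[string]string{"image_digest": digest})
	return pub, Attestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	pub, att := sample("sha256:constructed")
	auth, err := VerifyAttestation(pub, att)
	fmt.Println(err, CheckImageDigest(auth, "sha256:constructed"))
}
```

A valid signature over a payload naming a different image still passes VerifyAttestation in this design, so a caller that skips the content check accepts it.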
