Sigstore, Spx: Add notes about metadata format stability #632
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Both of these metadata formats (e.g. the data encoding and field names) are bsaically invented in securesystemslib: there is no community consensus on them yet.
jku
commented
Sep 1, 2023
The identity/issuer in the public key are the details that we verify in the signing certificate. The OIDC identity of the authentication token may be slightly different: * because of identity federation the OIDC issuer may be sigstore.dev but the verified (federated) issuer may be github.com * in the ambient credential case the authentication token identity does not necessarily match the sertificate identity Make it clear that import_() takes the "verifying identity" details.
Closed
MVrachev
approved these changes
Sep 1, 2023
|
SpxKey is currently used by the default as well... as in a client will accept SPHINCS keys by default right now. I'm tempted to remove that so that it's comparable to SigstoreKey: both client and repository would explicitly have to enable SPHINCS for those keys to work. |
Clients that want to enable SPHINCS keys can easily do that with
KEY_FOR_TYPE_AND_SCHEME[("sphincs", "sphincs-shake-128s")]: SpxKey
This makes Spx and Sigstore behave similarly.
|
I can't actually see who the maintainers are (GitHub is a bit silly in that) but I believe at least @adityasaky and @mnm678: could either of you review this? this is preparation for #631 |
No need to talk about TUF specification here: the point is that we're not sure if the key formats are final and have community consensus yet -- wherever that may form.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Both of these metadata formats (e.g. the data encoding and field names) are basically invented in securesystemslib: there is no community consensus on them yet.
I've also tweaked the sigstore docstring to be more exact
EDIT: I noticed SpxKey was part of the default key set: I'd rather err on the side of caution and not enable new keys automatically if we're not sure there is a consensus about the metadata format: I removed the key from default set