[Meta] Support for Timestamp Protocol verification #1182
Comments
|
Can I get a short explanation for the use cases:
vs
If the public good instance is not going to support this, is it worth the additional code and dependency in this client? |
RationaleThe idea is to use a Timestamp Authority to attest or verify when the signature has been generated. The current approach offers a way of verifying the signature time using the timestamp on the inclusion proof. However, this is unreliable because the time here is not verifiable. To quote the spec :
Using a dedicated Time Source (such as a TSA) separates concerns between the timestamp and logging. A TSA provides a cryptographically verifiable, trusted timestamp designed for this purpose (following RFC 3161). This is particularly important for the "hybrid model" of certificate verification described in the spec, where signatures must have a valid timestamp while every certificate in the chain up to the root is valid. And as an excellent point, it allows us to be more closely aligned with the spec:
This also improves the verification flexibility where we can now support three different scenarios :
Implementation designMost of the required components are already available in Sigstore's protobuf models, and the main part of the work is to do some plumbing. Some key choices : The workflow for verifying a bundle should not change. As specified in the spec, if the bundle embeds signed timestamps, they must be verified, or the verification will end with an error.
|
|
Thanks for the summary @DarkaMaul. Yeah, from my perspective this feature is primarily useful to the "BYO PKI" case: the Sigstore client spec says that a bundle can use an RFC 3161 timestamp as a source of verifiable time instead of the inclusion promise time, and (to my understanding) RFC 3161 deployments are "dime a dozen" at larger companies. I agree that this has marginal-to-no impact on public instances users, at least for the time being. The only case it might it if a public instance user directly modifies their trust config to require one or more TSAs, although I'm not aware of anybody doing that (or planning to) 🙂 |
Improve the support of
sigstore-pythonfor signing and verification APIs and CLIs for accepting signed time from a TSA versus an artifact transparency log (or both).Description
We developed a new
rfc3161-clientto perform the parsing and generation of the Timestamp Request/Response objects.This set of changes aims to integrate this new client into
sigstore-python. We'll split the contributions into several PRs to make their review slightly easier.TimestampVerificationDatamodelsTrustedRootto provide the Timestamps Authority information.trusted_root.jsonroot-signing#1268 , Signing event: sign/update-targets-1 root-signing-staging#156 )Add a CLI parameterrequire-timestampto trigger the verification/cc @woodruffw @facutuesca
The text was updated successfully, but these errors were encountered: