Hayden B
I think it would be good to sync on this to avoid duplicated work.
Now at a keyboard, so typing a bit more haha. Here's the current efforts, if I understand this ticket correctly and combining the ongoing work: * Adding support in Cosign...
Check out https://github.com/sigstore/fulcio/issues/624. This seems like a similar issue, whether or not to include provenance in the certificate. Ultimately we decided that Fulcio should just be for identity, and provenance should...
I think this is a little different. For the source repo specification, we're looking at embedding a standard set of claims from source repos like GitHub/GitLab/etc that only refer to...
Interesting question! Supporting verification of fields that aren’t set by Fulcio sounds like out of scope for Cosign. Fulcio only sets SANs, not common name. I think this should be...
Feature incoming! https://github.com/sigstore/cosign/issues/1964
Small nit, I know I’ve been calling this paranoid mode, but we should probably call it something more enticing publicly, like “stronger verification” or something.
Another question, should we mandate that you provide a previous checkpoint for the consistency proof? I think yes, otherwise there’s not much point to the online lookup.
I don’t know if we need to prioritize this before there’s support for gossiping. I would like this mode to provide the strongest assurances against a malicious log.
So maybe two phases for this? One to add a flag just to say “online lookup”, and one to also gossip. I think this also fits in nicely with the...