Hayden B

Results: 828 comments by Hayden B

Related to https://github.com/sigstore/fulcio/issues/66. We chose to not pursue this at the time since it encouraged developer-managed keys, which is not what the public infrastructure is focused on. This feature fits...

> I was suddenly curious about whether Fulcio supported long-term keys, and I was surprised that the spec [suggests](https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md#:~:text=A%20client%20MAY%20request%20a%20certificate%20with%20a%20long%2Dlived%20key%2C%20but%20a%20client%20MUST%20adequately%20secure%20the%20key%20material) it does.

Correct, Fulcio does not track key usage so clients...

Can we select an image based on the architecture `docker-compose` is run on? Pinning is a good practice as tags are mutable. cc @cpanato

@bdehamer Thanks for the heads up. I would not make any breaking changes to the API, so we'll still write responses to the [detached SCT one-of message](https://github.com/sigstore/fulcio/blob/main/fulcio.proto#L149). I'll only mark...

There aren't many places where the signing algorithm is hardcoded. To give a quick overview, there are a few CA "backends" that implement signing logic given a key in some format...

> What do you think is the best way to handle this? We might just ignore this and accept that cosign will only work with sha256 and at some point...

There was an OID (https://oid-rep.orange-labs.fr/get/1.3.101.114) allocated in an earlier [revision](https://datatracker.ietf.org/doc/html/draft-ietf-curdle-pkix-03) of the RFC, but for whatever reason, it was removed. I assume this OID would be reused if it were...

Also, this is going to be an issue when we want to experiment with PQ-signed certificates (not sure what sig algs are being used currently). I'd poke around Cloudflare's codebase,...

From asking around, some more info:

* Support for ed25519ph has stalled after it was not included in RFC8410. The reason, from the [working group summary](https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/shepherdwriteup/), is that they could...

I would recommend proceeding with certifying ed25519ph keys as ed25519. Since we're adding the feature to Rekor to allow hashedrekord + ed25519ph, any client that has dealt with ed25519 keys...