Hayden B

Results 827 comments of Hayden B

Sorry for the delay in a response. This is a great question, and I'll try to answer this as precisely as possible for future readers as well. Extra thoughts are...

ping @wlynch as the maintainer (though my 2c, method 2, though in practice method 1 is probably fine)

@woodruffw, @kommendorkapten and I had a discussion in https://github.com/sigstore/protobuf-specs/issues/444. There was some concern that providing only the hash of an attestation would lead to a lack of verification of the...

I agree with William. This PR is for the attestation case, but if this were for the "bare" case, that can be accepted. With that said, I'm realizing that Cosign's...

Agreed with @codysoyland on the suggested changes. You'll also need to update https://github.com/sigstore/cosign/blob/accc80a840524890790c5c368fee26e22ec60bda/pkg/cosign/verifiers.go#L79-L87 to remove the assumption the digest is `sha256`. > Note that subject.name is [not a required field...
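The point in the comment above, that a verifier must not assume the subject digest is `sha256`, can be shown with an algorithm-agnostic subject match. The following is an added example written for this page; it is not Cosign's `verifiers.go` or any other Sigstore code. It assumes only the in-toto Statement shape (`subject[].digest` as a map from algorithm name to hex digest) and a constructed predicate type and artifact; the policy that a subject matches when every supported digest entry agrees and unsupported algorithms are skipped is an assumption of this example, not a Sigstore rule.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// Subject and Statement mirror the in-toto Statement fields used here.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// hashers maps in-toto DigestSet algorithm names to hash constructors.
// Nothing here privileges sha256; adding an algorithm is one map entry.
var hashers = map[string]func() hash.Hash{
	"sha256": sha256.New,
	"sha384": sha512.New384,
	"sha512": sha512.New,
}

// MatchSubject returns the name of the first subject whose digest set agrees
// with artifact. A subject matches when at least one of its digest entries
// uses a supported algorithm and every supported entry equals the recomputed
// digest; entries with unsupported algorithms are ignored (example policy).
func MatchSubject(stmtJSON []byte, artifact []byte) (string, error) {
	var stmt Statement
	if err := json.Unmarshal(stmtJSON, &stmt); err != nil {
		return "", fmt.Errorf("parse statement: %w", err)
	}
	sawSupported := false
	for _, subj := range stmt.Subject {
		matched, checked := 0, 0
		for alg, want := range subj.Digest {
			newHash, ok := hashers[strings.ToLower(alg)]
			if !ok {
				continue
			}
			sawSupported = true
			checked++
			h := newHash()
			h.Write(artifact)
			got := hex.EncodeToString(h.Sum(nil))
			if subtle.ConstantTimeCompare([]byte(got), []byte(strings.ToLower(want))) == 1 {
				matched++
			}
		}
		if checked > 0 && matched == checked {
			return subj.Name, nil
		}
	}
	if !sawSupported {
		return "", errors.New("no subject carries a supported digest algorithm")
	}
	return "", errors.New("artifact digest does not match any subject")
}

// NewStatement builds a minimal Statement (constructed for this example) whose
// single subject carries digests of artifact under the given algorithms.
func NewStatement(name string, artifact []byte, algs ...string) []byte {
	digest := map[string]string{}
	for _, alg := range algs {
		h := hashers[alg]()
		h.Write(artifact)
		digest[alg] = hex.EncodeToString(h.Sum(nil))
	}
	stmt := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: "https://example.com/predicate/v1", // constructed value
		Subject:       []Subject{{Name: name, Digest: digest}},
		Predicate:     json.RawMessage(`{}`),
	}
	b, _ := json.Marshal(stmt)
	return b
}

func main() {
	artifact := []byte("constructed artifact bytes\n")
	// A statement that only carries a sha512 digest still verifies.
	name, err := MatchSubject(NewStatement("blob.tar.gz", artifact, "sha512"), artifact)
	fmt.Println(name, err)
}
```

A verifier that hard-codes `sha256` would reject the sha512-only statement above even though the digest is correct; the map-driven lookup is what lets the same code accept any algorithm the DigestSet names.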

Could you say more about the need for multiple SANs? Conceptually, there should be only one signing identity - a user or a CI platform. The certificate profile states that...

There are two concerns, one technical and one conceptual. In the certificate profile for Fulcio, which clients have coded against, we specify that a certificate should contain [one Subject Alternative Name](https://github.com/sigstore/architecture-docs/blob/main/fulcio-spec.md#73-issued-certificate)....
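The two comments above rest on the profile requirement that an issued certificate carry exactly one Subject Alternative Name. The following is an added example for this page, not Fulcio or Cosign code, showing how a client can enforce that requirement. It walks the raw `subjectAltName` extension rather than relying on the parsed `DNSNames`/`EmailAddresses`/`URIs` fields, because Go's `crypto/x509` does not surface `otherName` entries as fields and a count built from those fields would miss them. The self-signed test certificates, key type and SAN values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// oidSubjectAltName is the id-ce-subjectAltName extension OID (2.5.29.17).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// CountSANs counts the GeneralName entries in the certificate's
// subjectAltName extension by decoding the DER SEQUENCE directly, so that
// every GeneralName choice (rfc822Name, uniformResourceIdentifier,
// otherName, ...) is counted, not only the ones Go exposes as fields.
func CountSANs(cert *x509.Certificate) (int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var seq asn1.RawValue
		rest, err := asn1.Unmarshal(ext.Value, &seq)
		if err != nil {
			return 0, fmt.Errorf("decode SAN extension: %w", err)
		}
		if len(rest) != 0 || seq.Tag != asn1.TagSequence || !seq.IsCompound {
			return 0, errors.New("malformed SAN extension")
		}
		n := 0
		body := seq.Bytes
		for len(body) > 0 {
			var gn asn1.RawValue // any GeneralName choice, context-specific tag
			body, err = asn1.Unmarshal(body, &gn)
			if err != nil {
				return 0, fmt.Errorf("decode GeneralName: %w", err)
			}
			n++
		}
		return n, nil
	}
	return 0, nil // no SAN extension at all
}

// RequireSingleSAN enforces the one-identity rule: exactly one SAN entry.
func RequireSingleSAN(cert *x509.Certificate) error {
	n, err := CountSANs(cert)
	if err != nil {
		return err
	}
	if n != 1 {
		return fmt.Errorf("expected exactly one SAN, found %d", n)
	}
	return nil
}

// NewTestCert issues a short-lived self-signed certificate carrying the given
// SANs. It exists only to exercise the check; it is not a Fulcio issuance.
func NewTestCert(emails []string, uris []*url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		EmailAddresses: emails,
		URIs:           uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ci, _ := url.Parse("https://example.com/ci/workflow") // constructed
	one, _ := NewTestCert([]string{"dev@example.com"}, nil)
	two, _ := NewTestCert([]string{"dev@example.com"}, []*url.URL{ci})
	fmt.Println("one SAN:", RequireSingleSAN(one))
	fmt.Println("two SANs:", RequireSingleSAN(two))
}
```

Counting at the DER level also means a certificate whose only identity is an `otherName` SAN is recognised as having one identity rather than zero.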