Tom Hennen

Results 313 comments of Tom Hennen

[json-schema.org](https://json-schema.org) seems to be the thing. We _could_ define schemas using it and then power some or all of the validation using the associated tooling. Not sure how folks feel...

Here's an example of what the json-schema for in-toto _statements_ would look like:

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://in-toto.io/Statement/v0.1.schema.json",
  "properties": {
    "_type": {
      "description": "TODO",
      "type": "string",
      "const": "https://in-toto.io/Statement/v0.1"...
```

> A JSON object should consist of static keys with values.

Can you provide a reference to where that restriction is indicated? I don't see it at json.org or in...

Hey William, Can you provide a concrete example? I'm afraid I don't quite follow as I don't think about statements as being boolean logic (but I'm not really a math...

@adityasaky said it all much better than I could. The only thing I have to add is that the [validation model](https://github.com/in-toto/attestation/blob/main/docs/validation.md#validation-model) might help clarify things here?

Yeah I'd be supportive of something like this. Is inheritance strictly necessary? I suspect we can probably meet existing needs without it, but maybe you have something in mind that...

Chatted about this at the maintainers meeting today.

1. We're generally for moving the VSA from SLSA to in-toto (and generalizing it in the process)
2. SLSA specific things, if...

Note that I think @adityasaky also previously expressed some interest in having the in-toto verifier emit VSAs but I don't know if that's gone anywhere yet.

We've had some discussions about this internally and I put this together to share those thoughts here in case it helps: https://docs.google.com/presentation/d/1_1ikfSaja87-Qx2ev26DYdiNgS6AEvVFO92oSwNGvJ8/edit?usp=sharing Comments welcome.

It occurs to me that the [Parsing rules](https://github.com/in-toto/attestation/tree/main/spec/v1#:~:text=Unrecognized%20fields%3A%20Consumers%20MUST%20ignore%20unrecognized%20fields%20unless%20otherwise%20noted%20in%20the%20predicate%20specification.%20This%20is%20to%20allow%20minor%20version%20upgrades%20and%20extension%20fields.%20Ignoring%20fields%20is%20safe%20due%20to%20the%20monotonic%20principle.) would seem to do this already? Independent reconstruction would seem to be incompatible with the requirement to ignore unrecognized fields?