dlorenc

We should also document some easy to use "non-transparent" mirrors for internal use. We're planning to throw data into bigquery/pubsub as part of #191. We should document how others can...

Bumping to blocker

This looks great to me overall! Ping me when it's ready for a full review!

Note that when we roll this out, we'll want to do it in a few phases: * add support to the server * make cosign and rekor-cli and any other...

Can you clarify what you mean by federated access? There are a few different approaches I can imagine so I want to understand the use-case a bit more. Do you...

After rereading - I think you might be suggesting that we would want signatures to be present in **multiple** transparency logs. CT works this way - CAs must publish certs...

Yes - the quorum one could be enforced in a few ways. Publishers could write signatures to a few logs and get inclusion proofs before distributing signatures/artifacts. Clients could check...

At the same time, I think a lot of "internal mirror" setups don't need to be transparent. They're behind a firewall and operating on a trusted compute base for most...

OK - I think I understand this now. In certain cases, we could allow users to verify that an entry is in Rekor without needing hit the Rekor API. For...

This has come up a few times recently, and I just had a thought. What if instead of deprecation logs, we flip things around and add validity logs? I outlined...