Hayden B

Results 457 comments of Hayden B

Why do we need signed timestamps? Are we gaining much benefit from this? If we're publishing the commit to the log, we have a witness to the signing. The added...

If we're stuck with RFC 3161, then I'd recommend using a third-party TSA, probably not by default and probably making it configurable. On the note of by default, this gets...

Planning to take a look at spinning up a rfc3161 server soon. I don’t think this is blocked though, you can easily use a third party TSA, and frankly it’s...

@znewman01, are you saying that a Verified check mark occurs when using a TSA? I ask because I don’t remember seeing this in the docs, I just saw info about...

Is it possible to make identity visible when inspecting the signature in the UI? I’ve seen only the common name and organization, which makes it hard to quickly verify the...

Looking into this, we should have all the shard-specific information to verify an inclusion proof. Take two examples from staging, `9398b28cbfedb3aa3b5d27b88376f68928ca33fbcd14be6f6aa235346d744ccf` and `fea892f7ac038b3a9d38a6fbc744fd727290d473960e13d8be9f1ce1b0815c04`. The first entry was uploaded before sharding...

Yes for (1). For (2), we should also decide what verification from Cosign should be a part of a Rekor client, for example, verification of the SET.

I'd prefer this either live in Rekor or sigstore/sigstore. Given it's intertwined with TUF, I think sigstore/sigstore in the best option for now. Long term, I think tlog verification should...

Relevant links:

* https://datatracker.ietf.org/doc/html/rfc3628 - For a TSA policy
* https://www.rfc-editor.org/rfc/rfc3161 - RFC for 3161
* https://datatracker.ietf.org/doc/html/rfc5816 - Updates for certificate inclusion to 3161
* Use of RFC 3628's policy...