
Attestation Context\Meta-data\Meta-information

Open dn-scribe opened this issue 3 years ago • 0 comments

Following #58 here, opening the mentioned issue.

The statement-level meta-data should hold enough information to enable:

  1. Simple policy decisions that are agnostic to the predicate details.
  2. Enable a first level of indexing of the attestations for later recall.
  3. Enable parsing of the predicate.

The current mandatory fields in the statement level are the subject and the predicate-type, which is, as a matter of fact, the predicate-media-type.

Fields that could be of use at the statement level include:

  - Predicate abstract type - "sbom", "provenance".
  - Predicate media type - the exact format (uri) (for SBOM: SPDX, SPDX-Lite, CycloneDX; for provenance: slsa-provenance).
  - When was the attestation taken: Timestamp #46.
  - Where was the attestation taken: Location in pipeline. I suggest an abstract location and a specific location: the abstract context could be a string with recommended values (user workstation, git-server, build machine etc.), and the specific context could be some machine ID.
  - Project id - could be a url such as https://github/myproject or simply a string set by the entity creating the attestation. There is a difference between the project id and the subject; the subject would typically be an artifact, but a project may produce many subjects. One could of course use multiple subject fields (as is supposed to be supported), but that is not natural.
  - An application specific object field - it is always convenient to have a placeholder for a generic object for implementation-specific data. As I understand this is supposed to be supported, see the parsing rules, but it would be better not to rely on the "undefined" but to explicitly define an application-specific object placeholder.

Such fields enable elaborated policies at the statement level (for example: require an sbom produced at build, without caring about the SBOM details), and would enable indexing to support searching attestations: search by project, subject, time, part of pipeline etc.

What are the attestation community thoughts about this?

dn-scribe, Dec 21 '21 08:12
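As an added example, not code from the issue or from the in-toto project: a Python sketch of a v0.1 Statement carrying the proposed fields in a hypothetical `metadata` object (the object and its key names are my assumption), with the predicate-agnostic "require an SBOM produced at build" policy and a first-level (project, abstract type) index run over constructed sample statements.

```python
from collections import defaultdict

PROJECT = "https://github.com/example-org/myproject"   # constructed project id

def statement(abstract, media, timestamp, context, machine, project, predicate):
    """Build an in-toto v0.1 Statement; the 'metadata' object is this example's assumption."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],  # placeholder digest
        "predicateType": media,          # today this is really the predicate media type
        "metadata": {
            "abstractType": abstract,    # "sbom" / "provenance"
            "mediaType": media,          # exact format URI
            "timestamp": timestamp,      # when the attestation was taken (ISO-8601 UTC)
            "context": {"abstract": context, "specific": machine},  # where it was taken
            "project": project,          # a project may produce many subjects
            "applicationData": {},       # explicit implementation-specific placeholder
        },
        "predicate": predicate,
    }

# Constructed sample statements; nothing below ever looks inside "predicate".
SAMPLE = [
    statement("sbom", "https://spdx.dev/Document", "2021-12-20T10:00:00Z",
              "user workstation", "dev-laptop-3", PROJECT, {"spdxVersion": "SPDX-2.2"}),
    statement("sbom", "https://cyclonedx.org/bom", "2021-12-21T08:12:00Z",
              "build machine", "builder-07", PROJECT, {"bomFormat": "CycloneDX"}),
    statement("provenance", "https://slsa.dev/provenance/v0.2", "2021-12-21T08:13:00Z",
              "build machine", "builder-07", PROJECT, {"builder": {"id": "builder-07"}}),
]

def index_statements(statements):
    """First-level index keyed by (project, abstract type), predicate untouched."""
    index = defaultdict(list)
    for s in statements:
        m = s["metadata"]
        index[(m["project"], m["abstractType"])].append(s)
    return index

def require_sbom_at(statements, project, where="build machine"):
    """The issue's example policy: some SBOM for `project` was taken at `where`, any SBOM format."""
    return any(s["metadata"]["context"]["abstract"] == where
               for s in index_statements(statements).get((project, "sbom"), []))

def latest(statements, project, abstract_type):
    """Newest attestation of a kind for a project; same-format UTC timestamps sort lexically."""
    hits = index_statements(statements).get((project, abstract_type), [])
    return max(hits, key=lambda s: s["metadata"]["timestamp"], default=None)
```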