
Make it hard to accidentally not have a CT log

Open znewman01 opened this issue 2 years ago • 4 comments

Right now, if --ct-log-url is not passed, we don't set up the CT log:

https://github.com/sigstore/fulcio/blob/d43e0d948c1f26d9a6d910857c7ecb86b8980564/cmd/app/serve.go#L225

That feels easy to do accidentally. Should we require a --no-ct-log flag for testing or other environments without a CT log?

H/T @mnm678 and her student (whose GH I don't know)

znewman01 avatar Nov 16 '22 20:11 znewman01
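One way to implement the fail-closed default proposed above, as an added example that is not fulcio's own code: a standalone Go flag parser in which omitting --ct-log-url is a startup error unless the proposed --no-ct-log opt-out is passed explicitly. The flag names mirror the issue; ResolveCTLog and ParseServeFlags are hypothetical names, and the standard-library flag package stands in for fulcio's real CLI wiring.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"net/url"
)

// CTLogConfig is the resolved certificate transparency log setting.
type CTLogConfig struct {
	Enabled bool
	URL     string
}

// ErrCTLogNotConfigured: neither flag was given, so the operator made no explicit choice.
var ErrCTLogNotConfigured = errors.New("no CT log configured: pass --ct-log-url or opt out explicitly with --no-ct-log")

// ResolveCTLog fails closed: silence is an error, disabling needs an explicit
// --no-ct-log, and passing both flags is rejected as contradictory.
func ResolveCTLog(ctLogURL string, noCTLog bool) (CTLogConfig, error) {
	switch {
	case noCTLog && ctLogURL != "":
		return CTLogConfig{}, fmt.Errorf("--no-ct-log and --ct-log-url=%q are mutually exclusive", ctLogURL)
	case noCTLog:
		return CTLogConfig{Enabled: false}, nil
	case ctLogURL == "":
		return CTLogConfig{}, ErrCTLogNotConfigured
	}
	u, err := url.Parse(ctLogURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return CTLogConfig{}, fmt.Errorf("invalid --ct-log-url %q: want an http(s) URL with a host", ctLogURL)
	}
	return CTLogConfig{Enabled: true, URL: ctLogURL}, nil
}

// ParseServeFlags parses a serve-style argument list (Go's flag package accepts
// both -x and --x) and applies the fail-closed rule. Hypothetical, not fulcio's CLI.
func ParseServeFlags(args []string) (CTLogConfig, error) {
	fs := flag.NewFlagSet("serve", flag.ContinueOnError)
	ctLogURL := fs.String("ct-log-url", "", "URL of the CT log")
	noCTLog := fs.Bool("no-ct-log", false, "run without a CT log (explicit opt-out)")
	if err := fs.Parse(args); err != nil {
		return CTLogConfig{}, err
	}
	return ResolveCTLog(*ctLogURL, *noCTLog)
}
```

With this rule, a test or private deployment that really has no CT log must say so on the command line, and a forgotten flag fails at startup instead of silently skipping certificate transparency.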

Sounds reasonable to me! Note, if in a private deployment you're using both Rekor and Fulcio, then you could avoid the need for a CT log if you leverage Rekor as a CT log.

haydentherapper avatar Nov 16 '22 22:11 haydentherapper

cc @Junochiu

mnm678 avatar Nov 17 '22 15:11 mnm678

Sounds reasonable to me! Note, if in a private deployment you're using both Rekor and Fulcio, then you could avoid the need for a CT log if you leverage Rekor as a CT log.

@haydentherapper could you please elaborate further? Is there any documentation on how to use rekor as a ctlog? From the scaffold chart & docs I understood that ctlog is an entirely separate, necessary component from rekor.

This is a discussion on trust boundaries - If your log and certificate authority operate in the same trust domain (as in, if one gets compromised, the other is likely to also), then there's little value in operating a second log. However, note that the CT log and Rekor record different things - CT records issued certificates, Rekor records signing events. You could skip putting certificates into the CT log as long as you always are putting signing events into Rekor. Then an identity monitor only needs to monitor Rekor, not a CT log too.

As for how to set this up in scaffold, you can ask on our slack #private-sigstore-users channel.

haydentherapper avatar Nov 26 '23 11:11 haydentherapper