
Proposal to remove Type for SubjectAlternativeName

Open Hayden-IO opened this issue 1 year ago • 2 comments

Description

A user should not need to be aware of which "type" or GeneralName the subject is set in. Removing Type would simplify how a certificate identity is represented to be comprised of a subject and issuer only. This is also aligned with other Sigstore client implementations.

A similar conversation occurred in Fulcio previously (https://github.com/sigstore/fulcio/issues/716#issuecomment-1204549133), and the threat of "type confusion" was mitigated through CA enforcement that URIs look like URIs and emails look like emails, rather than client enforcement.

Relevant code:

  • https://github.com/sigstore/sigstore-go/blob/main/pkg/fulcio/certificate/summarize.go#L37
  • https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/certificate_identity.go#L72-L76

I'd like to discuss this; I'm fine if we ultimately decide there is value in keeping this, but with the goal of making breaking changes before a 1.0, I wanted to raise this.

Hayden-IO avatar May 15 '24 22:05 Hayden-IO
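To make the proposal concrete, here is an added Go example of what a type-agnostic certificate identity check looks like. It is illustration written for this thread, not sigstore-go's own `verify` or `certificate` package: the `Identity`, `SubjectAlternativeNames`, `IssuerFromCert`, `Matches` and `NewTestCert` names are assumptions, the self-signed certificate it builds is constructed test data rather than a Fulcio-issued cert, and the issuer extension OID `1.3.6.1.4.1.57264.1.1` is assumed to be Fulcio's raw-string OIDC issuer extension (check the Fulcio OID registry before relying on it). The point it demonstrates is that a verifier can flatten every SAN GeneralName into one list and compare the expected subject and issuer strings, leaving "is this a URI or an email" to the CA at issuance time, as the Fulcio discussion linked above settled on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Identity is the proposed shape of a certificate identity: subject and issuer only,
// with no SAN type field for the caller to get right.
type Identity struct {
	Subject string
	Issuer  string
}

// oidIssuer is assumed here to be Fulcio's raw-string OIDC issuer extension OID.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// SubjectAlternativeNames flattens every SAN GeneralName on the certificate
// (email, URI, DNS, IP) into a single list of strings, discarding the type.
func SubjectAlternativeNames(cert *x509.Certificate) []string {
	sans := append([]string{}, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		sans = append(sans, u.String())
	}
	sans = append(sans, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	return sans
}

// IssuerFromCert returns the value of the issuer extension, or "" if it is absent.
func IssuerFromCert(cert *x509.Certificate) string {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			return string(ext.Value)
		}
	}
	return ""
}

// Matches reports whether the certificate was issued by want.Issuer and carries
// want.Subject in any SAN, regardless of which GeneralName type the CA chose.
func Matches(cert *x509.Certificate, want Identity) bool {
	if want.Subject == "" || want.Issuer == "" || IssuerFromCert(cert) != want.Issuer {
		return false
	}
	for _, san := range SubjectAlternativeNames(cert) {
		if san == want.Subject {
			return true
		}
	}
	return false
}

// NewTestCert builds a short-lived self-signed certificate (constructed test data)
// carrying one SAN and the issuer extension. Mimicking the CA's role, it places
// subjects with a URL scheme in a URI SAN and everything else in an email SAN.
func NewTestCert(subject, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed test cert"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}},
	}
	if u, err := url.Parse(subject); err == nil && u.Scheme != "" {
		tmpl.URIs = []*url.URL{u}
	} else {
		tmpl.EmailAddresses = []string{subject}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("alice@example.com", "https://accounts.example.com")
	if err != nil {
		panic(err)
	}
	want := Identity{Subject: "alice@example.com", Issuer: "https://accounts.example.com"}
	fmt.Println("SANs:", SubjectAlternativeNames(cert), "match:", Matches(cert, want))
}
```

Note that `Matches` refuses empty subject or issuer strings so that a zero-value `Identity` can never match anything, and that it reads only the raw-string issuer extension; a verifier handling real Fulcio certificates would also need to read the newer DER-encoded issuer extension, which this example deliberately leaves out.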

cc @woodruffw since we've talked about related things many times

Hayden-IO avatar May 15 '24 22:05 Hayden-IO

+1 from me -- IMO type separation is good generally, and is best handled at the CA/issuance layer in this case rather than within individual clients.

woodruffw avatar May 15 '24 22:05 woodruffw