slsa-github-generator
[docs] Reference sigstore rekor/cosign/fulcio security docs in SPECIFICATIONS
From OpenSSF best practices:
The software produced by the project MUST use, by default, only cryptographic protocols and algorithms that are publicly published and reviewed by experts (if cryptographic protocols and algorithms are used). [crypto_published] These cryptographic criteria do not always apply because some software has no need to directly use cryptographic capabilities.
We should have some links to docs on sigstore project's use of cryptography and policies.