Specify a mediaType for SLSA attestations
Some tools require a mediaType for storing/transferring content like SLSA attestations. It would be useful if SLSA had a mediaType, either based on a registered domain, or ideally registered with IANA.
A possible example is application/vnd.slsa.in-toto.dsse.
I think we should handle this at the in-toto level, since the SLSA Provenance is a layer inside. I'll close this in favor of https://github.com/in-toto/attestation/issues/271.
That feels backwards to me. My understanding is that would be a mediaType that names the envelope that happens to contain application data, rather than the application that happens to use an envelope. But we can have that discussion on the linked issue.
Update: We discussed the general topic of attestation media types at the in-toto community meeting last week. The decision from the in-toto side is to continue indicating the attestation type at the DSSE layer, with guidelines for indicating the predicate type as well. What those guidelines are is still TBD. Implementations or use cases that don't use signing/in-toto fall outside the purview of in-toto, so they can certainly use or define their own predicate-specific mediaType.
So, please feel free to re-open this issue if a SLSA-specific media type for Build L1 use cases is still needed.
Following the latest discussion on the in-toto end, it sounds like this issue needs to be re-opened for SLSA L1 use cases.
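Added example, not part of the thread and not SLSA or in-toto project code: a Python sketch of where type information sits in each layer discussed above. It shows that the DSSE `payloadType` names only the in-toto layer, so a tool must decode the payload to learn that the predicate is SLSA Provenance, and that an unsigned (Build L1 style) statement has no envelope-level type at all. The function names and sample data are constructed for illustration; no signature verification is performed.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def describe_layers(document: str) -> dict:
    """Report the type identifier found at each layer of an attestation.

    Hypothetical helper. It does NOT verify signatures; it only shows
    where the type information lives.
    """
    obj = json.loads(document)
    layers = {"envelope": None, "statement": None, "predicate": None}

    if "payloadType" in obj and "payload" in obj:
        # DSSE envelope: payloadType identifies the in-toto layer only.
        layers["envelope"] = obj["payloadType"]
        if obj["payloadType"] != IN_TOTO_PAYLOAD_TYPE:
            return layers  # not in-toto, so the inner layers are unknown
        obj = json.loads(base64.b64decode(obj["payload"]))

    # in-toto Statement: unwrapped above, or stored bare and unsigned.
    layers["statement"] = obj.get("_type")
    layers["predicate"] = obj.get("predicateType")
    return layers


def is_slsa_provenance(document: str) -> bool:
    """True when the predicate layer is some version of SLSA Provenance."""
    pred = describe_layers(document)["predicate"]
    return isinstance(pred, str) and pred.startswith(SLSA_PREDICATE_PREFIX)


# Constructed sample data (not taken from the thread).
_statement = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example.tar.gz", "digest": {"sha256": "0" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
UNSIGNED = json.dumps(_statement)
SIGNED = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(UNSIGNED.encode()).decode(),
    "signatures": [{"keyid": "constructed", "sig": "AAAA"}],
})
```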