Skip to content

Fulcio draft #168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 1, 2023
Merged

Fulcio draft #168

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
612582e
Add TAP number with minor clarifications.
mnm678 Feb 7, 2023
d422177
Add TAP 18 to index
mnm678 Feb 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
* [TAP 14: Managing TUF Versions](tap14.md)
* [TAP 16: Snapshot Merkle Trees](tap16.md)
* [TAP 17: Remove Signature Wrapper from the TUF Specification](tap17.md)
* [TAP 18: Ephemeral identity verification using sigstore's Fulcio for TUF developer key management](tap18.md)

## Rejected

Expand Down
12 changes: 5 additions & 7 deletions candidate-fulcio-tap.md → tap18.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
* TAP:
* TAP: 18
* Title: Ephemeral identity verification using sigstore's Fulcio for TUF developer key management
* Version: 0
* Last-Modified: 27/07/2021
* Last-Modified: 07/02/2023
* Author: Marina Moore, Joshua Lock, Asra Ali, Luke Hinds, Jussi Kukkonen, Trishank Kuppusamy, axel simon
* Type: Standardization
* Status: Draft
Expand Down Expand Up @@ -41,9 +41,9 @@ In order to facilitate use of Fulcio, delegations may list an OIDC identity, suc
}
```

Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification.
Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification. For example, identity could be "[email protected]" with an issuer "https://accounts.google.com".

The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore root of trust. The client MUST use a single Fulcio instance.
The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore [root of trust](https://github.com/sigstore/root-signing). The client MUST use a single Fulcio instance.


## Signature format
Expand All @@ -52,7 +52,7 @@ A signature using a Fulcio key MUST include the Fulcio certificate for use in ve
```
{
"keyid" : KEYID,
"bundle": BUNDLE
"sig": BUNDLE
}
```
Where BUNDLE is an object that contains the verification information (transparency log references or timestamps), Fulcio X.509 signing certificate, and a signature over targets metadata, conforming to the [format defined by Sigstore](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto). The transparency log verification information includes a signed timestamp (SET) from Rekor promising inclusion in the Rekor transparency log.
Expand Down Expand Up @@ -127,8 +127,6 @@ By default, clients will perform offline verification. They may choose to additi

Clients that do not recognize Fulcio certs will not be able to validate signatures from Fulcio certs, but they will be able to parse the metadata.

As `sig` was removed from `signatures`, parsing of the signatures will fail for old clients.

# Augmented Reference Implementation

The pull request [#181](https://github.com/theupdateframework/go-tuf/pull/181) in go-tuf adds this feature.
Expand Down