From daca3c5975eb2d27a7ab9d754ece14bb364ba2b1 Mon Sep 17 00:00:00 2001 From: Aditya Sirish Date: Wed, 1 Jan 2025 16:51:26 -0500 Subject: [PATCH] content: Clarify types of identity management in source track Signed-off-by: Aditya Sirish --- docs/spec/draft/source-requirements.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index 87240ac6b..444d968da 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md @@ -212,8 +212,13 @@ Exceptions are allowed via the [safe expunging process](#safe-expunging-process) ✓✓ Identity Management -There exists an identity management system or some other means of identifying actors. -This system may be a federated authentication system (AAD, Google, Okta, GitHub, etc) or custom implementation (gittuf, gpg-signatures on commits, etc). +There exists an identity management system or some other means of identifying +and authenticating actors. Depending on the SCS, identity management may be +provided by source control services (e.g., GitHub, GitLab), implemented using +cryptographic signatures (e.g., using gittuf to manage public keys for actors), +or extend existing authentication systems used by the organization (e.g., Active +Directory, Okta, etc.). + The SCS MUST document how actors are identified for the purposes of attribution. Activities conducted on the SCS SHOULD be attributed to authenticated identities.
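Review bot: The three alternatives in the added paragraph are not grammatically parallel ("may be provided by ...", "implemented using ...", "or extend existing authentication systems ..."), so the third reads as "may be ... extend". Suggest "or delegated to existing authentication systems used by the organization (e.g., Active Directory, Okta)" and drop the trailing "etc." after an "e.g." list. The replaced text also listed "gpg-signatures on commits" as a custom implementation, and the new wording keeps only gittuf as the cryptographic-signature example; since signed commits remain a common way to bind an identity to SCS activity, consider keeping them alongside gittuf, e.g. "(e.g., signed commits, or gittuf-managed public keys for actors)". Finally, the first sentence now requires a means of "identifying and authenticating actors", while the unchanged lines below only MUST "document how actors are identified" and SHOULD attribute activities to authenticated identities; if authentication is meant to be optional at this level, the new sentence should say so, otherwise the SHOULD below looks inconsistent with it.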