From 612582e5e793cb004f5c77f46137a593adebcf84 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Tue, 7 Feb 2023 13:16:15 -0500 Subject: [PATCH 1/2] Add TAP number with minor clarifications. Clarifications include: * linking to the root-signing repository * replacing "bundle" with "sig" for backwards compatibility Signed-off-by: Marina Moore --- candidate-fulcio-tap.md => tap18.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) rename candidate-fulcio-tap.md => tap18.md (98%) diff --git a/candidate-fulcio-tap.md b/tap18.md similarity index 98% rename from candidate-fulcio-tap.md rename to tap18.md index 07ab4bc8..37f5fcf1 100644 --- a/candidate-fulcio-tap.md +++ b/tap18.md @@ -1,7 +1,7 @@ -* TAP: +* TAP: 18 * Title: Ephemeral identity verification using sigstore's Fulcio for TUF developer key management * Version: 0 -* Last-Modified: 27/07/2021 +* Last-Modified: 07/02/2023 * Author: Marina Moore, Joshua Lock, Asra Ali, Luke Hinds, Jussi Kukkonen, Trishank Kuppusamy, axel simon * Type: Standardization * Status: Draft @@ -41,9 +41,9 @@ In order to facilitate use of Fulcio, delegations may list an OIDC identity, suc } ``` -Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification. +Where IDENTITY is the OIDC identity of the party who is authorized to sign and ISSUER is the OIDC entity used by Fulcio for verification. For example, identity could be "hello@gmail.com" with an issuer "https://accounts.google.com". -The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore root of trust. The client MUST use a single Fulcio instance. +The root certificate or certificate chain for the Fulcio server MUST be obtained using the Sigstore [root of trust](https://github.com/sigstore/root-signing). The client MUST use a single Fulcio instance. ## Signature format 
@@ -52,7 +52,7 @@ A signature using a Fulcio key MUST include the Fulcio certificate for use in ve ``` { "keyid" : KEYID, - "bundle": BUNDLE + "sig": BUNDLE } ``` Where BUNDLE is an object that contains the verification information (transparency log references or timestamps), Fulcio X.509 signing certificate, and a signature over targets metadata, conforming to the [format defined by Sigstore](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto). The transparency log verification information includes a signed timestamp (SET) from Rekor promising inclusion in the Rekor transparency log. @@ -127,8 +127,6 @@ By default, clients will perform offline verification. They may choose to additi Clients that do not recognize Fulcio certs will not be able to validate signatures from Fulcio certs, but they will be able to parse the metadata. -As `sig` was removed from `signatures`, parsing of the signatures will fail for old clients. - # Augmented Reference Implementation The pull request [#181](https://github.com/theupdateframework/go-tuf/pull/181) in go-tuf adds this feature. From d42217724f8b58a095bc4c406611f0e499c137d5 Mon Sep 17 00:00:00 2001 From: Marina Moore Date: Tue, 7 Feb 2023 16:30:49 -0500 Subject: [PATCH 2/2] Add TAP 18 to index Signed-off-by: Marina Moore --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7eb34aee..fbe4d22b 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ * [TAP 14: Managing TUF Versions](tap14.md) * [TAP 16: Snapshot Merkle Trees](tap16.md) * [TAP 17: Remove Signature Wrapper from the TUF Specification](tap17.md) +* [TAP 18: Ephemeral identity verification using sigstore's Fulcio for TUF developer key management](tap18.md) ## Rejected
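Review bot: In the `@@ -1,7 +1,7 @@` hunk of tap18.md, `Last-Modified` is bumped to 07/02/2023 but `Version: 0` is unchanged even though a later hunk in this same patch renames the signature field (`"bundle"` to `"sig"`), which changes the wire format relative to the earlier draft; consider either bumping the version or recording the field rename in the TAP text so implementers of the earlier draft (such as the go-tuf PR #181 referenced in the context lines) know which field name to expect.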
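Review bot: In the `@@ -41,9 +41,9 @@` hunk, the new link for the Sigstore root of trust points at the top level of the sigstore/root-signing repository rather than at a specific trust root; since the sentence says the Fulcio certificate chain MUST be obtained using that root of trust, state how a client is expected to obtain and update it (the repository's signed metadata, not a file fetched from a branch), and spell out what "a single Fulcio instance" means, e.g. the instance whose certificate chain appears in that trust root. The added `"hello@gmail.com"` / `"https://accounts.google.com"` example helps; consider also saying which OIDC claim IDENTITY is compared against so implementers match the right certificate field.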
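Review bot: In the `@@ -52,7 +52,7 @@` hunk, renaming `"bundle"` to `"sig"` keeps the key name existing clients look for, but the value is now BUNDLE, an object, whereas `sig` has previously carried a signature string; the text should say whether an old client is expected to tolerate a non-string `sig` or will reject that signature entry, because the unchanged claim elsewhere in the document that old clients "will be able to parse the metadata" depends on the answer.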
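Review bot: In the `@@ -127,8 +127,6 @@` hunk, the sentence "As `sig` was removed from `signatures`, parsing of the signatures will fail for old clients." is deleted without a replacement; since `sig` is now retained but with an object value, suggest adding a sentence that states the concrete expected behaviour of old clients on the new `sig` value rather than dropping the backwards-compatibility caveat entirely.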