Align Client Fallback Behavior for Deprecated ECDSA Algorithms in v3 Bundles #1415
Comments
|
what a mess. I see @woodruffw had this opinion in March:
|
|
Am I correct that this is not just about supporting "deprecated" combinations of key size and hash algo, but also that the signing certificates are just incorrect: they claim to be using another hash algorithm but actually use SHA-256? |
|
@jku Correct, specifically with Rekor on our side. But both are valid issues I believe For example, within the signed target trust root we have |
Some v3 bundles were created using ECDSA key types (P384, P521) paired with SHA-2 hash functions that are not considered standard or recommended. These combinations (e.g., P384 with SHA256, P521 with SHA256) are now considered deprecated as shown here
Currently:
sigstore-go has implemented a fallback strategy (see sigstore/sigstore-go#424) that attempts multiple hash combinations (e.g., SHA256 and SHA384 for P521).
sigstore-python and potentially other clients do not implement this fallback, and fail to verify certain valid v3 bundles signed with these combinations.
We should consider implementing the same fallback logic across clients to ensure consistent verification behavior for existing v3 bundles.
Specifically:
For P384: try both SHA256 and SHA384
For P521: try both SHA256 and SHA512
Discussion Points
Do we want to add fallback to sigstore-python?
Should fallback be the standard behavior for v3 clients?
Is it worth standardizing this behavior in the spec to avoid ambiguity?
The text was updated successfully, but these errors were encountered: