sigstore_rekor: clarify inclusion_promise requirement #380

woodruffw · 2024-08-09T17:46:17Z

This clarifies the (expected) requirements around inclusion_promise slightly. In particular, it clarifies that inclusion_promise is optional if and only if another source of signed time is present. If no other source of signed time is present, then an inclusion_promise is required and MUST be verified.

For cross-referencing, this is the part of the Client spec that suggests this behavior:

Timestamping. Currently, the Transparency Service includes a timestamp in its response to the Signer. This timestamp comes from the Transparency Service’s internal clock, which is not externally verifiable or immutable. For this reason, a Signer SHOULD get their signatures timestamped. However, a Signer MAY choose to omit the timestamping step; in this case, the Signer MUST use the Transparency Service to provide a timestamp for the signature.

(NB: Like the other requirements on bundle formats/required fields, this requirement is for short-lived certificate instances of Sigstore, like the Public Good Instance. CC @haydentherapper for thoughts on if/how this can be better communicated -- I'm happy to add additional language here or in the sigstore_bundle.proto file!)

Signed-off-by: William Woodruff <william@trailofbits.com>

haydentherapper · 2024-08-09T17:53:03Z

protos/sigstore_rekor.proto

-        // Optional for >= v0.2 bundles, and SHOULD be verified when present.
-        // Also may be used as a signed timestamp.
+        // Optional for >= v0.2 bundles if another source of signed time
+        // is present.


One could interpret "another source of ... time" to be current time, but "current time" wouldn't be signed. We could be very prescriptive and say "When verifying long-lived certificates, the client MAY choose to not require a signed timestamp and instead use the system clock." Thoughts?

That sounds good to me! Updating.

Updated in d9edb63 -- it now talks about a "suitable" source of time, which can be either another signed time source or the current system time when the certs are long-lived. LMKWYT!

Signed-off-by: William Woodruff <william@trailofbits.com>

haydentherapper

Perfect, thanks!

sigstore_rekor: clarify inclusion_promise requirement

3b39d52

Signed-off-by: William Woodruff <william@trailofbits.com>

woodruffw requested a review from haydentherapper August 9, 2024 17:46

woodruffw self-assigned this Aug 9, 2024

gen: make all

2441465

Signed-off-by: William Woodruff <william@trailofbits.com>

haydentherapper reviewed Aug 9, 2024

View reviewed changes

rekor: clarify suitable sources of time

d9edb63

Signed-off-by: William Woodruff <william@trailofbits.com>

haydentherapper approved these changes Aug 9, 2024

View reviewed changes

woodruffw merged commit 0606c22 into sigstore:main Aug 9, 2024
24 checks passed

woodruffw deleted the ww/clarify-signed-time branch August 9, 2024 18:12

woodruffw mentioned this pull request Aug 9, 2024

Some 0.1 bundles fail to verify sigstore/sigstore-python#1088

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

sigstore_rekor: clarify inclusion_promise requirement #380

sigstore_rekor: clarify inclusion_promise requirement #380

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sigstore_rekor: clarify inclusion_promise requirement #380

sigstore_rekor: clarify inclusion_promise requirement #380

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!