Clarified how clients should work with the trust root during rotations #210

Merged
merged 3 commits into from
Feb 2, 2024


kommendorkapten
Member

Summary

Clarified how clients should interpret the trust root with respect to rotations of trusted material

Release Note

  • Clarified how clients should interpret the trust root with respect to rotations of trusted material

Documentation

N/A

ping: @loosebazooka @codysoyland @bdehamer @haydentherapper @woodruffw

// order, that is, the oldest instance first. Only the last instance is
// allowed to have their 'end' timestamp unset. All previous instances MUST
// have a closed interval of validity. The last instance MAY have a closed
// interval.
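
Review bot: The requirement "All previous instances MUST have a closed interval of validity" has no client behavior attached, so it is unclear whether a client that finds an earlier instance with 'end' unset should reject the whole list or only skip that instance. Suggest adding one sentence that states the required handling, so that implementations fail the same way on a malformed trust root.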
Collaborator

> The last instance MAY have a closed interval.

What is the use case for this?

Member Author

I can't think of a good reason I wanted to do so, but as an example, the current Fulcio root expires Not After : Oct 5 13:56:58 2031 GMT and I think it should be ok to have that value as end.

And also this makes the language clear that clients must not treat the last instance with an open interval in any specific way.

//
// To be able to manage planned rotations of either transparency logs or
// certificate authorities, clienst MUST accept lists of instances where
// the last instance have a 'valid_for' that belongs to the future.
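
Review bot: Two wording problems in the new paragraph: "clienst" should be "clients", and "the last instance have" should be "the last instance has". In addition, "a 'valid_for' that belongs to the future" is imprecise for an interval; consider "whose 'valid_for' interval starts in the future", and state whether such an instance may be used for verification before that start time is reached.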
Collaborator

+1, thanks for mentioning this.

protos/sigstore_trustroot.proto (resolved review thread)
Member

@woodruffw woodruffw left a comment

LGTM!

@haydentherapper haydentherapper merged commit 0440eff into sigstore:main Feb 2, 2024
25 checks passed
@kommendorkapten kommendorkapten deleted the clarify-rotations branch February 5, 2024 06:34