We should do this before making a public release that includes TSA/timestamp support:
- Explicitly document our signing policy: when signing,
sigstore-python will attempt to contact every TSA in the trust root, obtain a signed timestamp, and will embed those signed timestamps in the bundle
- Explicitly document our verification policy: when verifying,
sigstore-python will attempt to verify each timestamp response, but only requires a threshold of 1-of-N. Moreover, the integration time from the tlog itself is still treated as a source of signed time.
I think the only open question is where in the code/docs these notes should live 🙂
CC @jku
We should do this before making a public release that includes TSA/timestamp support:
sigstore-pythonwill attempt to contact every TSA in the trust root, obtain a signed timestamp, and will embed those signed timestamps in the bundlesigstore-pythonwill attempt to verify each timestamp response, but only requires a threshold of 1-of-N. Moreover, the integration time from the tlog itself is still treated as a source of signed time.I think the only open question is where in the code/docs these notes should live 🙂
CC @jku