sigstore/protobuf-specs#634
Trust root services can now have an "operator" identifier: clients can use this to correctly count thresholds -- so if there are e.g. three TSAs listed in the trust root but two have the same operator, they should only reach a threshold of two.
This is mostly useful when:
- the client has robust policy support with thresholds -- sigstore-python currently does not
- there are multiple versions of a service: this will be true for rekor shortly
Because we don't really do thresholds, this is not urgent, but we could already make the code ready for this: when services are used to verify something, the operator fields should be available to the verification code -- in practice this likely means e.g. `RekorKeyring` needs to store the operator for each key.
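The counting rule described in this issue, sketched as an added example (not code from the issue or from sigstore-python). `Service`, `distinct_operator_count`, `meets_threshold` and the sample URLs and operator names are hypothetical; counting entries that lack an operator once per URL is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Service:
    """Hypothetical stand-in for a trust-root service entry."""
    url: str
    operator: Optional[str]  # None when the trust root carries no operator


def distinct_operator_count(verified: Iterable[Service]) -> int:
    """Count successful verifications, at most once per operator.

    Assumption: an entry without an operator is keyed by its URL, so it
    counts on its own but never more than once.
    """
    seen = set()
    for svc in verified:
        if svc.operator:
            seen.add(("operator", svc.operator))
        else:
            seen.add(("url", svc.url))
    return len(seen)


def meets_threshold(verified: Iterable[Service], threshold: int) -> bool:
    """True if enough independent operators vouched for the artifact."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    return distinct_operator_count(verified) >= threshold


# Constructed sample: three TSAs whose timestamps all verified,
# two of them run by the same operator.
CONSTRUCTED_TSAS = [
    Service("https://tsa-a.example/v1", "operator-one"),
    Service("https://tsa-a.example/v2", "operator-one"),
    Service("https://tsa-b.example/v1", "operator-two"),
]

if __name__ == "__main__":
    print(distinct_operator_count(CONSTRUCTED_TSAS))  # 2
    print(meets_threshold(CONSTRUCTED_TSAS, 3))       # False
```

A keyring that stores only keys cannot make this distinction, which is why the operator has to travel with each key to the verification code.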